APPLE-SA-07-29-2024-6 macOS Monterey 12.7.6
macOS Monterey 12.7.6 addresses the following issues.
Information about the security content is also available at
support.apple.com/HT214118
Apple maintains a Security Releases page at
support.apple.com/HT201222 which lists recent
softwar ...
APPLE-SA-07-29-2024-4 macOS Sonoma 14.6
macOS Sonoma 14.6 addresses the following issues.
Information about the security content is also available at
support.apple.com/HT214119
Apple maintains a Security Releases page at
support.apple.com/HT201222 which lists recent
software update ...
APPLE-SA-07-29-2024-5 macOS Ventura 13.6.8
macOS Ventura 13.6.8 addresses the following issues.
Information about the security content is also available at
support.apple.com/HT214120
Apple maintains a Security Releases page at
support.apple.com/HT201222 which lists recent
software ...
On Wed, Jul 10, 2024 at 03:51:44PM -0400, Demi Marie Obenour wrote:
Hi,
I am curious what this could mean for Fedora Asahi Remix [0], as the
applicants maintain both distros.
Is there interest in the Asahi SIG applying as well?
I heartily endorse the applicants' membership request and appreciate
their work. Hooray for ARM \o/
Mark Esler
n.b. ...
On Tue, Jul 09, 2024 at 09:52:58AM +1000, Damien Miller wrote:
I don't know for sure, but I guess someone from Red Hat did since the
CVE was assigned by them as a CNA. Also, the description is the same as
what's in Red Hat Bugzilla.
This was in the title, just not in the description. And now I see I did
it the other way around in my oss-secu ...
Some nitpicks:
CVE-2006-5051 found by Mark Dowd, which was the original bug that got
relatively recently reintroduced as CVE-2024-6387, still has in its
description an erroneous reference to GSSAPI:
It was understood back in 2006 that this bug's exposure did not in fact
depend on GSSAPI:
bugzilla.redhat.com/show_bug.cgi?id=208347
I ...
Other records for the same CVE can also be posted to CVE.org and listed on
their website with a link for completeness.
Under CVE rules, Red Hat can only assign a CVE for issues within our scope,
which for most CNAs means their software. RH has, on occasion, provided a
CVE for upstream projects which are not covered by another CNA. That is
really ...
On Wed, Jul 10, 2024 at 11:23:56AM -0500, Michel Lind wrote:
I know that at least Neal Gompa is also a Fedora developer. Would it
be permissible for him to also handle security patches for Fedora, if
Fedora is also affected?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab ...
Damien Miller wrote on Mon, Jul 01, 2024 at 02:10:04AM -0600:
Thanks for all the work towards this release.
Just a paperwork question as I couldn't find the information anywhere,
was there any CVE assigned to the 2nd security issue?
I'm asking because I tried updating the alpine package[1], and given the
first issue is a slightly different prob ...
On Wed, Jul 03, 2024 at 11:26:54AM +0000, Qualys Security Advisory wrote:
It's been almost a month, but apparently there still isn't a public
exploit. 7etsuo's unfinished code was forked to lots of GitHub repos -
some acknowledge it's a fork, most don't, a few claim it's their own.
Most made no changes at all, a few added non-English comments, a ...
Hi Jacob, all,
On Tue, Jul 02, 2024 at 09:01:48PM -0500, Jacob Bachmeyer wrote:
A side note, just in case: only our exploit against Ubuntu 6.06.1 uses a
very long user name; our exploits against Debian 3.0r6 and Debian 12.5.0
simply use "nobody" (but it could be any existing user name).
There are various already-existing limits along the way, ...
On Wed, Jul 3, 2024 at 2:39 AM Jacob Bachmeyer <jcb62281 () gmail com> wrote:
$ grep -IR LOGIN_NAME_MAX /usr/include
/usr/include/bits/confname.h: _SC_LOGIN_NAME_MAX,
/usr/include/bits/confname.h:#define _SC_LOGIN_NAME_MAX _SC_LOGIN_NAME_MAX
/usr/include/bits/local_lim.h:#define LOGIN_NAME_MAX 256
/usr/include/bits/pos ...
Hi,
Today is the coordinated release date to publicly disclose a related
issue I found during review of Qualys' findings, with further analysis
by Qualys. My summary is:
CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child
due to a race condition in signal handling
OpenSSH versions 8.7 and 8.8 and the corresponding portable r ...
Qualys Security Advisory wrote:
-- Jacob ...
Jeffrey Walton wrote:
I argue for it as a defense-in-depth measure.
-- Jacob ...
Hi,
I've finally reviewed the links and re-read the thread. Looks like
we're OK to proceed with adding CentOS Project's Hyperscale SIG as a
linux-distros member.
Michel, please e-mail me off-list with PGP keys for all of you who need
to be subscribed for Hyperscale. I also need to know who will be
managing this subscription on your end (informi ...
On 01.07.24 17:36, jvoisin wrote:
Just wanted to provide some comment on the below, as there still seem to
be misunderstandings related to what kernel and userland bugs / features
lead to reduced ASLR. Focusing solely on the thp_get_unmapped_area()
kernel related one isn't sufficient -- especially when we're looking at
old distros, as the Qualys ...
On Mon, 8 Jul 2024, Solar Designer wrote:
As an aside, who wrote the text of
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409 ?
It's disappointing that this CVE states that this is a vulnerability
in OpenSSH sshd, and fails to make clear that this only affects Redhat
versions and users of their downstream patch.
This follows anothe ...
On 10.07.2024 11:23, Michel Lind wrote:
Indeed, the Hyperscale SIG applies patches and versions of software that
have a different support and feature scope compared to CentOS Stream
Linux. Combined with its significant user base and existing strategy for
managing public vulnerabilities, it indicates that handling embargoed
releases would be manag ...
I am submitting this application on behalf of CentOS Project's Hyperscale SIG.
Myself (Michel Lind), as well as Davide Cavalca and Neal Gompa (SIG co-chairs), would be joining if approved.
sigs.centos.org/hyperscale/sig/membership/
1. Be an actively maintained Unix-like operating system distro with substantial use of Open Source compon ...
I gave a cursory look at the musl libc (musl.libc.org/) with the
help of the lovely #musl people, and it doesn't seem to be affected:
- Its syslog implementation (
git.musl-libc.org/cgit/musl/tree/src/misc/syslog.c ) doesn't
seem to (sub)call async-signal-unsafe functions.
- Thanks to its small size, it's not affected by ALSRn't.
...
Hi Yves-Alexis, all,
On Wed, Jul 03, 2024 at 10:54:30PM +0200, Yves-Alexis Perez wrote:
An interesting idea!
We also agree: the glibc's snprintf() only calls malloc functions if the
format string specifies positional parameters or floating points, which
is not the case in sshd's SIGALRM handler.
We double-checked this on Debian 12.5.0 and co ...
On Mon, 2024-07-01 at 08:40 +0000, Qualys Security Advisory wrote:
Hi,
thanks Qualys for the outstanding research and detailed report (as always).
On Mastodon Hector Marcan also proposed
(mastodon.social/deck/@marcan@treehouse.systems/112715797114998895) to
use `-e` on sshd command-line a ...
Hi Alexander,
On Tue, Jul 23, 2024 at 09:23:10PM +0200, Solar Designer wrote:
Thank you! I'll email once I have collected all the keys.
Thanks. Good to know this exception exists, but I'm hoping to prod
Fedora to onboard itself as a member anyway.
It was timely but there was some scramble in Fedora's security room
the morning the embargo w ...
On 7/10/24 08:06, Pete Allor wrote:
But the scope of Red Hat's CNA explicitly includes all open source projects
included in a Red Hat product:
www.cve.org/PartnerInformation/ListofPartners/partner/redhat
and many projects have been told to contact Red Hat to request CVEs over
the years. I know I've requested and received many CVEs fro ...
Hi all,
Many people have asked us about an alleged proof of concept named
"7etsuo-regreSSHion.c": it is not a proof of concept, it is essentially
empty code (it might even be dangerous to compile and execute, we have
not checked). It is not just the shellcode that is missing, everything
else is missing too: the key-exchange code does nothing, the ...
Damian, in general when there is incorrect data on any of Red Hat's CVE
pages the best place to request a fix is secalert () redhat com.
In this case we are paying attention to this mailing list and have
incorporated some suggestions. I can help address any remaining cleanups.
Has OpenSSH ever considered becoming a CNA?
~Nick
On Tue, Jul 9, 202 ...
Hi folks,
In testing some platforms that I had readily available, I've concluded:
- Older Linux (5.x and earlier) randomize loaded libraries as expected
-WD ...
Qualys Security Advisory
regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems
(CVE-2024-6387)
========================================================================
Contents
========================================================================
Summary
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 (Debian 3.0r6, from 2005)
- ...
On Tue, Jul 02, 2024 at 09:01:48PM -0500, Jacob Bachmeyer wrote:
Actually, a related change was made in OpenSSH 8.5, but was "only
enabled for Sun-derived PAM implementations". Perhaps it should be
generalized and enabled unconditionally, including without PAM.
www.openwall.com/lists/oss-security/2021/03/03/1
* Portable sshd(8): Pre ...