Уязвимость функций DeviceFocusEvent и XIQueryPointer реализации сервера X Window System X.Org Server, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Уязвимость компонента GLX PBuffer Handler реализации сервера X Window System X.Org Server, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента Privates Handler реализации сервера X Window System X.Org Server, позволяющая нарушителю выполнить произвольный код

A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.

A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.

A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.

Уязвимость фильтра xmlattr шаблонизатора Jinja2 для языка программирования Python, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.

Misbehavior in the sed regex inside add_systemd_networkd_ini_option() function

Typos in the write_systemd_networkd_bootproto() function

Уязвимость cредства криптографической защиты OpenSSH, связанная с внедрением или модификацией аргумента, позволяющая нарушителю выполнить произвольные команды

Уязвимость агента ssh-agent cредства криптографической защиты OpenSSH, позволяющая нарушителю раскрыть защищаемую информацию

Уязвимость функции mm_answer_authpassword() cредства криптографической защиты OpenSSH, позволяющая нарушителю реализовать атаку Rowhammer и обойти процедуру аутентификации

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can occur when reading or writing. It may result in buffer overflows.