CoreOS Security Update (MINDBREEZE30237)
ID: MINDBREEZE30237
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: 8.4 High
Status: Final
First published: May 28, 2024
CVEs: CVE-2023-42465, CVE-2024-1086, CVE-2024-23851, CVE-2024-26585, CVE-2024-26582, CVE-2024-26584, CVE-2024-26583, CVE-2024-26603, CVE-2024-26604, CVE-2024-26606, CVE-2024-2905
Summary
- sudo: sudo before 1.9.15 might allow row hammer attacks
- kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
- kernel: copy_params can attempt to allocate more than INT_MAX bytes and crash
- kernel: tls: race between tx work scheduling and socket close
- kernel: tls: use-after-free with partial reads and async decrypt
- kernel: tls: handle backlogging of crypto requests
- kernel: tls: race between async notify and socket close
- kernel: x86/fpu: Stop relying on userspace for info to fault in xsave buffer that cause loop forever
- kernel: null pointer dereference in kobject
- kernel: signal epoll threads of self-work
- rpm-ostree: incorrect permissions on /etc/shadow
Hotfix Information
Fixed in the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
- Mindbreeze InSpire 24.2 Release
- Mindbreeze InSpire SaaS 24.2 Release