Log

ASA-202403-1 edited at 29 Mar 2024 18:55:30
ASA-202403-1 edited at 29 Mar 2024 18:05:33
Impact
+ The malicious code path does not exist in the Arch version of sshd, as it does not link to liblzma.
+
+ However, out of an abundance of caution, we advise users to avoid the vulnerable code in their system as it is possible it could be triggered from other, unidentified vectors.
ASA-202403-1 created at 29 Mar 2024 17:53:31
AVG-2851 edited at 29 Mar 2024 17:43:12
Status
- Vulnerable
+ Fixed
Fixed
+ 5.6.1-2
AVG-2851 created at 29 Mar 2024 17:40:01
Packages
+ xz
Issues
+ CVE-2024-3094
Status
+ Vulnerable
Severity
+ Critical
Affected
+ 5.6.0-1
Fixed
Ticket
Advisory qualified
+ Yes
References
+ https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Notes
CVE-2024-3094 created at 29 Mar 2024 17:36:17
Severity
+ Critical
Remote
+ Remote
Type
+ Authentication bypass
Description
+ Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
References
Notes
AVG-1948 edited at 19 Mar 2024 22:48:39
Status
- Vulnerable
+ Unknown
AVG-2850 created at 10 Nov 2023 16:22:10
Packages
+ openjpeg2
Issues
+ CVE-2021-3575
Status
+ Vulnerable
Severity
+ Medium
Affected
+ 2.5.0-3
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
AVG-1390 edited at 10 Nov 2023 16:21:51
Issues
CVE-2018-16376
CVE-2018-20846
CVE-2019-6988
- CVE-2021-3575
CVE-2021-29338
AVG-1390 edited at 10 Nov 2023 16:21:10
Status
- Vulnerable
+ Fixed
Fixed
+ 2.5.0-1