#libvpx

2024-08-29

#BSI WID-SEC-2024-1945: [NEW] [medium] #Red #Hat #Enterprise #Linux (#libvpx): Multiple vulnerabilities allow denial of service

A remote attacker can exploit multiple vulnerabilities in the libvpx component of Red Hat Enterprise Linux to carry out a denial of service attack.

wid.cert-bund.de/portal/wid/se

FFmpeg libaom (libaom-av1) is the reference encoder for the AV1 format. It was also used for research during the development of AV1. libaom is based on libvpx and thus shares many of its characteristics in terms of features, performance, and usage.

To install FFmpeg with support for libaom-av1, look at the Compilation Guides and compile FFmpeg with the --enable-libaom option.

ffmpeg.org/ffmpeg-codecs.html#
trac.ffmpeg.org/wiki/Compilati

#ffmpeg #av1 #vp9 #libaom #libvpx #AOMedia

deltatux :donor:deltatux@infosec.town
2023-10-04

Apple releases iOS/iPad OS 17.0.3 as an emergency update to resolve an actively exploited zero day caused by a kernel vulnerability. If successful, a malicious actor can perform local privilege escalation as part of an attack chain.

Apple also notes that they have resolved CVE-2023-5217 by updating the libvpx to 1.13.1 in iOS/iPad OS 17.0.3

This marks the 17th zero day that Apple has addressed so far this year.

https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/

#infosec #cybersecurity #Apple #ios #ipados #kernel #vulnerability #CVE_2023_42824 #CVE_2023_5217 #libvpx #zeroday

2023-10-03

CISA warned that a vulnerability affecting open source tool libvpx is being exploited

Incident responders and experts at several companies said the WS_FTP Server vulnerabilities are being exploited as well

#libvpx #WSFTP

therecord.media/libvpx-ws-ftp-

Topher 🌱🐧💚topher@mastodon.online
2023-10-02

Just saw patched #libvpx packages hit #Ubuntu repositories

#libvpx6 on Focal (1.8.2-1ubuntu0.2)

#libvpx7 on Jammy (1.11.0-2ubuntu2.2), Lunar (1.12.0-1ubuntu1.2)

Nothing yet on the packaged Firefox in Focal repository

ubuntu.com/security/CVE-2023-5

cc @viking

Topher 🌱🐧💚topher@mastodon.online
2023-09-30

Looks like an updated #libvpx package is now in #Debian repositories for stable (Bookworm) and oldstable (Bullseye)!

Updated #Chromium packages are available as well; however, Debian builds of #Firefox ESR are still at 118.0, so be cautious. As I mentioned here, the package that showed up yesterday was in fact for a new upstream build already underway before the security patch and is for 115.3.0 - NOT 115.3.1, which includes the patch for CVE-2023-5217.

mastodon.online/@topher/111144

Gonçalo Valériodethos@s.ovalerio.net
2023-09-29
Michal :verified: :btw:michal@kottman.xyz
2023-09-29

Woohoo, another day, another #0day like the #libwebp one, this time in #libvpx: arstechnica.com/security/2023/

Let the purge / patch crunch begin!

:mastodon: deciodecio@infosec.exchange
2023-09-29

#CyberVeille #libwebp #libvpx

🗒️ Short summary / notes on the two vulnerabilities, based on the latest information available as of 29.09

"CVE-2023-5217 [ed. note: libvpx] requires a targeted device to create media in the VP8 format.

CVE-2023-4863 [ed. note: WebP / libwebp] could be exploited when a targeted device simply displayed a booby-trapped image."
👇
arstechnica.com/security/2023/

CVE-2023-5129 ➡️ Withdrawn by MITRE as a duplicate of CVE-2023-4863
👇
cve.org/CVERecord?id=CVE-2023-

------------------------

Useful list (thanks @mttaggart) for tracking CVE-2023-4863 in Electron apps
👇
docs.google.com/spreadsheets/d

CVE-2023-4863 FAQ by Tenable
👇
tenable.com/blog/cve-2023-4106

------------------------

CVE-2023-5217 announcement
👇
chromereleases.googleblog.com/

Topher 🌱🐧💚topher@mastodon.online
2023-09-29

Firefox 118.0.1 now appears to be live in #archlinux extra repository, addressing CVE-2023-5217: Heap buffer overflow in libvpx

#Linux #security #cve20235217 #libvpx

Orca 🌻 | 🎀 | 🪁 | 🏴🏳️‍⚧️Orca@nya.one
2023-09-28

Another zero-day has dropped. It affects browsers such as Chrome and Firefox and may affect any software that uses libvpx 😭

CVE-2023-5217
A heap overflow bug in libvpx 1.13.1 / Chrome 117.0.5938.132 and earlier versions could allow a remote attacker to exploit the vulnerability and execute arbitrary code by serving a crafted HTML page.

Please update all browsers and any software that uses libvpx (such as ffmpeg and video players) immediately.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217
#cve #0day #libvpx
@board@ovo.st

RE:
https://mastodon.social/users/arstechnica/statuses/111144897030011609

-> @haileys.questblake@infosec.town
2023-09-28

Maybe relying on one company's browser product for your entire computer is not a good idea.

#libWebP #libVPX #Electron

Topher 🌱🐧💚topher@mastodon.online
2023-09-28

#Firefox on both #Flatpak and #Snap is already updated to 118.0.1 addressing CVE-2023-5217: Heap buffer overflow in libvpx

Make sure you are running 118.0.1 or update ASAP.

Tracking of traditional distro packages will continue throughout this thread as they arrive in various repositories (both Firefox and libvpx, along with Chromium builds not linked dynamically to the system lib - e.g. #linuxmint)

flathub.org/apps/org.mozilla.f

snapcraft.io/firefox

#Linux #security #cve20235217 #libvpx

Topher 🌱🐧💚topher@mastodon.online
2023-09-28

Mozilla released #Firefox 118.0.1 and ESR 115.3.1 to address CVE-2023-5217: Heap buffer overflow in libvpx

mozilla.org/en-US/security/adv

I suppose I'll follow the Linux distro packages again for this one so I guess follow this thread or whatever 😂

#security #cve20235217 #libvpx

*Sigh*, another one of these:

"CVE-2023-5217: Heap buffer overflow in vp8 encoding in #libvpx."
"Google is aware that an exploit for CVE-2023-5217 exists in the wild."

Note that because it's in an underlying (video codec) library, it's probably going to be an issue in every browser and video player and electron app; just like the prior #libwebp #security bug.
