moderate: libglvnd/libuv security update
moderate
An update for libglvnd/libuv is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
libglvnd:
libuv:
Security Fix(es):
libglvnd: libglxproto.c in OpenGL libglvnd bb06db5a was discovered to contain a segmentation violation via the function glXGetDrawableScreen(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.(CVE-2023-45924)
libglvnd: bugfix
libuv: A server-side request forgery (SSRF) flaw was found in the libuv package due to how the `hostname_ascii` variable is handled in `uv_getaddrinfo` and `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access internal APIs or for websites that allow users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.(CVE-2024-24806)
libuv: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.