Distros have released important updates for WebKitGTK, NSS and VIM to address important security vulnerabilities that could lead to arbitrary code execution and denial of service attacks. With the majority of these issues having a low attack complexity and a high confidentiality, integrity and availability impact, it is crucial that all impacted users update immediately.
Two critical flaws were also recently found and fixed in the ClamAV open-source antivirus engine that could lead to remote code execution (RCE) and remote information leakage on susceptible devices. Learn whether you are at risk, and how to protect yourself now!
Our own Dave Wreski also evaluated Vali Cyber's ZeroLock, the latest ransomware protection developed specifically for Linux servers, and how it can be used to keep your critical systems and sensitive data protected from the dramatic increase in attacks against Linux we've seen over the last year.
Continue reading to learn about other significant issues that have been fixed, and how to secure your systems against them.
Yours in Open Source,
WebKitGTK

The Discovery
An important vulnerability was found in WebKitGTK that occurs when processing maliciously crafted web content in WebKit (CVE-2023-23529).

The Impact
This issue could allow a remote attacker to create a specially crafted web page, trick the victim into opening it, trigger type confusion, and execute arbitrary code on the target system.

The Fix
A security update for WebKitGTK has been released that fixes this bug. Setting the environment variable JSC_useDFGJIT=0 will also mitigate this issue. With a low attack complexity and a high confidentiality, integrity and availability impact, it is critical that all impacted users address this vulnerability immediately.
NSS

The Discovery
Two security vulnerabilities were identified in NSS. It was discovered that NSS incorrectly handled an empty pkcs7 sequence (CVE-2022-22747), and that NSS incorrectly handled certain memory operations (CVE-2022-34480).

The Impact
A remote attacker could possibly use these issues to cause a denial of service (DoS) or execute arbitrary code.

The Fix
An update is available for NSS that fixes these bugs. We recommend that you update now to protect the security and integrity of your systems and prevent potential downtime.
VIM

The Discovery
Two high-severity security bugs have been discovered in the VIM (VIsual editor iMproved) version of the vi editor. These issues include a null pointer dereference in the function gui_x11_create_blank_mouse in gui_x11.c in VIM 8.1.2269 through 9.0.0339 (CVE-2022-47024), and a heap-based buffer overflow in the GitHub repository vim/vim prior to 9.0.1225 (CVE-2023-0433).

The Impact
These vulnerabilities could lead to denial of service (DoS) attacks.

The Fix
An update for VIM that fixes these dangerous flaws has been released. We urge you to update as soon as possible to protect against attacks leading to disruptive downtime and compromise.
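As an added example (not from the newsletter or the VIM project), the following POSIX shell check compares an installed VIM's patch level against the two affected ranges stated above; the parsing of `vim --version` output assumes its usual "VIM - Vi IMproved 9.0 (...)" / "Included patches: 1-NNNN" layout.

```shell
#!/bin/sh
# Affected ranges, as stated in the advisory above:
#   CVE-2022-47024: VIM 8.1.2269 through 9.0.0339
#   CVE-2023-0433:  VIM versions prior to 9.0.1225

# ver_ge A B : succeed when dotted numeric version A >= B (no external sort -V).
ver_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# vim_cves VERSION : print the CVEs from the advisory that apply to VERSION
# (space separated, one line); exit 0 when none apply, 1 when any do.
vim_cves() {
  hits=
  if ver_ge "$1" 8.1.2269 && ! ver_ge "$1" 9.0.0340; then
    hits="$hits CVE-2022-47024"
  fi
  if ! ver_ge "$1" 9.0.1225; then
    hits="$hits CVE-2023-0433"
  fi
  echo "${hits# }"
  [ -z "$hits" ]
}

# parse_vim_version TEXT : turn `vim --version` output into "MAJOR.MINOR.PPPP",
# e.g. "9.0" plus "Included patches: 1-1378" becomes 9.0.1378 (assumed layout).
parse_vim_version() {
  printf '%s\n' "$1" | awk '
    /^VIM - Vi IMproved/ { base = $5 }
    /^Included patches:/ { n = $NF; sub(/.*-/, "", n); patch = n }
    END { if (base != "") printf "%s.%04d\n", base, patch + 0 }'
}

# check_installed_vim : report the CVEs affecting the vim on PATH, if any.
check_installed_vim() {
  v=$(parse_vim_version "$(vim --version 2>/dev/null)")
  [ -n "$v" ] || { echo "vim not found"; return 0; }
  echo "installed vim $v"
  vim_cves "$v"
}
```

Run `check_installed_vim` on each host; a non-zero exit with CVE identifiers printed means the distro update has not yet landed there.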