OL CVE Issue Summary :

A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure
integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process.
 

OL CVE Issue Summary:
Insufficient escaping of user-supplied data in `mod_ssl` in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where `CustomLog` is used with `%{varname}x` or `%{varname}c` to log variables provided by `mod_ssl` such as `SSL_TLS_SNI`, no escaping is performed by either `mod_log_config` or `mod_ssl` and unsanitised data provided by the client may appear in log files.

OL CVE Issue Summary :

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. 

 

OL CVE Issue Summary :

A regular expression denial of service (ReDos) vulnerability was found in Python's tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive.

OL CVE Issue Summary :

Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
 

OL CVE Issue Summary :

A heap overread vulnerability was found in xsltFormatNumberConversion function in libxslt. An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string.

NVD Listing: https://nvd.nist.gov/vuln/detail/CVE-2024-2961

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
 

OL CVE Issue Summary :

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.