Skip to main content
Skip table of contents

ISN 2024-04: Libuv Vulnerability

First published 4 March 2024

CVSS 3.1: 7.3 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

A security vulnerability has been found in the Libuv library used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12 (only if Firefox app is installed)
  • IGEL OS 11

Details

A security issue has been discovered in the uv_getaddrinfo function in Libuv. It truncates hostnames to 256 characters before it calls getaddrinfo. An attacker could exploit this to create payloads that are resolved to unintended IP addresses, thus bypassing security checks.

The OS 12 base system contains Libuv, but the library is only used if the Firefox app is installed.

Update Instructions

  • OS 12: Update to OS 12 base system version 12.4.1 when it is available.
  • OS 11: IGEL is working on an OS 11 release with an updated Libuv.

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.