AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
16 November 2022

ESB-2022.5920 - [RedHat] rsync: CVSS (Max): 7.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5920
                    rsync security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rsync
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-37434

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8291

Comment: CVSS (Max):  7.0 CVE-2022-37434 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/P/UI:N/S:U/C:L/I:L/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rsync security and bug fix update
Advisory ID:       RHSA-2022:8291-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8291
Issue date:        2022-11-15
CVE Names:         CVE-2022-37434
=====================================================================

1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - noarch
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field (CVE-2022-37434)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2053198 - rsync segmentation fault
2077431 - Read-only files that have changed xattrs fail to allow xattr changes [rhel-9]
2081296 - Enable fmf tests in centos stream
2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

noarch:
rsync-daemon-3.2.3-18.el9.noarch.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:
rsync-3.2.3-18.el9.src.rpm

aarch64:
rsync-3.2.3-18.el9.aarch64.rpm
rsync-debuginfo-3.2.3-18.el9.aarch64.rpm
rsync-debugsource-3.2.3-18.el9.aarch64.rpm

ppc64le:
rsync-3.2.3-18.el9.ppc64le.rpm
rsync-debuginfo-3.2.3-18.el9.ppc64le.rpm
rsync-debugsource-3.2.3-18.el9.ppc64le.rpm

s390x:
rsync-3.2.3-18.el9.s390x.rpm
rsync-debuginfo-3.2.3-18.el9.s390x.rpm
rsync-debugsource-3.2.3-18.el9.s390x.rpm

x86_64:
rsync-3.2.3-18.el9.x86_64.rpm
rsync-debuginfo-3.2.3-18.el9.x86_64.rpm
rsync-debugsource-3.2.3-18.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3Pg19zjgjWX9erEAQgpRQ/7Bj65nEV0SOIx0sJi2b1JhwxkdT89C2mS
Xrj2gh3HU92CQpiJZuvDydU3zLbq7OABNznifdKVPsJ+Zth+N4Vrssqzuqb5ztue
C4stYAdqzZ/quoI5Ou1VTiYBRkoU8EV2YnfXlclgYf4Zgsswr4MqlWXf9aRS90vN
/Xz8YaI51hejuSVBjoQA97PyYs+uPQfY1s/HSS/kzZm3jyWr0Akx4BdN1XMgKbe0
K40sip6tee9GvNHXwZ/sLZFs8q/u/7ZzQDfUM0zyYPWCVyIsWixADR8biF2NHRq0
SeGSoyw7sycPr+S3eIQ0+VNw001n4Gvpj+sHYOzJhNrtUW6989PMM6Z+poM1xNl0
Nib5PFqZZcOzyH9N4Hzy4OBcYOkdCUXm6c+K+GN1gPPxloq07FSFihEltlDIuufy
eWzVRR53mjrLwOEn3GnWidgJ+znuAKxyZws8PlGctbKg/2y0PRoDJry9s9HiSWDJ
5y//A1m/mOnkoDOU32rW5lu3XceApph8MlBVqB03qjpj8HCBHvOKiZf8AMJQ5SoH
pDLoR4gzEk2xmei0QtlRXhWxtjgeTNUuoTJyMqxgvHoaEWabpjJxNGrd4y7vDbM/
PsXooDGL02mBzthJZ19mZfVZjzd4lNhq7CLsXgq7MpDB9dq4tQP3EJXoUwrmeflT
f1EaczpMC/0=
=Q58l
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3RIW8kNZI30y1K9AQga/A//ZFPlvl2XGIX/sbnoYMhez6CMFfri/ZCc
3A/u5PNj9sXZX4HQLownp3Ciem+aXwbDU8WHHwUK9pUL8ny5u5kgD1aRLhtfaxnh
fp1Of71m5xE7UUckj03lrce4feTMHhdTtwn0mXGkkWfo0zE8zEDlWrsQGQj7MXl8
uVlo5PhwAAWgvSC9U7UHXmpVvDvYtl3SH/F7o40QtSc99iFX3Hir9YFU32IpH/bO
9txAaUIieoOu4VcnER9BekSSFBGv4gc3N4RNp43xHB2BWhYQkWW8vTM9/ajtWw1U
+ugDlRREJmRX8ul/oTpJRUrD5MHB19O5y8kckf7HHGOTDSJ8E4EFEdDDIC9TxVp+
Hs/DUkfgC9ej8W0K1tZR3lDsOtJop1+sTj6dsNTFysIA1oIeHMn0b911t87E2hpB
YLNCNfK7a4R8GTRXO4FEa4Smlm12hmI6X8vsvcKhuygfM3uRV1zH46ZWooGUVNJY
gHJoL5Bv1OEzvfVfV8pirBr3ZRtZxFe9w2xCQqP/Ewz0L9P+eQKnFfu6c6GaQbaM
cBmg1PktYcDbAiepdytwl//m+zN3YIKswhyIQi+j+rOEGr0AiUqzbAItdHpHp59k
ahBgTpH63WqfLO1z+kf8FdAsVPrT8mDtCTksJ8hd+VOwh6UqcVhDajYqPjI3v3Dh
pj1/dFqmXDo=
=ZhgN
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5919 - [RedHat] kernel: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5919 kernel security, bug fix, and enhancement update 16 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: kernel Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-39190 CVE-2022-36946 CVE-2022-29901 CVE-2022-29900 CVE-2022-29581 CVE-2022-28893 CVE-2022-28390 CVE-2022-26373 CVE-2022-24448 CVE-2022-23825 CVE-2022-23816 CVE-2022-21499 CVE-2022-21166 CVE-2022-21125 CVE-2022-21123 CVE-2022-20368 CVE-2022-2639 CVE-2022-2586 CVE-2022-1998 CVE-2022-1852 CVE-2022-1679 CVE-2022-1353 CVE-2022-1280 CVE-2022-1184 CVE-2022-1048 CVE-2022-1016 CVE-2022-0854 CVE-2022-0617 CVE-2022-0168 CVE-2021-3640 CVE-2020-36516 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8267 Comment: CVSS (Max): 7.8 CVE-2022-29581 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: kernel security, bug fix, and enhancement update Advisory ID: RHSA-2022:8267-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:8267 Issue date: 2022-11-15 CVE Names: CVE-2020-36516 CVE-2021-3640 CVE-2022-0168 CVE-2022-0617 CVE-2022-0854 CVE-2022-1016 CVE-2022-1048 CVE-2022-1184 CVE-2022-1280 CVE-2022-1353 CVE-2022-1679 CVE-2022-1852 CVE-2022-1998 CVE-2022-2586 CVE-2022-2639 CVE-2022-20368 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-21499 CVE-2022-23816 CVE-2022-23825 CVE-2022-24448 
CVE-2022-26373 CVE-2022-28390 CVE-2022-28893 CVE-2022-29581 CVE-2022-29900 CVE-2022-29901 CVE-2022-36946 CVE-2022-39190 ===================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * off-path attacker may inject data or terminate victim's TCP session (CVE-2020-36516) * use-after-free vulnerability in function sco_sock_sendmsg() (CVE-2021-3640) * smb2_ioctl_query_info NULL pointer dereference (CVE-2022-0168) * NULL pointer dereference in udf_expand_file_adinicbdue() during writeback (CVE-2022-0617) * swiotlb information leak with DMA_FROM_DEVICE (CVE-2022-0854) * uninitialized registers on stack in nft_do_chain can cause kernel pointer leakage to UM (CVE-2022-1016) * race condition in snd_pcm_hw_free leading to use-after-free (CVE-2022-1048) * use-after-free and memory errors in ext4 when mounting and operating on a corrupted image (CVE-2022-1184) * concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources (CVE-2022-1280) * kernel info leak issue in pfkey_register (CVE-2022-1353) * use-after-free in ath9k_htc_probe_device() could cause an escalation of privileges (CVE-2022-1679) * NULL pointer dereference in x86_emulate_insn may lead to DoS (CVE-2022-1852) * fanotify misuses fd_install() which could lead 
to use-after-free (CVE-2022-1998) * nf_tables cross-table potential use-after-free may lead to local privilege escalation (CVE-2022-2586) * integer underflow leads to out-of-bounds write in reserve_sfa_size() (CVE-2022-2639) * slab-out-of-bounds access in packet_recvmsg() (CVE-2022-20368) * incomplete clean-up of multi-core shared buffers (aka SBDR) (CVE-2022-21123) * incomplete clean-up of microarchitectural fill buffers (aka SBDS) (CVE-2022-21125) * incomplete clean-up in specific special register write operations (aka DRPW) (CVE-2022-21166) * possible to use the debugger to write zero into a location of choice (CVE-2022-21499) * AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions (CVE-2022-23816, CVE-2022-29900) * AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825) * Intel: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373) * double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c (CVE-2022-28390) * use after free in SUNRPC subsystem (CVE-2022-28893) * use-after-free due to improper update of reference count in net/sched/cls_u32.c (CVE-2022-29581) * Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions (CVE-2022-29901) * DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c (CVE-2022-36946) * nf_tables disallow binding to already bound chain (CVE-2022-39190) * nfs_atomic_open() returns uninitialized data instead of ENOTDIR (CVE-2022-24448) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. 4. 
Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1905809 - [RHEL-9] WARNING: CPU: 0 PID: 13059 at fs/nfsd/nfs4proc.c:458 nfsd4_open+0x19c/0x4a0 [nfsd] 1951971 - [RFE] Bonding: add option ns_ipv6_target 1952053 - [RFE] Bonding: add link_watch.missed_max 1980646 - CVE-2021-3640 kernel: use-after-free vulnerability in function sco_sock_sendmsg() 2006399 - limited reexport support kernel documentation 2009423 - fs: dlm: dlm_callback_resume is too noisy 2025985 - Add acer_wireless.ko kernel module 2028370 - [xfstests/nfs generic/476] test never finishes 2037386 - CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference 2038794 - Backport futex_waitv() from Linux 5.16 2046624 - [Marvell 9.1 FEAT] update qedi driver to latest upstream 2051444 - CVE-2022-24448 kernel: nfs_atomic_open() returns uninitialized data instead of ENOTDIR 2052312 - CVE-2022-1998 kernel: fanotify misuses fd_install() which could lead to use-after-free 2053632 - CVE-2022-0617 kernel: NULL pointer dereference in udf_expand_file_adinicbdue() during writeback 2053991 - kernel build fails if CONFIG_RHEL_DIFFERENCES is "not set" 2054023 - vrf test fail in kselftest net:fcnal-test.sh 2058395 - CVE-2022-0854 kernel: swiotlb information leak with DMA_FROM_DEVICE 2059928 - CVE-2020-36516 kernel: off-path attacker may inject data or terminate victim's TCP session 2066297 - block layer: update to v5.17 2066614 - CVE-2022-1016 kernel: uninitialized registers on stack in nft_do_chain can cause kernel pointer leakage to UM 2066706 - CVE-2022-1048 kernel: race condition in snd_pcm_hw_free leading to use-after-free 2066819 - CVE-2022-1353 kernel: kernel info leak issue in pfkey_register 2070205 - CVE-2022-1184 kernel: use-after-free and memory errors in ext4 when mounting and operating on a 
corrupted image 2071022 - CVE-2022-1280 kernel: concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources 2073064 - CVE-2022-28390 kernel: double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c 2074208 - CVE-2022-28893 kernel: use after free in SUNRPC subsystem 2074315 - genirq/affinity: Consider that CPUs on nodes can be unbalanced 2076304 - VFIO refresh to v5.18 2083580 - RFE: backport minor fixes and cleanups from upstream (up to version 5.18-rc5) 2084125 - CVE-2022-1679 kernel: use-after-free in ath9k_htc_probe_device() could cause an escalation of privileges 2084183 - CVE-2022-21499 kernel: possible to use the debugger to write zero into a location of choice 2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size() 2088021 - CVE-2022-29581 kernel: use-after-free due to improper update of reference count in net/sched/cls_u32.c 2089815 - CVE-2022-1852 kernel: NULL pointer dereference in x86_emulate_insn may lead to DoS 2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions 2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR) 2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS) 2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW) 2094045 - mm: Fix stall observed when xfs calls alloc_pages_bulk_array() 2095275 - [RHEL-9] NFS - Fix "softreval" mount option 2100261 - backport audit iouring fix and audit_log_kern_module memleak fix from v5.18 and v5.19-rc3 2102319 - ipmitool sensor list command generates syslog errors on HP iLO 5 2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions 2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed) 2107360 - knfsd not always recalling delegations on 
contended access 2107589 - backport vsock commits for RHEL-9.1 2109349 - [bonding] bugfix update from v5.19 2110576 - RHEL-9 nfsd server post_wcc fixes - clients see increased revalidations 2111270 - netfilter: rebase conntrack to 5.19 2114878 - CVE-2022-2586 kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation 2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions 2115278 - CVE-2022-36946 kernel: DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c 2123695 - CVE-2022-20368 kernel: net/packet: slab-out-of-bounds access in packet_recvmsg() 2129152 - CVE-2022-39190 kernel: nf_tables disallow binding to already bound chain 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): aarch64: bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-devel-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-devel-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-devel-matched-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-headers-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm perf-5.14.0-162.6.1.el9_1.aarch64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm noarch: kernel-doc-5.14.0-162.6.1.el9_1.noarch.rpm ppc64le: bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-devel-matched-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-headers-5.14.0-162.6.1.el9_1.ppc64le.rpm 
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm perf-5.14.0-162.6.1.el9_1.ppc64le.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm s390x: bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-devel-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm kernel-devel-5.14.0-162.6.1.el9_1.s390x.rpm kernel-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm kernel-headers-5.14.0-162.6.1.el9_1.s390x.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-devel-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm perf-5.14.0-162.6.1.el9_1.s390x.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm x86_64: bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-devel-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-devel-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-headers-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm perf-5.14.0-162.6.1.el9_1.x86_64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 
9): Source: kernel-5.14.0-162.6.1.el9_1.src.rpm aarch64: bpftool-5.14.0-162.6.1.el9_1.aarch64.rpm bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-core-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-core-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-modules-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-modules-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-modules-extra-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-libs-5.14.0-162.6.1.el9_1.aarch64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm python3-perf-5.14.0-162.6.1.el9_1.aarch64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm noarch: kernel-abi-stablelists-5.14.0-162.6.1.el9_1.noarch.rpm ppc64le: bpftool-5.14.0-162.6.1.el9_1.ppc64le.rpm bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-core-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-core-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-modules-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-modules-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-modules-extra-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-tools-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-tools-libs-5.14.0-162.6.1.el9_1.ppc64le.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm 
python3-perf-5.14.0-162.6.1.el9_1.ppc64le.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm s390x: bpftool-5.14.0-162.6.1.el9_1.s390x.rpm bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-5.14.0-162.6.1.el9_1.s390x.rpm kernel-core-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-core-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-modules-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm kernel-modules-5.14.0-162.6.1.el9_1.s390x.rpm kernel-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm kernel-tools-5.14.0-162.6.1.el9_1.s390x.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-core-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-modules-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm python3-perf-5.14.0-162.6.1.el9_1.s390x.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm x86_64: bpftool-5.14.0-162.6.1.el9_1.x86_64.rpm bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-core-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-core-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-modules-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-modules-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-tools-5.14.0-162.6.1.el9_1.x86_64.rpm 
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-tools-libs-5.14.0-162.6.1.el9_1.x86_64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm python3-perf-5.14.0-162.6.1.el9_1.x86_64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm Red Hat CodeReady Linux Builder (v. 9): aarch64: bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-cross-headers-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.aarch64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm ppc64le: bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-cross-headers-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm s390x: bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-cross-headers-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm x86_64: bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-cross-headers-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm 
kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.x86_64.rpm perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-36516 https://access.redhat.com/security/cve/CVE-2021-3640 https://access.redhat.com/security/cve/CVE-2022-0168 https://access.redhat.com/security/cve/CVE-2022-0617 https://access.redhat.com/security/cve/CVE-2022-0854 https://access.redhat.com/security/cve/CVE-2022-1016 https://access.redhat.com/security/cve/CVE-2022-1048 https://access.redhat.com/security/cve/CVE-2022-1184 https://access.redhat.com/security/cve/CVE-2022-1280 https://access.redhat.com/security/cve/CVE-2022-1353 https://access.redhat.com/security/cve/CVE-2022-1679 https://access.redhat.com/security/cve/CVE-2022-1852 https://access.redhat.com/security/cve/CVE-2022-1998 https://access.redhat.com/security/cve/CVE-2022-2586 https://access.redhat.com/security/cve/CVE-2022-2639 https://access.redhat.com/security/cve/CVE-2022-20368 https://access.redhat.com/security/cve/CVE-2022-21123 https://access.redhat.com/security/cve/CVE-2022-21125 https://access.redhat.com/security/cve/CVE-2022-21166 https://access.redhat.com/security/cve/CVE-2022-21499 https://access.redhat.com/security/cve/CVE-2022-23816 https://access.redhat.com/security/cve/CVE-2022-23825 https://access.redhat.com/security/cve/CVE-2022-24448 https://access.redhat.com/security/cve/CVE-2022-26373 https://access.redhat.com/security/cve/CVE-2022-28390 https://access.redhat.com/security/cve/CVE-2022-28893 https://access.redhat.com/security/cve/CVE-2022-29581 https://access.redhat.com/security/cve/CVE-2022-29900 
https://access.redhat.com/security/cve/CVE-2022-29901 https://access.redhat.com/security/cve/CVE-2022-36946 https://access.redhat.com/security/cve/CVE-2022-39190 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index https://access.redhat.com/solutions/6971358 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3PhAtzjgjWX9erEAQgitxAAkbzROnq07NKrm//FdeWtbRilbSnTPFB0 uWQ94azzL8ucu8FsgPGU6vkpewleQGvbL8vy1+/M0h2/l93aIs3Bd/1QBG/06fmR 5MgkxqnZB6VeioF4AuDQL2IbCPGGb3Nwawc/uUJNdhXxpLkkUGXhKTn6Rx3SVR5u cXIBQZcm0JjFJGgBloCaiE4DVTcjcpxqetydVxh+TTOU8eFvuQ/rFhX7gxUTtv0k bRreX2/Kr14lG/cLgH900e8dCArjE7UGSbWQwSry5XeywlShCDqzzreUhtU4ngY7 1x2RWGMvRrdNRUq1pPSe2nIAGo+zARcEM9+5HgVP1RnI0o7A1irGFMVh50pZUXBF K/I/YeT+QW6xbpEy0omDkDPW9OCiAvbNWGT0LWvDy8GW5MXOOz6TOqaKtTLwTf3o rFx7YhGIHr4Y7bwEdm56HBQM/KrTWGta2nzYHLCJgFAOOFRXKpHfSuM8injlFXtt h5vwu18Ba3/e/KFDsD+uus3ytOwGQ2XgHLahIdrl+IE3YMXqyCyjdLlEHBvzvgb0 lfwz5jmESwNjb95SKow89d69Vp+Nt1is0gE4qsKNeVpzwOPgp71vkES+IjHBPzBc Tas7YpILPFHwxoSIZHHQn+p8a5aTR0mQSFn65GhO3OW4/oJEbuH7jbjMq4HnbbBd evsxa7DQ9IQ= =wJS+ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. 
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
16 November 2022

ESB-2022.5918 - [RedHat] dpdk: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5918
dpdk security and bug fix update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           dpdk
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28199 CVE-2022-2132 CVE-2021-3839

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8263

Comment: CVSS (Max):  8.6 CVE-2022-2132 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: dpdk security and bug fix update
Advisory ID:       RHSA-2022:8263-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8263
Issue date:        2022-11-15
CVE Names:         CVE-2021-3839 CVE-2022-2132 CVE-2022-28199
=====================================================================

1. Summary:

An update for dpdk is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, x86_64

3. Description:

The dpdk packages provide the Data Plane Development Kit, which is a set of libraries and drivers for fast packet processing in the user space.
Security Fix(es):

* dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs (CVE-2022-2132)
* DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash (CVE-2021-3839)
* dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service (CVE-2022-28199)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2025882 - CVE-2021-3839 DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash
2070583 - update dpdk spec file to use Epoch: 2 [rhel-9.1.0]
2099475 - CVE-2022-2132 dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs
2123549 - CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service
2126159 - [Rebase] Rebase to DPDK 21.11.2

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
dpdk-21.11.2-1.el9_1.src.rpm

aarch64:
dpdk-21.11.2-1.el9_1.aarch64.rpm
dpdk-debuginfo-21.11.2-1.el9_1.aarch64.rpm
dpdk-debugsource-21.11.2-1.el9_1.aarch64.rpm
dpdk-devel-21.11.2-1.el9_1.aarch64.rpm
dpdk-tools-21.11.2-1.el9_1.aarch64.rpm

noarch:
dpdk-doc-21.11.2-1.el9_1.noarch.rpm

ppc64le:
dpdk-21.11.2-1.el9_1.ppc64le.rpm
dpdk-debuginfo-21.11.2-1.el9_1.ppc64le.rpm
dpdk-debugsource-21.11.2-1.el9_1.ppc64le.rpm
dpdk-devel-21.11.2-1.el9_1.ppc64le.rpm
dpdk-tools-21.11.2-1.el9_1.ppc64le.rpm

x86_64:
dpdk-21.11.2-1.el9_1.x86_64.rpm
dpdk-debuginfo-21.11.2-1.el9_1.x86_64.rpm
dpdk-debugsource-21.11.2-1.el9_1.x86_64.rpm
dpdk-devel-21.11.2-1.el9_1.x86_64.rpm
dpdk-tools-21.11.2-1.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3839
https://access.redhat.com/security/cve/CVE-2022-2132
https://access.redhat.com/security/cve/CVE-2022-28199
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5917 - [RedHat] yajl: CVSS (Max): 5.9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5917
yajl security update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           yajl
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24795

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8252

Comment: CVSS (Max):  5.9 CVE-2022-24795 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: yajl security update
Advisory ID:       RHSA-2022:8252-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8252
Issue date:        2022-11-15
CVE Names:         CVE-2022-24795
=====================================================================

1. Summary:

An update for yajl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Yet Another JSON Library (YAJL) is a small event-driven (SAX-style) JSON parser written in ANSI C, and a small validating JSON generator.
Security Fix(es):

* yajl: heap-based buffer overflow when handling large inputs due to an integer overflow (CVE-2022-24795)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2072912 - CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
yajl-2.1.0-21.el9.src.rpm

aarch64:
yajl-2.1.0-21.el9.aarch64.rpm
yajl-debuginfo-2.1.0-21.el9.aarch64.rpm
yajl-debugsource-2.1.0-21.el9.aarch64.rpm

ppc64le:
yajl-2.1.0-21.el9.ppc64le.rpm
yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm
yajl-debugsource-2.1.0-21.el9.ppc64le.rpm

s390x:
yajl-2.1.0-21.el9.s390x.rpm
yajl-debuginfo-2.1.0-21.el9.s390x.rpm
yajl-debugsource-2.1.0-21.el9.s390x.rpm

x86_64:
yajl-2.1.0-21.el9.i686.rpm
yajl-2.1.0-21.el9.x86_64.rpm
yajl-debuginfo-2.1.0-21.el9.i686.rpm
yajl-debuginfo-2.1.0-21.el9.x86_64.rpm
yajl-debugsource-2.1.0-21.el9.i686.rpm
yajl-debugsource-2.1.0-21.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
yajl-debuginfo-2.1.0-21.el9.aarch64.rpm
yajl-debugsource-2.1.0-21.el9.aarch64.rpm
yajl-devel-2.1.0-21.el9.aarch64.rpm

ppc64le:
yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm
yajl-debugsource-2.1.0-21.el9.ppc64le.rpm
yajl-devel-2.1.0-21.el9.ppc64le.rpm

s390x:
yajl-debuginfo-2.1.0-21.el9.s390x.rpm
yajl-debugsource-2.1.0-21.el9.s390x.rpm
yajl-devel-2.1.0-21.el9.s390x.rpm

x86_64:
yajl-debuginfo-2.1.0-21.el9.i686.rpm
yajl-debuginfo-2.1.0-21.el9.x86_64.rpm
yajl-debugsource-2.1.0-21.el9.i686.rpm
yajl-debugsource-2.1.0-21.el9.x86_64.rpm
yajl-devel-2.1.0-21.el9.i686.rpm
yajl-devel-2.1.0-21.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24795
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5916 - [RedHat] grafana-pcp: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5916
grafana-pcp security update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           grafana-pcp
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32148 CVE-2022-30635 CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-1705

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8250

Comment: CVSS (Max):  7.5 CVE-2022-30635 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: grafana-pcp security update
Advisory ID:       RHSA-2022:8250-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8250
Issue date:        2022-11-15
CVE Names:         CVE-2022-1705 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30635 CVE-2022-32148
=====================================================================

1. Summary:

An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.

Security Fix(es):

* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
grafana-pcp-3.2.0-3.el9.src.rpm

aarch64:
grafana-pcp-3.2.0-3.el9.aarch64.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.aarch64.rpm

ppc64le:
grafana-pcp-3.2.0-3.el9.ppc64le.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.ppc64le.rpm

s390x:
grafana-pcp-3.2.0-3.el9.s390x.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.s390x.rpm

x86_64:
grafana-pcp-3.2.0-3.el9.x86_64.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5915 - [RedHat] python-lxml: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5915
python-lxml security update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           python-lxml
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2309

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8226

Comment: CVSS (Max):  7.5 CVE-2022-2309 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: python-lxml security update
Advisory ID:       RHSA-2022:8226-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8226
Issue date:        2022-11-15
CVE Names:         CVE-2022-2309
=====================================================================

1. Summary:

An update for python-lxml is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

lxml is an XML processing library providing access to libxml2 and libxslt libraries using the Python ElementTree API.

Security Fix(es):

* lxml: NULL Pointer Dereference in lxml (CVE-2022-2309)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107571 - CVE-2022-2309 lxml: NULL Pointer Dereference in lxml

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
python-lxml-4.6.5-3.el9.src.rpm

aarch64:
python-lxml-debugsource-4.6.5-3.el9.aarch64.rpm
python3-lxml-4.6.5-3.el9.aarch64.rpm
python3-lxml-debuginfo-4.6.5-3.el9.aarch64.rpm

ppc64le:
python-lxml-debugsource-4.6.5-3.el9.ppc64le.rpm
python3-lxml-4.6.5-3.el9.ppc64le.rpm
python3-lxml-debuginfo-4.6.5-3.el9.ppc64le.rpm

s390x:
python-lxml-debugsource-4.6.5-3.el9.s390x.rpm
python3-lxml-4.6.5-3.el9.s390x.rpm
python3-lxml-debuginfo-4.6.5-3.el9.s390x.rpm

x86_64:
python-lxml-debugsource-4.6.5-3.el9.x86_64.rpm
python3-lxml-4.6.5-3.el9.x86_64.rpm
python3-lxml-debuginfo-4.6.5-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2309
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY3RHhMkNZI30y1K9AQiIQQ//eLr83kvTxHtP+blkeCNqHQuF9Edvm1gJ ryQdOJzz8LZVb/lM2dINFojT2YPQZWQdJ6ZbOM4QYBGhD8VcbuUgBjkciUG/cJSI 65/kLx0Zx2f8CWFZXNLd9JFfEKsXrsBo9fGES41SE+dKvo6wkDkh0469c+qOraSB hMky46QT+wTOCFMJooRaDvjwD+CqW7UOhm1TEInnLCa8bWEKAiV+1VVr+W5NUXTB L3sOr0+8kF0Ox8D9w6Jfs8TDAng2hk+P4S3JAI7eb/FN4Pk+9b8rift5LwPuWYyq k8wfAzx2IKHoB9DAvaMa9BXY9OMcSmij4omK5TYt5Z3O03++PxO/OoYqTz+e1Yd1 Y7bhv3K7D44fGxZyknD7FegSel7iC7bYYL2rTB7S1bvcFlRJABXZCw4PVrkDSmUJ WMd6tn+4o+T+oaxh3VsuZ34vGRcVGkW240QRy3fgiiNVwmWfwDMqIBc0iNZUwMN0 GrlE6/KxFlAWRBKDydeBwb2wFnW4p2jV1lgTFrnZhPm2ldR6LMFGd+ACrru10JTM h/KIl8ha7fRPgLGX3obxQugVPk65l5N108zeGM+V7sf0VFNhB65Kuf3yasah5Ky7 8Dbtx8zwymivUJj/4Ch8eRMQU17Jd/jqiOepz71ZU6brX3V2I7nkhqWZcuooirP8 mNuPaZ/TEqY= =BGDn -----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5914 - [RedHat] xorg-x11-server-Xwayland: CVSS (Max): 7.8

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5914
xorg-x11-server-Xwayland security update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: xorg-x11-server-Xwayland
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2320 CVE-2022-2319

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8222

Comment: CVSS (Max): 7.8 CVE-2022-2320 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: xorg-x11-server-Xwayland security update
Advisory ID: RHSA-2022:8222-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8222
Issue date: 2022-11-15
CVE Names: CVE-2022-2319 CVE-2022-2320
=====================================================================

1. Summary:

An update for xorg-x11-server-Xwayland is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Xwayland is an X server for running X clients under Wayland.
Security Fix(es):

* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)

* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension (CVE-2022-2320)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2106671 - CVE-2022-2319 xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
2106683 - CVE-2022-2320 xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
xorg-x11-server-Xwayland-21.1.3-3.el9.src.rpm

aarch64:
xorg-x11-server-Xwayland-21.1.3-3.el9.aarch64.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.aarch64.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.aarch64.rpm

ppc64le:
xorg-x11-server-Xwayland-21.1.3-3.el9.ppc64le.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.ppc64le.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.ppc64le.rpm

s390x:
xorg-x11-server-Xwayland-21.1.3-3.el9.s390x.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.s390x.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.s390x.rpm

x86_64:
xorg-x11-server-Xwayland-21.1.3-3.el9.x86_64.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.x86_64.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.
References:

https://access.redhat.com/security/cve/CVE-2022-2319
https://access.redhat.com/security/cve/CVE-2022-2320
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5913 - [RedHat] xorg-x11-server: CVSS (Max): 7.8

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5913
xorg-x11-server security and bug fix update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: xorg-x11-server
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2320 CVE-2022-2319

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8221

Comment: CVSS (Max): 7.8 CVE-2022-2320 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: xorg-x11-server security and bug fix update
Advisory ID: RHSA-2022:8221-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8221
Issue date: 2022-11-15
CVE Names: CVE-2022-2319 CVE-2022-2320
=====================================================================

1. Summary:

An update for xorg-x11-server is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

X.Org is an open-source implementation of the X Window System.
It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

Security Fix(es):

* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)

* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension (CVE-2022-2320)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2106671 - CVE-2022-2319 xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
2106683 - CVE-2022-2320 xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension
2119807 - xorg-x11-server-source binary package missing from repository

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
xorg-x11-server-1.20.11-11.el9.src.rpm

aarch64:
xorg-x11-server-Xdmx-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-common-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.aarch64.rpm

ppc64le:
xorg-x11-server-Xdmx-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-common-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.ppc64le.rpm

s390x:
xorg-x11-server-Xdmx-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-common-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.s390x.rpm

x86_64:
xorg-x11-server-Xdmx-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-common-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-devel-1.20.11-11.el9.aarch64.rpm

noarch:
xorg-x11-server-source-1.20.11-11.el9.noarch.rpm

ppc64le:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-devel-1.20.11-11.el9.ppc64le.rpm

s390x:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.s390x.rpm
xorg-x11-server-devel-1.20.11-11.el9.s390x.rpm

x86_64:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.i686.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-devel-1.20.11-11.el9.i686.rpm
xorg-x11-server-devel-1.20.11-11.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2319
https://access.redhat.com/security/cve/CVE-2022-2320
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5912 - [RedHat] mutt: CVSS (Max): 6.5

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5912
mutt security update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: mutt
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1328

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8219

Comment: CVSS (Max): 6.5 CVE-2022-1328 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: mutt security update
Advisory ID: RHSA-2022:8219-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8219
Issue date: 2022-11-15
CVE Names: CVE-2022-1328
=====================================================================

1. Summary:

An update for mutt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP.
Security Fix(es):

* mutt: buffer overflow in uudecoder function (CVE-2022-1328)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2076058 - CVE-2022-1328 mutt: buffer overflow in uudecoder function

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
mutt-2.2.6-1.el9.src.rpm

aarch64:
mutt-2.2.6-1.el9.aarch64.rpm
mutt-debuginfo-2.2.6-1.el9.aarch64.rpm
mutt-debugsource-2.2.6-1.el9.aarch64.rpm

ppc64le:
mutt-2.2.6-1.el9.ppc64le.rpm
mutt-debuginfo-2.2.6-1.el9.ppc64le.rpm
mutt-debugsource-2.2.6-1.el9.ppc64le.rpm

s390x:
mutt-2.2.6-1.el9.s390x.rpm
mutt-debuginfo-2.2.6-1.el9.s390x.rpm
mutt-debugsource-2.2.6-1.el9.s390x.rpm

x86_64:
mutt-2.2.6-1.el9.x86_64.rpm
mutt-debuginfo-2.2.6-1.el9.x86_64.rpm
mutt-debugsource-2.2.6-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1328
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5911 - [RedHat] dovecot: CVSS (Max): 6.8

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5911
dovecot security and enhancement update
16 November 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: dovecot
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30550

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8208

Comment: CVSS (Max): 6.8 CVE-2022-30550 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: dovecot security and enhancement update
Advisory ID: RHSA-2022:8208-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8208
Issue date: 2022-11-15
CVE Names: CVE-2022-30550
=====================================================================

1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind.
It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix(es): * dovecot: Privilege escalation when similar master and non-master passdbs are used (CVE-2022-30550) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2053368 - installing dovecot-pgsql via kickstart fails on Error in POSTIN scriptlet 2095399 - [RFE] dovecot use systemd-sysusers 2105070 - CVE-2022-30550 dovecot: Privilege escalation when similar master and non-master passdbs are used 6. Package List: Red Hat Enterprise Linux AppStream (v. 
9): Source: dovecot-2.3.16-7.el9.src.rpm aarch64: dovecot-2.3.16-7.el9.aarch64.rpm dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-debugsource-2.3.16-7.el9.aarch64.rpm dovecot-mysql-2.3.16-7.el9.aarch64.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-pgsql-2.3.16-7.el9.aarch64.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-pigeonhole-2.3.16-7.el9.aarch64.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm ppc64le: dovecot-2.3.16-7.el9.ppc64le.rpm dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm dovecot-mysql-2.3.16-7.el9.ppc64le.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-pgsql-2.3.16-7.el9.ppc64le.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-pigeonhole-2.3.16-7.el9.ppc64le.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm s390x: dovecot-2.3.16-7.el9.s390x.rpm dovecot-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-debugsource-2.3.16-7.el9.s390x.rpm dovecot-mysql-2.3.16-7.el9.s390x.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-pgsql-2.3.16-7.el9.s390x.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-pigeonhole-2.3.16-7.el9.s390x.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm x86_64: dovecot-2.3.16-7.el9.x86_64.rpm dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-debugsource-2.3.16-7.el9.x86_64.rpm dovecot-mysql-2.3.16-7.el9.x86_64.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-pgsql-2.3.16-7.el9.x86_64.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-pigeonhole-2.3.16-7.el9.x86_64.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm Red Hat CodeReady Linux Builder (v. 
9): aarch64: dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-debugsource-2.3.16-7.el9.aarch64.rpm dovecot-devel-2.3.16-7.el9.aarch64.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm ppc64le: dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm dovecot-devel-2.3.16-7.el9.ppc64le.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm s390x: dovecot-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-debugsource-2.3.16-7.el9.s390x.rpm dovecot-devel-2.3.16-7.el9.s390x.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm x86_64: dovecot-2.3.16-7.el9.i686.rpm dovecot-debuginfo-2.3.16-7.el9.i686.rpm dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-debugsource-2.3.16-7.el9.i686.rpm dovecot-debugsource-2.3.16-7.el9.x86_64.rpm dovecot-devel-2.3.16-7.el9.i686.rpm dovecot-devel-2.3.16-7.el9.x86_64.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.i686.rpm dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.i686.rpm dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.i686.rpm dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-30550 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. 
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
16 November 2022

ESB-2022.5910 - [RedHat] openjpeg2: CVSS (Max): 5.1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5910
openjpeg2 security update
16 November 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           openjpeg2
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1122

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8207

Comment: CVSS (Max):  5.1 CVE-2022-1122 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: openjpeg2 security update
Advisory ID:       RHSA-2022:8207-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8207
Issue date:        2022-11-15
CVE Names:         CVE-2022-1122
=====================================================================

1. Summary:

An update for openjpeg2 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.

Security Fix(es):

* openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer (CVE-2022-1122)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067052 - CVE-2022-1122 openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
openjpeg2-2.4.0-7.el9.src.rpm

aarch64:
openjpeg2-2.4.0-7.el9.aarch64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm

ppc64le:
openjpeg2-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm

s390x:
openjpeg2-2.4.0-7.el9.s390x.rpm
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm

x86_64:
openjpeg2-2.4.0-7.el9.i686.rpm
openjpeg2-2.4.0-7.el9.x86_64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-devel-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm

ppc64le:
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-devel-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm

s390x:
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-devel-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm

x86_64:
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-devel-2.4.0-7.el9.i686.rpm
openjpeg2-devel-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-2.4.0-7.el9.i686.rpm
openjpeg2-tools-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5909 - [RedHat] php: CVSS (Max): 9.8

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5909
php security, bug fix, and enhancement update
16 November 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           php
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31625 CVE-2021-21708

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8197

Comment: CVSS (Max):  9.8 CVE-2021-21708 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8197-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8197
Issue date:        2022-11-15
CVE Names:         CVE-2021-21708 CVE-2022-31625
=====================================================================

1. Summary:

An update for php is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

The following packages have been upgraded to a later upstream version: php (8.0.20). (BZ#2095752)

Security Fix(es):

* php: Use after free due to php_filter_float() failing for ints (CVE-2021-21708)

* php: Uninitialized array in pg_query_params() leading to RCE (CVE-2022-31625)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2055879 - CVE-2021-21708 php: Use after free due to php_filter_float() failing for ints
2095447 - php-fpm has an odd Requires
2095752 - Rebase to 8.0.20
2098521 - CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE
2104630 - PHP 8 snmp3 Calls Using authPriv or authNoPriv Immediately Return False Without Error Message

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
php-8.0.20-3.el9.src.rpm

aarch64:
php-8.0.20-3.el9.aarch64.rpm
php-bcmath-8.0.20-3.el9.aarch64.rpm
php-bcmath-debuginfo-8.0.20-3.el9.aarch64.rpm
php-cli-8.0.20-3.el9.aarch64.rpm
php-cli-debuginfo-8.0.20-3.el9.aarch64.rpm
php-common-8.0.20-3.el9.aarch64.rpm
php-common-debuginfo-8.0.20-3.el9.aarch64.rpm
php-dba-8.0.20-3.el9.aarch64.rpm
php-dba-debuginfo-8.0.20-3.el9.aarch64.rpm
php-dbg-8.0.20-3.el9.aarch64.rpm
php-dbg-debuginfo-8.0.20-3.el9.aarch64.rpm
php-debuginfo-8.0.20-3.el9.aarch64.rpm
php-debugsource-8.0.20-3.el9.aarch64.rpm
php-devel-8.0.20-3.el9.aarch64.rpm
php-embedded-8.0.20-3.el9.aarch64.rpm
php-embedded-debuginfo-8.0.20-3.el9.aarch64.rpm
php-enchant-8.0.20-3.el9.aarch64.rpm
php-enchant-debuginfo-8.0.20-3.el9.aarch64.rpm
php-ffi-8.0.20-3.el9.aarch64.rpm
php-ffi-debuginfo-8.0.20-3.el9.aarch64.rpm
php-fpm-8.0.20-3.el9.aarch64.rpm
php-fpm-debuginfo-8.0.20-3.el9.aarch64.rpm
php-gd-8.0.20-3.el9.aarch64.rpm
php-gd-debuginfo-8.0.20-3.el9.aarch64.rpm
php-gmp-8.0.20-3.el9.aarch64.rpm
php-gmp-debuginfo-8.0.20-3.el9.aarch64.rpm
php-intl-8.0.20-3.el9.aarch64.rpm
php-intl-debuginfo-8.0.20-3.el9.aarch64.rpm
php-ldap-8.0.20-3.el9.aarch64.rpm
php-ldap-debuginfo-8.0.20-3.el9.aarch64.rpm
php-mbstring-8.0.20-3.el9.aarch64.rpm
php-mbstring-debuginfo-8.0.20-3.el9.aarch64.rpm
php-mysqlnd-8.0.20-3.el9.aarch64.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.aarch64.rpm
php-odbc-8.0.20-3.el9.aarch64.rpm
php-odbc-debuginfo-8.0.20-3.el9.aarch64.rpm
php-opcache-8.0.20-3.el9.aarch64.rpm
php-opcache-debuginfo-8.0.20-3.el9.aarch64.rpm
php-pdo-8.0.20-3.el9.aarch64.rpm
php-pdo-debuginfo-8.0.20-3.el9.aarch64.rpm
php-pgsql-8.0.20-3.el9.aarch64.rpm
php-pgsql-debuginfo-8.0.20-3.el9.aarch64.rpm
php-process-8.0.20-3.el9.aarch64.rpm
php-process-debuginfo-8.0.20-3.el9.aarch64.rpm
php-snmp-8.0.20-3.el9.aarch64.rpm
php-snmp-debuginfo-8.0.20-3.el9.aarch64.rpm
php-soap-8.0.20-3.el9.aarch64.rpm
php-soap-debuginfo-8.0.20-3.el9.aarch64.rpm
php-xml-8.0.20-3.el9.aarch64.rpm
php-xml-debuginfo-8.0.20-3.el9.aarch64.rpm

ppc64le:
php-8.0.20-3.el9.ppc64le.rpm
php-bcmath-8.0.20-3.el9.ppc64le.rpm
php-bcmath-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-cli-8.0.20-3.el9.ppc64le.rpm
php-cli-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-common-8.0.20-3.el9.ppc64le.rpm
php-common-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-dba-8.0.20-3.el9.ppc64le.rpm
php-dba-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-dbg-8.0.20-3.el9.ppc64le.rpm
php-dbg-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-debugsource-8.0.20-3.el9.ppc64le.rpm
php-devel-8.0.20-3.el9.ppc64le.rpm
php-embedded-8.0.20-3.el9.ppc64le.rpm
php-embedded-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-enchant-8.0.20-3.el9.ppc64le.rpm
php-enchant-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-ffi-8.0.20-3.el9.ppc64le.rpm
php-ffi-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-fpm-8.0.20-3.el9.ppc64le.rpm
php-fpm-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-gd-8.0.20-3.el9.ppc64le.rpm
php-gd-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-gmp-8.0.20-3.el9.ppc64le.rpm
php-gmp-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-intl-8.0.20-3.el9.ppc64le.rpm
php-intl-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-ldap-8.0.20-3.el9.ppc64le.rpm
php-ldap-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-mbstring-8.0.20-3.el9.ppc64le.rpm
php-mbstring-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-mysqlnd-8.0.20-3.el9.ppc64le.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-odbc-8.0.20-3.el9.ppc64le.rpm
php-odbc-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-opcache-8.0.20-3.el9.ppc64le.rpm
php-opcache-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-pdo-8.0.20-3.el9.ppc64le.rpm
php-pdo-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-pgsql-8.0.20-3.el9.ppc64le.rpm
php-pgsql-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-process-8.0.20-3.el9.ppc64le.rpm
php-process-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-snmp-8.0.20-3.el9.ppc64le.rpm
php-snmp-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-soap-8.0.20-3.el9.ppc64le.rpm
php-soap-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-xml-8.0.20-3.el9.ppc64le.rpm
php-xml-debuginfo-8.0.20-3.el9.ppc64le.rpm

s390x:
php-8.0.20-3.el9.s390x.rpm
php-bcmath-8.0.20-3.el9.s390x.rpm
php-bcmath-debuginfo-8.0.20-3.el9.s390x.rpm
php-cli-8.0.20-3.el9.s390x.rpm
php-cli-debuginfo-8.0.20-3.el9.s390x.rpm
php-common-8.0.20-3.el9.s390x.rpm
php-common-debuginfo-8.0.20-3.el9.s390x.rpm
php-dba-8.0.20-3.el9.s390x.rpm
php-dba-debuginfo-8.0.20-3.el9.s390x.rpm
php-dbg-8.0.20-3.el9.s390x.rpm
php-dbg-debuginfo-8.0.20-3.el9.s390x.rpm
php-debuginfo-8.0.20-3.el9.s390x.rpm
php-debugsource-8.0.20-3.el9.s390x.rpm
php-devel-8.0.20-3.el9.s390x.rpm
php-embedded-8.0.20-3.el9.s390x.rpm
php-embedded-debuginfo-8.0.20-3.el9.s390x.rpm
php-enchant-8.0.20-3.el9.s390x.rpm
php-enchant-debuginfo-8.0.20-3.el9.s390x.rpm
php-ffi-8.0.20-3.el9.s390x.rpm
php-ffi-debuginfo-8.0.20-3.el9.s390x.rpm
php-fpm-8.0.20-3.el9.s390x.rpm
php-fpm-debuginfo-8.0.20-3.el9.s390x.rpm
php-gd-8.0.20-3.el9.s390x.rpm
php-gd-debuginfo-8.0.20-3.el9.s390x.rpm
php-gmp-8.0.20-3.el9.s390x.rpm
php-gmp-debuginfo-8.0.20-3.el9.s390x.rpm
php-intl-8.0.20-3.el9.s390x.rpm
php-intl-debuginfo-8.0.20-3.el9.s390x.rpm
php-ldap-8.0.20-3.el9.s390x.rpm
php-ldap-debuginfo-8.0.20-3.el9.s390x.rpm
php-mbstring-8.0.20-3.el9.s390x.rpm
php-mbstring-debuginfo-8.0.20-3.el9.s390x.rpm
php-mysqlnd-8.0.20-3.el9.s390x.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.s390x.rpm
php-odbc-8.0.20-3.el9.s390x.rpm
php-odbc-debuginfo-8.0.20-3.el9.s390x.rpm
php-opcache-8.0.20-3.el9.s390x.rpm
php-opcache-debuginfo-8.0.20-3.el9.s390x.rpm
php-pdo-8.0.20-3.el9.s390x.rpm
php-pdo-debuginfo-8.0.20-3.el9.s390x.rpm
php-pgsql-8.0.20-3.el9.s390x.rpm
php-pgsql-debuginfo-8.0.20-3.el9.s390x.rpm
php-process-8.0.20-3.el9.s390x.rpm
php-process-debuginfo-8.0.20-3.el9.s390x.rpm
php-snmp-8.0.20-3.el9.s390x.rpm
php-snmp-debuginfo-8.0.20-3.el9.s390x.rpm
php-soap-8.0.20-3.el9.s390x.rpm
php-soap-debuginfo-8.0.20-3.el9.s390x.rpm
php-xml-8.0.20-3.el9.s390x.rpm
php-xml-debuginfo-8.0.20-3.el9.s390x.rpm

x86_64:
php-8.0.20-3.el9.x86_64.rpm
php-bcmath-8.0.20-3.el9.x86_64.rpm
php-bcmath-debuginfo-8.0.20-3.el9.x86_64.rpm
php-cli-8.0.20-3.el9.x86_64.rpm
php-cli-debuginfo-8.0.20-3.el9.x86_64.rpm
php-common-8.0.20-3.el9.x86_64.rpm
php-common-debuginfo-8.0.20-3.el9.x86_64.rpm
php-dba-8.0.20-3.el9.x86_64.rpm
php-dba-debuginfo-8.0.20-3.el9.x86_64.rpm
php-dbg-8.0.20-3.el9.x86_64.rpm
php-dbg-debuginfo-8.0.20-3.el9.x86_64.rpm
php-debuginfo-8.0.20-3.el9.x86_64.rpm
php-debugsource-8.0.20-3.el9.x86_64.rpm
php-devel-8.0.20-3.el9.x86_64.rpm
php-embedded-8.0.20-3.el9.x86_64.rpm
php-embedded-debuginfo-8.0.20-3.el9.x86_64.rpm
php-enchant-8.0.20-3.el9.x86_64.rpm
php-enchant-debuginfo-8.0.20-3.el9.x86_64.rpm
php-ffi-8.0.20-3.el9.x86_64.rpm
php-ffi-debuginfo-8.0.20-3.el9.x86_64.rpm
php-fpm-8.0.20-3.el9.x86_64.rpm
php-fpm-debuginfo-8.0.20-3.el9.x86_64.rpm
php-gd-8.0.20-3.el9.x86_64.rpm
php-gd-debuginfo-8.0.20-3.el9.x86_64.rpm
php-gmp-8.0.20-3.el9.x86_64.rpm
php-gmp-debuginfo-8.0.20-3.el9.x86_64.rpm
php-intl-8.0.20-3.el9.x86_64.rpm
php-intl-debuginfo-8.0.20-3.el9.x86_64.rpm
php-ldap-8.0.20-3.el9.x86_64.rpm
php-ldap-debuginfo-8.0.20-3.el9.x86_64.rpm
php-mbstring-8.0.20-3.el9.x86_64.rpm
php-mbstring-debuginfo-8.0.20-3.el9.x86_64.rpm
php-mysqlnd-8.0.20-3.el9.x86_64.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.x86_64.rpm
php-odbc-8.0.20-3.el9.x86_64.rpm
php-odbc-debuginfo-8.0.20-3.el9.x86_64.rpm
php-opcache-8.0.20-3.el9.x86_64.rpm
php-opcache-debuginfo-8.0.20-3.el9.x86_64.rpm
php-pdo-8.0.20-3.el9.x86_64.rpm
php-pdo-debuginfo-8.0.20-3.el9.x86_64.rpm
php-pgsql-8.0.20-3.el9.x86_64.rpm
php-pgsql-debuginfo-8.0.20-3.el9.x86_64.rpm
php-process-8.0.20-3.el9.x86_64.rpm
php-process-debuginfo-8.0.20-3.el9.x86_64.rpm
php-snmp-8.0.20-3.el9.x86_64.rpm
php-snmp-debuginfo-8.0.20-3.el9.x86_64.rpm
php-soap-8.0.20-3.el9.x86_64.rpm
php-soap-debuginfo-8.0.20-3.el9.x86_64.rpm
php-xml-8.0.20-3.el9.x86_64.rpm
php-xml-debuginfo-8.0.20-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-21708
https://access.redhat.com/security/cve/CVE-2022-31625
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
16 November 2022

ESB-2022.5908 - [RedHat] libtiff: CVSS (Max): 6.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5908
libtiff security update
16 November 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: libtiff
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22844 CVE-2022-1355 CVE-2022-1354 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-0891 CVE-2022-0865 CVE-2022-0562 CVE-2022-0561

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8194

Comment: CVSS (Max): 6.6 CVE-2022-1355 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: libtiff security update
Advisory ID: RHSA-2022:8194-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8194
Issue date: 2022-11-15
CVE Names: CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1354 CVE-2022-1355 CVE-2022-22844
=====================================================================

1. Summary:

An update for libtiff is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es):

* libtiff: Denial of Service via crafted TIFF file (CVE-2022-0561)
* libtiff: Null source pointer lead to Denial of Service via crafted TIFF file (CVE-2022-0562)
* libtiff: reachable assertion (CVE-2022-0865)
* libtiff: Out-of-bounds Read error in tiffcp (CVE-2022-0924)
* libtiff: stack-buffer-overflow in tiffcp.c in main() (CVE-2022-1355)
* libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c (CVE-2022-22844)
* libtiff: heap buffer overflow in extractImageSection (CVE-2022-0891)
* tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c (CVE-2022-0908)
* tiff: Divide By Zero error in tiffcrop (CVE-2022-0909)
* libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c (CVE-2022-1354)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications linked against libtiff must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2042603 - CVE-2022-22844 libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c
2054494 - CVE-2022-0561 libtiff: Denial of Service via crafted TIFF file
2054495 - CVE-2022-0562 libtiff: Null source pointer lead to Denial of Service via crafted TIFF file
2064145 - CVE-2022-0908 tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c
2064146 - CVE-2022-0909 tiff: Divide By Zero error in tiffcrop
2064148 - CVE-2022-0924 libtiff: Out-of-bounds Read error in tiffcp
2064406 - CVE-2022-0865 libtiff: reachable assertion
2064411 - CVE-2022-0891 libtiff: heap buffer overflow in extractImageSection
2074404 - CVE-2022-1354 libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c
2074415 - CVE-2022-1355 libtiff: stack-buffer-overflow in tiffcp.c in main()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
libtiff-4.4.0-2.el9.src.rpm

aarch64:
libtiff-4.4.0-2.el9.aarch64.rpm
libtiff-debuginfo-4.4.0-2.el9.aarch64.rpm
libtiff-debugsource-4.4.0-2.el9.aarch64.rpm
libtiff-devel-4.4.0-2.el9.aarch64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.aarch64.rpm

ppc64le:
libtiff-4.4.0-2.el9.ppc64le.rpm
libtiff-debuginfo-4.4.0-2.el9.ppc64le.rpm
libtiff-debugsource-4.4.0-2.el9.ppc64le.rpm
libtiff-devel-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.ppc64le.rpm

s390x:
libtiff-4.4.0-2.el9.s390x.rpm
libtiff-debuginfo-4.4.0-2.el9.s390x.rpm
libtiff-debugsource-4.4.0-2.el9.s390x.rpm
libtiff-devel-4.4.0-2.el9.s390x.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.s390x.rpm

x86_64:
libtiff-4.4.0-2.el9.i686.rpm
libtiff-4.4.0-2.el9.x86_64.rpm
libtiff-debuginfo-4.4.0-2.el9.i686.rpm
libtiff-debuginfo-4.4.0-2.el9.x86_64.rpm
libtiff-debugsource-4.4.0-2.el9.i686.rpm
libtiff-debugsource-4.4.0-2.el9.x86_64.rpm
libtiff-devel-4.4.0-2.el9.i686.rpm
libtiff-devel-4.4.0-2.el9.x86_64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.i686.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
libtiff-debuginfo-4.4.0-2.el9.aarch64.rpm
libtiff-debugsource-4.4.0-2.el9.aarch64.rpm
libtiff-tools-4.4.0-2.el9.aarch64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.aarch64.rpm

ppc64le:
libtiff-debuginfo-4.4.0-2.el9.ppc64le.rpm
libtiff-debugsource-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.ppc64le.rpm

s390x:
libtiff-debuginfo-4.4.0-2.el9.s390x.rpm
libtiff-debugsource-4.4.0-2.el9.s390x.rpm
libtiff-tools-4.4.0-2.el9.s390x.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.s390x.rpm

x86_64:
libtiff-debuginfo-4.4.0-2.el9.x86_64.rpm
libtiff-debugsource-4.4.0-2.el9.x86_64.rpm
libtiff-tools-4.4.0-2.el9.x86_64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1354
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5907 - [RedHat] 389-ds-base: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5907
389-ds-base security, bug fix, and enhancement update
16 November 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: 389-ds-base
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2850 CVE-2022-0996 CVE-2022-0918

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8162

Comment: CVSS (Max): 7.5 CVE-2022-0918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8162-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8162
Issue date: 2022-11-15
CVE Names: CVE-2022-0918 CVE-2022-0996 CVE-2022-2850
=====================================================================

1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version: 389-ds-base (2.1.3). (BZ#2061801)

Security Fix(es):

* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)
* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)
* 389-ds-base: expired password was still allowed to access the database (CVE-2022-0996)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872451 - [RFE] 389ds: run as non-root
2052527 - RFE - Provide an option to abort an Auto Member rebuild task.
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS
2057056 - Import may break the replication because changelog starting csn may not be created
2057063 - Add support for recursively deleting subentries
2061801 - Rebase 389-ds-base in RHEL 9.1
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database
2100337 - dsconf backend export userroot fails ldap.DECODING_ERROR
2100572 - Versions for RHDS 9.1 do not match in dirsrv logs and output from rpm -qa
2115348 - memory leak with filter optimizer
2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
389-ds-base-2.1.3-4.el9_1.src.rpm

aarch64:
389-ds-base-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.aarch64.rpm

noarch:
python3-lib389-2.1.3-4.el9_1.noarch.rpm

ppc64le:
389-ds-base-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.ppc64le.rpm

s390x:
389-ds-base-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.s390x.rpm

x86_64:
389-ds-base-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0918
https://access.redhat.com/security/cve/CVE-2022-0996
https://access.redhat.com/security/cve/CVE-2022-2850
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5906 - [RedHat] poppler: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.5906
poppler security and bug fix update
16 November 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: poppler
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27337

Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8151

Comment: CVSS (Max): 6.5 CVE-2022-27337 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: poppler security and bug fix update
Advisory ID: RHSA-2022:8151-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8151
Issue date: 2022-11-15
CVE Names: CVE-2022-27337
=====================================================================

1. Summary:

An update for poppler is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince.

Security Fix(es):

* poppler: A logic error in the Hints::Hints function can cause denial of service (CVE-2022-27337)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087190 - CVE-2022-27337 poppler: A logic error in the Hints::Hints function can cause denial of service
2096451 - [RHEL9] Please put poppler-qt5 in AppStream

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
poppler-21.01.0-13.el9.src.rpm

aarch64:
poppler-21.01.0-13.el9.aarch64.rpm
poppler-cpp-21.01.0-13.el9.aarch64.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debugsource-21.01.0-13.el9.aarch64.rpm
poppler-glib-21.01.0-13.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-qt5-21.01.0-13.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-utils-21.01.0-13.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.aarch64.rpm

ppc64le:
poppler-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debugsource-21.01.0-13.el9.ppc64le.rpm
poppler-glib-21.01.0-13.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-utils-21.01.0-13.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-13.el9.ppc64le.rpm

s390x:
poppler-21.01.0-13.el9.s390x.rpm
poppler-cpp-21.01.0-13.el9.s390x.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debugsource-21.01.0-13.el9.s390x.rpm
poppler-glib-21.01.0-13.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-qt5-21.01.0-13.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-utils-21.01.0-13.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-13.el9.s390x.rpm

x86_64:
poppler-21.01.0-13.el9.i686.rpm
poppler-21.01.0-13.el9.x86_64.rpm
poppler-cpp-21.01.0-13.el9.i686.rpm
poppler-cpp-21.01.0-13.el9.x86_64.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debuginfo-21.01.0-13.el9.i686.rpm
poppler-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debugsource-21.01.0-13.el9.i686.rpm
poppler-debugsource-21.01.0-13.el9.x86_64.rpm
poppler-glib-21.01.0-13.el9.i686.rpm
poppler-glib-21.01.0-13.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-qt5-21.01.0-13.el9.i686.rpm
poppler-qt5-21.01.0-13.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-utils-21.01.0-13.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-13.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
poppler-cpp-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-cpp-devel-21.01.0-13.el9.aarch64.rpm
poppler-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debugsource-21.01.0-13.el9.aarch64.rpm
poppler-devel-21.01.0-13.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-glib-devel-21.01.0-13.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-qt5-devel-21.01.0-13.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.aarch64.rpm

ppc64le:
poppler-cpp-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-devel-21.01.0-13.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debugsource-21.01.0-13.el9.ppc64le.rpm
poppler-devel-21.01.0-13.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-glib-devel-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-devel-21.01.0-13.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-13.el9.ppc64le.rpm

s390x:
poppler-cpp-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-cpp-devel-21.01.0-13.el9.s390x.rpm
poppler-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debugsource-21.01.0-13.el9.s390x.rpm
poppler-devel-21.01.0-13.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-glib-devel-21.01.0-13.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-qt5-devel-21.01.0-13.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-13.el9.s390x.rpm

x86_64:
poppler-cpp-debuginfo-21.01.0-13.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-cpp-devel-21.01.0-13.el9.i686.rpm
poppler-cpp-devel-21.01.0-13.el9.x86_64.rpm
poppler-debuginfo-21.01.0-13.el9.i686.rpm
poppler-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debugsource-21.01.0-13.el9.i686.rpm
poppler-debugsource-21.01.0-13.el9.x86_64.rpm
poppler-devel-21.01.0-13.el9.i686.rpm
poppler-devel-21.01.0-13.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-glib-devel-21.01.0-13.el9.i686.rpm
poppler-glib-devel-21.01.0-13.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-qt5-devel-21.01.0-13.el9.i686.rpm
poppler-qt5-devel-21.01.0-13.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-13.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27337
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5905 - [RedHat] wavpack: CVSS (Max): 3.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5905
                          wavpack security update
                               16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           wavpack
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44269
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8139

Comment: CVSS (Max):  3.5 CVE-2021-44269 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: wavpack security update
Advisory ID:       RHSA-2022:8139-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8139
Issue date:        2022-11-15
CVE Names:         CVE-2021-44269
=====================================================================

1. Summary:

An update for wavpack is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode.

Security Fix(es):

* wavpack: Heap out-of-bounds read in WavpackPackSamples() (CVE-2021-44269)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2064457 - CVE-2021-44269 wavpack: Heap out-of-bounds read in WavpackPackSamples()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source: wavpack-5.4.0-5.el9.src.rpm
aarch64: wavpack-5.4.0-5.el9.aarch64.rpm wavpack-debuginfo-5.4.0-5.el9.aarch64.rpm wavpack-debugsource-5.4.0-5.el9.aarch64.rpm
ppc64le: wavpack-5.4.0-5.el9.ppc64le.rpm wavpack-debuginfo-5.4.0-5.el9.ppc64le.rpm wavpack-debugsource-5.4.0-5.el9.ppc64le.rpm
s390x: wavpack-5.4.0-5.el9.s390x.rpm wavpack-debuginfo-5.4.0-5.el9.s390x.rpm wavpack-debugsource-5.4.0-5.el9.s390x.rpm
x86_64: wavpack-5.4.0-5.el9.i686.rpm wavpack-5.4.0-5.el9.x86_64.rpm wavpack-debuginfo-5.4.0-5.el9.i686.rpm wavpack-debuginfo-5.4.0-5.el9.x86_64.rpm wavpack-debugsource-5.4.0-5.el9.i686.rpm wavpack-debugsource-5.4.0-5.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64: wavpack-debuginfo-5.4.0-5.el9.aarch64.rpm wavpack-debugsource-5.4.0-5.el9.aarch64.rpm wavpack-devel-5.4.0-5.el9.aarch64.rpm
ppc64le: wavpack-debuginfo-5.4.0-5.el9.ppc64le.rpm wavpack-debugsource-5.4.0-5.el9.ppc64le.rpm wavpack-devel-5.4.0-5.el9.ppc64le.rpm
s390x: wavpack-debuginfo-5.4.0-5.el9.s390x.rpm wavpack-debugsource-5.4.0-5.el9.s390x.rpm wavpack-devel-5.4.0-5.el9.s390x.rpm
x86_64: wavpack-debuginfo-5.4.0-5.el9.i686.rpm wavpack-debuginfo-5.4.0-5.el9.x86_64.rpm wavpack-debugsource-5.4.0-5.el9.i686.rpm wavpack-debugsource-5.4.0-5.el9.x86_64.rpm wavpack-devel-5.4.0-5.el9.i686.rpm wavpack-devel-5.4.0-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44269
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhItzjgjWX9erEAQh4rw//T/3qfrWxxg1PShfJuA9TQRkGE0azG/Fl grImhuJxDG9tviXzfEMjd7yNhWtrd1hYPF4mQqr19Rz82KXCbl8QxaSYC58zxOVG j5TZnrLYMNp/z2fIFY317JnDXy63qBkIus6BnF9mywcFsA9cLw9+YjMW1+HPlttp zn6+iIklT2IGOHWcbKODPt1Xlm6EKSHn7CSTfJvaGqjWLoA9f6wzMcTJl4w/5Gr2 8RAJjc77F8g4hu/+AMR0e2UpU8YBO8xRpua0FqyB1GIkgAJgjcWOlhBZxzJ7dFA0 9zpxHSnZJGyRHOQ+2B6AtfEFIdosHoy33ZJI4fBavvrXY4o2gtLmIEbpp8CCyjE+ 8HW1ko8+q3TiJl3F6XBRMkw9/dt8uCPfm5lCHikQS2byUUDtNaC31ko8MsB5XP8Z Y9EZJio5LP9M0nhw1nRNjcRahvcL8dHyIQvxUJ5/AwON2SZXQpyw8WdkQ/eNJt/2 nZykA5uMLPE+qQ2R9FgQbOnTPdblZNgASdq3seM/w5rMMY3MA/xaK8xf1EkMkK84 vToalSoJ994bRPsgVy15oXQuazqG4FozOVs4lKp+whGPzkEY0EWxPXKd0qGOg3Ex lZC2eenbDie2olMcyeL/ykw8djM/OBhswM/1PO2th2bksMI8e3QhB3X0mSMluK6W Y1z0TX55584= =S0Wv
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q51skNZI30y1K9AQicnA/5AcVtuTerG/L3LZ/2x1kwd3CYJbTbBbQR Cx5WaGVH90giljVDSGgqkaYYOhIdThjup8DxkaUUhoIcZBEqMDsXt/Kyu2yeU9WZ 1uGwVqMwWuhD9ZlmwubQ6lxIsawiYA66c9We2e7Bz1vGPiZoI6B2Y4gvO7ixkB/h qyQUB8o2VZlMGLV2zK6Sw1DhawFFHSBQafC6ecjGEgGMRGl8dm1KqCi9D46ezex1 /Wl1WJHi/gieeHtA7e5E762XLO7DtMO8f9W8jYus/uQYv51fId4I3e+6lIU8huaW NEjIiWz1Z2Dc/Xn42EucTgjNZ87yVF9y6oASfrJ1Ps/eDsK7keJnTfLhKFZVfjVf f/fuTq2l/PO00l/Gma1fz5YhmyPtcNau+EZ04DO0Kh2QTPNcRywg80QCefxfATzB HXBbHROYuXGGUgq2thPCHRztLx9p2jwkZR2GcwQ4G4XHMv9Zh4aB34Zog7ztYKaQ Ye+zs9LeG7v+itirPGOm1ZH6XseQy4qOdi/2dswj6Xl8wZ+G9hgTiCMxXyF+LROk 7PqtevfI2uZ5U22izIMUAPV8RPfQ11QNiZZ0ApiQXwtrLGQnsi8mHFb7e55HEsmV mRbPOZStcqoRU8+V5T9wn2Ui1zx0IkQVUSs8JqSK/yMXjnMi3rM3Y3fr8nuFqq7G T0AMIozey2g= =yj+1
-----END PGP SIGNATURE-----
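Each bulletin on this page ends with the fixed package builds and a pointer to Red Hat's generic "how to apply this update" article, but gives no way to tell whether a host is already at or past the fixed build. The following is an added example written for this page, not Red Hat's or AusCERT's code: a C reimplementation of the ordering rpm applies to version and release strings (its rpmvercmp algorithm: digit runs compare as integers, letter runs lexically, digits outrank letters, "~" sorts lowest, "^" beats only end-of-string), plus a wrapper that splits a name-version-release string and answers "is the installed build older than the fixed one?". Assumptions: the input is the NVR as printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <name>` (no arch or .rpm suffix), package epochs are not handled, and the names rpmvercmp, nvr_split, needs_update and struct nvr are the example's own. The "installed" values in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* Compare two RPM version or release strings the way rpm's rpmvercmp() does:
 * walk both as alternating runs of digits and letters; digit runs compare as
 * integers (leading zeros ignored), letter runs compare lexically, a digit run
 * outranks a letter run, '~' sorts before anything (pre-release), and '^' sorts
 * after end-of-string but before everything else. Returns -1, 0 or 1. */
int rpmvercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0) return 0;
    char *sa = dup_str(a), *sb = dup_str(b);
    char *one = sa, *two = sb;
    int rc;
    for (;;) {
        /* skip separators such as '.', '-', '_' */
        while (*one && !isalnum((unsigned char)*one) && *one != '~' && *one != '^') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~' && *two != '^') two++;
        if (*one == '~' || *two == '~') {            /* tilde: lowest of all */
            if (*one != '~') { rc = 1; break; }
            if (*two != '~') { rc = -1; break; }
            one++; two++; continue;
        }
        if (*one == '^' || *two == '^') {            /* caret: beats only end-of-string */
            if (!*one) { rc = -1; break; }
            if (!*two) { rc = 1; break; }
            if (*one != '^') { rc = 1; break; }
            if (*two != '^') { rc = -1; break; }
            one++; two++; continue;
        }
        if (!*one || !*two) {                        /* at least one side exhausted */
            rc = (!*one && !*two) ? 0 : (!*one ? -1 : 1);
            break;
        }
        char *p = one, *q = two;                     /* isolate the next run on both sides */
        int isnum = isdigit((unsigned char)*p);
        if (isnum) { while (isdigit((unsigned char)*p)) p++; while (isdigit((unsigned char)*q)) q++; }
        else       { while (isalpha((unsigned char)*p)) p++; while (isalpha((unsigned char)*q)) q++; }
        char savep = *p, saveq = *q;
        *p = '\0'; *q = '\0';
        if (two == q) { rc = isnum ? 1 : -1; break; } /* run kinds differ: numeric wins */
        if (isnum) {
            while (*one == '0') one++;
            while (*two == '0') two++;
            size_t l1 = strlen(one), l2 = strlen(two);
            if (l1 != l2) { rc = l1 > l2 ? 1 : -1; break; }
        }
        rc = strcmp(one, two);
        if (rc) { rc = rc < 0 ? -1 : 1; break; }
        *p = savep; *q = saveq;                      /* equal run: continue after it */
        one = p; two = q;
    }
    free(sa); free(sb);
    return rc;
}

struct nvr { char name[96], version[48], release[48]; };

/* Split "name-version-release" at its last two dashes (the name itself may
 * contain dashes). 0 on success, -1 if the shape is wrong. Epoch is not
 * handled (assumption), and a trailing ".arch"/".rpm" must be stripped first. */
int nvr_split(const char *s, struct nvr *out)
{
    const char *r = strrchr(s, '-'), *v = NULL;
    if (!r) return -1;
    for (const char *c = s; c < r; c++) if (*c == '-') v = c;
    if (!v || v == s) return -1;
    size_t nl = (size_t)(v - s), vl = (size_t)(r - v - 1), rl = strlen(r + 1);
    if (!vl || !rl || nl >= sizeof out->name || vl >= sizeof out->version || rl >= sizeof out->release)
        return -1;
    memcpy(out->name, s, nl);        out->name[nl] = '\0';
    memcpy(out->version, v + 1, vl); out->version[vl] = '\0';
    memcpy(out->release, r + 1, rl); out->release[rl] = '\0';
    return 0;
}

/* 1 if `installed` is older than `fixed` (update needed), 0 if it is the same
 * or newer, -1 if either string does not parse or the package names differ. */
int needs_update(const char *installed, const char *fixed)
{
    struct nvr a, b;
    if (nvr_split(installed, &a) || nvr_split(fixed, &b) || strcmp(a.name, b.name)) return -1;
    int rc = rpmvercmp(a.version, b.version);
    if (rc == 0) rc = rpmvercmp(a.release, b.release);
    return rc < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed "installed" NVRs checked against fixed NVRs taken from the bulletins. */
    const char *pairs[][2] = {
        { "wavpack-5.4.0-4.el9", "wavpack-5.4.0-5.el9" },
        { "frr-8.2.2-4.el9", "frr-8.2.2-4.el9" },
        { "swtpm-0.7.0-2.20211109gitb79fd91.el9", "swtpm-0.7.0-3.20211109gitb79fd91.el9" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-40s needs_update=%d\n", pairs[i][0], needs_update(pairs[i][0], pairs[i][1]));
    return 0;
}
```

A result of 1 means the host is still on a build older than the one in the bulletin, 0 means the same or a newer build, and -1 means the strings did not parse or name different packages; that last case should be surfaced rather than silently treated as "fine". On a real host, rpmdev-vercmp from rpmdevtools or the rpm library gives the authoritative answer; the example exists to make the ordering rules visible, including the tilde and caret cases that naive string or float comparison gets wrong.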
16 November 2022

ESB-2022.5904 - [RedHat] ignition: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5904
            ignition security, bug fix, and enhancement update
                               16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ignition
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1706
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8126

Comment: CVSS (Max):  7.5 CVE-2022-1706 (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ignition security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8126-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8126
Issue date:        2022-11-15
CVE Names:         CVE-2022-1706
=====================================================================

1. Summary:

An update for ignition is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files (regular files, systemd units, etc.), and configuring users. On first boot, Ignition reads its configuration from a source of truth (remote URL, network metadata service, hypervisor bridge, etc.) and applies the configuration.

The following packages have been upgraded to a later upstream version: ignition (2.14.0). (BZ#2090647)

Security Fix(es):

* ignition: configs are accessible from unprivileged containers in VMs running on VMware products (CVE-2022-1706)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2066829 - Update to 2.13.0-2
2082274 - CVE-2022-1706 ignition: configs are accessible from unprivileged containers in VMs running on VMware products
2085130 - update spec file/man page to indicate Ignition is currently only supported on RHCOS
2090647 - Update Ignition to latest upstream version 2.14.0
2117606 - Enable ssh-key-dir in ignition on C9S

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source: ignition-2.14.0-1.el9.src.rpm
aarch64: ignition-2.14.0-1.el9.aarch64.rpm ignition-debuginfo-2.14.0-1.el9.aarch64.rpm ignition-debugsource-2.14.0-1.el9.aarch64.rpm ignition-validate-debuginfo-2.14.0-1.el9.aarch64.rpm
ppc64le: ignition-2.14.0-1.el9.ppc64le.rpm ignition-debuginfo-2.14.0-1.el9.ppc64le.rpm ignition-debugsource-2.14.0-1.el9.ppc64le.rpm ignition-validate-debuginfo-2.14.0-1.el9.ppc64le.rpm
s390x: ignition-2.14.0-1.el9.s390x.rpm ignition-debuginfo-2.14.0-1.el9.s390x.rpm ignition-debugsource-2.14.0-1.el9.s390x.rpm ignition-validate-debuginfo-2.14.0-1.el9.s390x.rpm
x86_64: ignition-2.14.0-1.el9.x86_64.rpm ignition-debuginfo-2.14.0-1.el9.x86_64.rpm ignition-debugsource-2.14.0-1.el9.x86_64.rpm ignition-validate-debuginfo-2.14.0-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1706
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhJdzjgjWX9erEAQj5DA//afrYtok46n53B1sQ+im37Kf+famdtKUs k1rbjBdYgSRDDBkut/9vGXVw52Ulf5aXVR1LbyVrnhCdbeEVTsiVZXlrnoMwj1vg pxQNdObR8iq75LB4QcLSla7Dsen4Ips+lGxok6DAeDrVo9b3zNnwaYfih8sREYZy gOOECfGNKUdtpYYIvOSDnzh2aNUKhyrRj2ahMDCcgIs93Ivg9jkCkXOaSb/4/aB6 TmDwmf6nq311sf6LSZk97UVlQlVk8NSLmnQHSxp7DPrQRrzaGun6C9E3819eSTvl /DDDaNT7A8FLb0z0i3QlLmagz29iuHXEAxBiuoTutGKLXymEaTijNFZmrO6mcA6Q NTEw7yUJljbfCQ6i6wRwr+8bRBedhWSEbHQWeXrxrkFVVty+FSZDmDAjk0G2nyaR eqEBzy8dga6cI8AnCrU+G/R3n/fj4u41Cm95f8vGQcQ1fYUvcfCw5iohAUtd2MOr eYw2t+gh6snTOmt81KJfcnpmNqK9t5Bn9cmOPaQrcA4BAwKouZad6aHedNoxLMTW M92KzdK2eRc9tPKzZUim1YwwbG1OD4KvQqdFHhfUTF3D6VJH1vVqLoyoChGY4EYk qoEzoFwRGUY0gHbjuy07h/1qr++lkkpEbY6ZkAnu42/QjdMoGWJFrEXxlBW4KMMm BRdawOhkw98= =4E1Y
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIUAwUBY3Q5yMkNZI30y1K9AQjwGw/3RUUFlwYucQv1Ui/TK+/o18jDJD3Xh8NX BGQSH8ppNQpXRcsXS17X8Di3MNYo1a/iA80Vmpva7ZHJ7jvMuOUc8BISPhlzKuUw 4Y+AgkRpgXxBGFQqqxzoUOoYv8RCxkBUoGcbXqh71MVvkARYhwpQPut2PFEy3s1P 7QwdxwG3Zz7KZhoRUYTM2DDoLrJYRiJ8fxgRGHxHMHJkP+nkqlx8kj/tmqWZ4IJ9 hQH/9RE9JxAjg10eAm616jsYjrC74tb6caUOrwBXbNKo3OQ16A5IwFTLM6AiUvFi E19epXCbaLB0o43KFnXEJozh7/TTv5Rz3lNbI8eufCks3cHhCFqNjacgsn2Pk7gp DgKxxlayFqPP71p0CMY+AbZr6UO7Rzhn9c+7kg0mlA1z21+YKNCtZd+SpD5PRsTu 8xktA5SwLR8W1k1XlnycJ5vKnsSIOyXXZmg8Lj49f6qNJVcfRDhsSx2Ttle9/vuB 4I8HMu8LdvGJF5TOg2aZUGaI6YaGIPLBifU3HlZMyioqzgzPTqdfyrkHhMvvpgN/ LIalaj+OgAwSFUhi/aIi5zmeHM32JjJXZU8S1IYQ6r4Z3kqJ7GYdTE0HPjyPMcqN VaHXmgTr9xt0B9xRhOrzPBoe0eXtP35XQ3dReBMDrDb9e93CDw0GAQUT+fmhDu6o bFcmtAk/Xw== =rvvU
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5903 - [RedHat] frr: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5903
               frr security, b­ug fix, and enhancement update
                               16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           frr
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26125
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8112

Comment: CVSS (Max):  7.8 CVE-2022-26125 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: frr security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8112-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8112
Issue date:        2022-11-15
CVE Names:         CVE-2022-26125
=====================================================================

1. Summary:

An update for frr is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.

The following packages have been upgraded to a later upstream version: frr (8.2.2). (BZ#2069563)

Security Fix(es):

* frrouting: overflow bugs in unpack_tlv_router_cap (CVE-2022-26125)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2058628 - CVE-2022-26125 frrouting: overflow bugs in unpack_tlv_router_cap
2069563 - [RFE] Rebase frr to more recent version
2081304 - Enhanced TMT testing for centos-stream
2095404 - [RFE] frr use systemd-sysusers

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source: frr-8.2.2-4.el9.src.rpm
aarch64: frr-8.2.2-4.el9.aarch64.rpm frr-debuginfo-8.2.2-4.el9.aarch64.rpm frr-debugsource-8.2.2-4.el9.aarch64.rpm
ppc64le: frr-8.2.2-4.el9.ppc64le.rpm frr-debuginfo-8.2.2-4.el9.ppc64le.rpm frr-debugsource-8.2.2-4.el9.ppc64le.rpm
s390x: frr-8.2.2-4.el9.s390x.rpm frr-debuginfo-8.2.2-4.el9.s390x.rpm frr-debugsource-8.2.2-4.el9.s390x.rpm
x86_64: frr-8.2.2-4.el9.x86_64.rpm frr-debuginfo-8.2.2-4.el9.x86_64.rpm frr-debugsource-8.2.2-4.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-26125
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMUNzjgjWX9erEAQjmRQ/8C+N9RcZ/p4xeChDLXCORo6PXc9PHXUar bO+6ce/DwTmDd9kCw7uqwCsxidxmz//+P3pUoX20y9R5Dwt4pICSjVwE5PlQiK/X YufPTCZyC39ARiFZUO7iWEYii7EIktd3Uw2Holn3fUbQX+4WjaMSZNeiFG4uvhd4 uLt7tF1JhIJpTRs1cFSMXKpqeuy+c02rl3HOnm7YfuCABhESawzBRVQpS490OA0x gWg3me0IT3jBQH9zw6y7zBuNFA9XH9122R2i3a+pnB0d2ScFjPYlBzxeoCTdBZxf it9Pjqhxq4bssINLlSJyY8ZCxrdcuBVJbJsoJIpTskvONmQxm0Jfl1WbbyuaW4J1 8YFKlwFGyNw0YvzFsrdO+LWhCulSE/4o2vixmr3gcR1EHx9TD43OlFwbBhSjvsR/ u5hKKvQbwOSkfmpQu6jsK8IR9oKo7h1W5aolXshCnrp47cJFXU9FEJALWVa49yHm VUrjibqUTYJkcKEz2wJM7iD+EAIGvEJkwtCRcYKXzEwy1iTReqIhirUsU+xG+Wy4 3osfjYX3ZTnDZC1EhO3drImrtP+CYdKYbd4/z3ZdO42wHh4d0I9G6DFlb37bFqHu OMmPjuzBtW+rELygJUww71rutWUfsqjzSMLzFLqK2aPc5DoKcAmWoD0/35sxirsX vLlY8OoHyn8= =yO13
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIUAwUBY3Q5gskNZI30y1K9AQhCag/3X8RGfsexFgpVeKpY4fNvHA+DnGa4gfnL 9aScToO9P8x+x+lNsWDsxibCSU6RD3wFymBfWUQduam2rB3OP4mdP1kUCIFPyIFI O5K7FQNHR44jBu+53FMu9yRWefqsRGxibHtkwifj+MLZQiFQ8FA7LFVICoPpBVRN 5ua0Mo36IX4RxKEGwS+hOkTj79zprTsGW0513r5hgRlpAdZJfYuWOW1J4NkBJxQJ n3OSDg9H8vjydWntQGPmegpLpyiZzruh/7/NTunroqSJUpIP7rGll4+BEUaSMxXl d5jetORpm/yHgt6Ocp0uaFAz958XwtMVJEROrrgykzdBcf+6QNyGF8eUiSTyaeX4 hYzJBdq9y5Wkta+l24cQ+Oe9VcCtoPgquwwW9fELDnSCk+HLYSnNKrhpE+LxKBa0 dTlTcEQPiS/A5RJ2Jrr6nwu7LWxqD19ubz9iorlEYlLx6YtqW0YnzSjEJRIHlAVo sEGIGytWFr00JufWKLBCU6wivoZm/cf/ibJtHXTxgrg2rAZJF2LMMiq56567lAuj RyiVT2xP9k4PMj5PPX7Pbk8zhLmuvOZ6dcFk1Ha5vGz+MEEH6uMU6q+7mpFVpLrG TcQPT7qB2cgvGsWIOsYcH+F77oYbTBB9ZLkAaVCY5FtVFUWRxlrLv/s3LeHk4k9C ZXRxgtikhg== =JHYb
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5902 - [RedHat] swtpm: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5902
                     swtpm security and bug fix update
                               16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           swtpm
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23645
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8100

Comment: CVSS (Max):  5.5 CVE-2022-23645 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: swtpm security and bug fix update
Advisory ID:       RHSA-2022:8100-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8100
Issue date:        2022-11-15
CVE Names:         CVE-2022-23645
=====================================================================

1. Summary:

An update for swtpm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs.

Security Fix(es):

* swtpm: Unchecked header size indicator against expected size (CVE-2022-23645)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size
2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source: swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm
aarch64: swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
s390x: swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
x86_64: swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23645
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMXtzjgjWX9erEAQgHDA/+OMR2sFGbdP6hED6vJ/mp7wcx8xDO2fcl lUsbNs1WXDZ8N0ZFoQNN/iqXOE4f3YtliWHcFQOcacIyTAyev8469r4lTRHK5+RV KcQOOvdvVeibxvjR1bQS5hMZET+FWxfcQawVkTZjse6Osef6I3GF7VD5QoSbDI2B Lgj9SdvshnG2goTyLpwE9ZFUIyUhWy1CVDEGOFoeLk1zkJFMerkWb/FeQa2yCOxZ hPx1d3NIOH6V+bYYRl1owf9SpS/DhQJ7sCsay3zwz8uzjqzSX3x2cnj1U1LgCQ66 RkP3T1CHY9uRd3T7WT0oAGj4uodtXjf8+64ZgNBKqtv/2Ls7aZciIvRb1xwNVGc2 fOTSdv3zRPBwoIlxRiCxuqr5kDj3+9b9rGu1xqkedEt+736XaBcQ6uD6gHjFS41R 2KWxQ/Db0DetUyZc99atVs9YcP5YPqI+XbQWNJaGPmLR3JaZ8JAQTNEQWAKMXQD/ EPnoPYY8sgmZGDnzZb04IcnYIfvzj3DLWm0JB3cORwawvL1SulFhoikEuJ9DEKPG uIhE1nwHfGUlMmIMAbk0dPzoDt80gZMr4nHlWfEUOwCUQrQw6O67Nr9JNd32bwAW T77tKs+HriSXYQ9isoaGFnlVsVH965tEte1pHna3YqNznR3GC6Hh072gfJXWf/qx XpYcV7g6aB0= =l7Di
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY3Q5ZckNZI30y1K9AQjOcw/8CA1Y2vLelmhv8fgdNQysCyCjBoCY7lFm 0cBaGBtoyn28taPoflONVYyXzxagyC/fgya4qRNEwL9p6GNsM6xcTHdt/wOSIlg8 c5dWaO50v6ltLGxyslPnygHqxEaE2dxnHVbsjEUf5jncaez3z07jxXItub8A/Ig/ 5PLGwGk/RTSAAc97KBjEkRiKf3fllTFsIOu5tTYDK8mBjy0ZUrelWvC62zr/o7lj g4o7fIYni77EeZlH59/nGYcs0OGLSWeXcCIFQnIeQyEzhlvXmHpX13krcRhyNE9v fJZ3MIF1HxKoTr7+KcTNN5ORJhD8Psgj4/XSGHGM4mf6MLJ3I4P1es2sVQIkwxoN 0xaKgoG+G9if9Rkh8Rm/JZXHRSHmOV0KUQLHh5WoCBoncgrNL0uQ9HZwRjAIVbg9 moVx8Ili1QNaNwKy9Hy7PX74vHlCpoOuEe5udqtwKVEWaV5sKsmW6ofLZ/eZZDuX hdPTGJKf01aBCwCqQXt8GsIwGUmFEkcHvXxEWQ5kMbEwScyZaGC75O3Wewo/9ug1 OWVFA5PPeBsRDjRgmzof4bZ2Pfl7PlfNJaPIBCfRbQ6LaWTC+dJ36epfTIXknW6a QWE3TLvWQE1qbGKq92/qPnmEqikwgit7nxVBjalKNDeLlT0CZd2yQyOaR7/KTK7e detSq8Yr+hg= =A+wv -----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5901 - [RedHat] toolbox: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5901
                    toolbox security and bug fix update
                               16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           toolbox
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-1705
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8098

Comment: CVSS (Max):  7.5 CVE-2022-30632 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: toolbox security and bug fix update
Advisory ID:       RHSA-2022:8098-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8098
Issue date:        2022-11-15
CVE Names:         CVE-2022-1705 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
=====================================================================

1. Summary:

An update for toolbox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI.

Security Fix(es):

* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2089194 - Bump the minimum required golang version to >= 1.17.7
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
toolbox-0.0.99.3-5.el9.src.rpm

aarch64:
toolbox-0.0.99.3-5.el9.aarch64.rpm
toolbox-debuginfo-0.0.99.3-5.el9.aarch64.rpm
toolbox-debugsource-0.0.99.3-5.el9.aarch64.rpm
toolbox-tests-0.0.99.3-5.el9.aarch64.rpm

ppc64le:
toolbox-0.0.99.3-5.el9.ppc64le.rpm
toolbox-debuginfo-0.0.99.3-5.el9.ppc64le.rpm
toolbox-debugsource-0.0.99.3-5.el9.ppc64le.rpm
toolbox-tests-0.0.99.3-5.el9.ppc64le.rpm

s390x:
toolbox-0.0.99.3-5.el9.s390x.rpm
toolbox-debuginfo-0.0.99.3-5.el9.s390x.rpm
toolbox-debugsource-0.0.99.3-5.el9.s390x.rpm
toolbox-tests-0.0.99.3-5.el9.s390x.rpm

x86_64:
toolbox-0.0.99.3-5.el9.x86_64.rpm
toolbox-debuginfo-0.0.99.3-5.el9.x86_64.rpm
toolbox-debugsource-0.0.99.3-5.el9.x86_64.rpm
toolbox-tests-0.0.99.3-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3Pgq9zjgjWX9erEAQjj5hAAqCDsxUqXw9MxioxE+bJB5z+fU0BuZC+S
wzdywnCL41PC1Sr6C1AuhtIvYWyOtyPrftUQ+YBMvuvlFmjpLGHPraJb7Z4Cz/b8
v+H1YfYoVKDEClKQe0qYmG9CNErUtpT2pVcbL8pyFbZ32DRK8sTljy6J0c+PNnp3
PK/4sxK/hFvcLwrFNSI48ZQdvEVZFJ5vChTYVBeH+lk1cljlWVbr5IfsL2cvfWiF
mvdawag3rqrGnCfccv9cTHDKdk+M6s0S4mOcv+j2g4SFAZoSCwL9C/Yatj3TdY2C
Ggiy/0+RZPovj/5E/5mlpkS2zjcaBjVFpasekQqlD0TUdzdupVxXOi4tgISG/sdi
eczyR27s6INXRFSjEAPB8vQUyvI5txUuJaWhLSvmSZKCFGGnjZFQOfHcP2To0elX
J4QbJ28Xt/9jlF55eRDtbe7cT4ycqEQ8ST6bsfc/8dmIH3sW9b2nZMVMiJ3mFvTl
YwLBBfyMddb0qdoSKC8c+1jrhcmPISkTHSwTNpxnRfWVq8Eu1obZLHi5gKNwcecU
XnpBb0w55JnVbjetk2K4jWfJ599miNQZqmG/z+apTUo3/y+SU7mNVxk5Mhh+e38M
UapTAG7H82+dZ2EJ+lcheonbrCmHzRTlTlFd8Gl35j7LlI15nEhh1r5+VPPz9NAv
P0UIrhkqit0=
=Qqov
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q5TskNZI30y1K9AQg1PA//bEaranBMk/QJ2QX0W0t4bbnlfRixO/ip
DJMrfzZ6STUEMqhd+h5jkV96QMJE06mxWAsmHdsknKu5Z42VUkxq67uGG5xxMxoR
vsVSsxXaha1WN2Y3v7T3DAZaHpFVpR4becry2l0BAhKodEl7C/cBMV6A8Y5NugQL
Q+pZGxxFh8AdzLPjUWWx8RzeZsCzyLKFeZX7dLFj8AKRYv0bEf9emybGlxn2O1XP
ulSaiMl6PM87mIKHB0F7YukEkYd1FQtKuOuYCtphHvxE0j6qjY2yJ9jwNKFo+GOt
NNOc4weJQLuBwOhJ2tmYl9rmS+G6wiJxVhlQYUNx/+BV5H12+Trp6fbL2k7ZLTuy
hcFr11UmDOHDeQg6ACYEPSxhXW3V/jC30tyoCK1zvjzTNtZDAUtVcHqzyAeAnShX
u/ghvrTkbg2PJ1VHTR787MMp6ECnWbIBKafSodfF7jsU3ZLehv7J8iTOLuXDg30F
GHbyQXx8WapGfq/5fDJWVXSQ97O7jd2Wa3Po7yhOEUdGxG1P9ww/UEsGjGNxpW7b
kASg25bkNggczF18P11Wi83tk/i/1BqwQM5JKiQvFjIqLHpqdPVSwdKhVyxkUeU2
LChtqJ07uZFew5ZR8+vlAzMEVatzJBYKzO2ESvp1CipmFhUB8CvFNt24gotp6Sil
a48TDp2eDGU=
=QKJb
-----END PGP SIGNATURE-----