AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Updated: 2 hours 43 minutes ago
ESB-2022.5920 - [RedHat] rsync: CVSS (Max): 7.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5920
rsync security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: rsync
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-37434
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8291
Comment: CVSS (Max): 7.0 CVE-2022-37434 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rsync security and bug fix update
Advisory ID: RHSA-2022:8291-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8291
Issue date: 2022-11-15
CVE Names: CVE-2022-37434
=====================================================================
1. Summary:
An update for rsync is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - noarch
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The rsync utility enables the users to copy and synchronize files locally
or across a network. Synchronization with rsync is fast because rsync only
sends the differences in files over the network instead of sending whole
files. The rsync utility is also used as a mirroring tool.
Security Fix(es):
* zlib: heap-based buffer over-read and overflow in inflate() in inflate.c
via a large gzip header extra field (CVE-2022-37434)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2053198 - rsync segmentation fault
2077431 - Read-only files that have changed xattrs fail to allow xattr changes [rhel-9]
2081296 - Enable fmf tests in centos stream
2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
noarch:
rsync-daemon-3.2.3-18.el9.noarch.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source:
rsync-3.2.3-18.el9.src.rpm
aarch64:
rsync-3.2.3-18.el9.aarch64.rpm
rsync-debuginfo-3.2.3-18.el9.aarch64.rpm
rsync-debugsource-3.2.3-18.el9.aarch64.rpm
ppc64le:
rsync-3.2.3-18.el9.ppc64le.rpm
rsync-debuginfo-3.2.3-18.el9.ppc64le.rpm
rsync-debugsource-3.2.3-18.el9.ppc64le.rpm
s390x:
rsync-3.2.3-18.el9.s390x.rpm
rsync-debuginfo-3.2.3-18.el9.s390x.rpm
rsync-debugsource-3.2.3-18.el9.s390x.rpm
x86_64:
rsync-3.2.3-18.el9.x86_64.rpm
rsync-debuginfo-3.2.3-18.el9.x86_64.rpm
rsync-debugsource-3.2.3-18.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5919 - [RedHat] kernel: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5919
kernel security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kernel
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-39190 CVE-2022-36946 CVE-2022-29901
CVE-2022-29900 CVE-2022-29581 CVE-2022-28893
CVE-2022-28390 CVE-2022-26373 CVE-2022-24448
CVE-2022-23825 CVE-2022-23816 CVE-2022-21499
CVE-2022-21166 CVE-2022-21125 CVE-2022-21123
CVE-2022-20368 CVE-2022-2639 CVE-2022-2586
CVE-2022-1998 CVE-2022-1852 CVE-2022-1679
CVE-2022-1353 CVE-2022-1280 CVE-2022-1184
CVE-2022-1048 CVE-2022-1016 CVE-2022-0854
CVE-2022-0617 CVE-2022-0168 CVE-2021-3640
CVE-2020-36516
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8267
Comment: CVSS (Max): 7.8 CVE-2022-29581 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: kernel security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8267-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8267
Issue date: 2022-11-15
CVE Names: CVE-2020-36516 CVE-2021-3640 CVE-2022-0168
CVE-2022-0617 CVE-2022-0854 CVE-2022-1016
CVE-2022-1048 CVE-2022-1184 CVE-2022-1280
CVE-2022-1353 CVE-2022-1679 CVE-2022-1852
CVE-2022-1998 CVE-2022-2586 CVE-2022-2639
CVE-2022-20368 CVE-2022-21123 CVE-2022-21125
CVE-2022-21166 CVE-2022-21499 CVE-2022-23816
CVE-2022-23825 CVE-2022-24448 CVE-2022-26373
CVE-2022-28390 CVE-2022-28893 CVE-2022-29581
CVE-2022-29900 CVE-2022-29901 CVE-2022-36946
CVE-2022-39190
=====================================================================
1. Summary:
An update for kernel is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es):
* off-path attacker may inject data or terminate victim's TCP session
(CVE-2020-36516)
* use-after-free vulnerability in function sco_sock_sendmsg()
(CVE-2021-3640)
* smb2_ioctl_query_info NULL pointer dereference (CVE-2022-0168)
* NULL pointer dereference in udf_expand_file_adinicbdue() during writeback
(CVE-2022-0617)
* swiotlb information leak with DMA_FROM_DEVICE (CVE-2022-0854)
* uninitialized registers on stack in nft_do_chain can cause kernel pointer
leakage to UM (CVE-2022-1016)
* race condition in snd_pcm_hw_free leading to use-after-free
(CVE-2022-1048)
* use-after-free and memory errors in ext4 when mounting and operating on a
corrupted image (CVE-2022-1184)
* concurrency use-after-free between drm_setmaster_ioctl and
drm_mode_getresources (CVE-2022-1280)
* kernel info leak issue in pfkey_register (CVE-2022-1353)
* use-after-free in ath9k_htc_probe_device() could cause an escalation of
privileges (CVE-2022-1679)
* NULL pointer dereference in x86_emulate_insn may lead to DoS
(CVE-2022-1852)
* fanotify misuses fd_install() which could lead to use-after-free
(CVE-2022-1998)
* nf_tables cross-table potential use-after-free may lead to local
privilege escalation (CVE-2022-2586)
* integer underflow leads to out-of-bounds write in reserve_sfa_size()
(CVE-2022-2639)
* slab-out-of-bounds access in packet_recvmsg() (CVE-2022-20368)
* incomplete clean-up of multi-core shared buffers (aka SBDR)
(CVE-2022-21123)
* incomplete clean-up of microarchitectural fill buffers (aka SBDS)
(CVE-2022-21125)
* incomplete clean-up in specific special register write operations (aka
DRPW) (CVE-2022-21166)
* possible to use the debugger to write zero into a location of choice
(CVE-2022-21499)
* AMD: RetBleed Arbitrary Speculative Code Execution with Return
Instructions (CVE-2022-23816, CVE-2022-29900)
* AMD: Branch Type Confusion (non-retbleed) (CVE-2022-23825)
* Intel: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)
* double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c
(CVE-2022-28390)
* use after free in SUNRPC subsystem (CVE-2022-28893)
* use-after-free due to improper update of reference count in
net/sched/cls_u32.c (CVE-2022-29581)
* Intel: RetBleed Arbitrary Speculative Code Execution with Return
Instructions (CVE-2022-29901)
* DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c (CVE-2022-36946)
* nf_tables disallow binding to already bound chain (CVE-2022-39190)
* nfs_atomic_open() returns uninitialized data instead of ENOTDIR
(CVE-2022-24448)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1905809 - [RHEL-9] WARNING: CPU: 0 PID: 13059 at fs/nfsd/nfs4proc.c:458 nfsd4_open+0x19c/0x4a0 [nfsd]
1951971 - [RFE] Bonding: add option ns_ipv6_target
1952053 - [RFE] Bonding: add link_watch.missed_max
1980646 - CVE-2021-3640 kernel: use-after-free vulnerability in function sco_sock_sendmsg()
2006399 - limited reexport support kernel documentation
2009423 - fs: dlm: dlm_callback_resume is too noisy
2025985 - Add acer_wireless.ko kernel module
2028370 - [xfstests/nfs generic/476] test never finishes
2037386 - CVE-2022-0168 kernel: smb2_ioctl_query_info NULL pointer dereference
2038794 - Backport futex_waitv() from Linux 5.16
2046624 - [Marvell 9.1 FEAT] update qedi driver to latest upstream
2051444 - CVE-2022-24448 kernel: nfs_atomic_open() returns uninitialized data instead of ENOTDIR
2052312 - CVE-2022-1998 kernel: fanotify misuses fd_install() which could lead to use-after-free
2053632 - CVE-2022-0617 kernel: NULL pointer dereference in udf_expand_file_adinicbdue() during writeback
2053991 - kernel build fails if CONFIG_RHEL_DIFFERENCES is "not set"
2054023 - vrf test fail in kselftest net:fcnal-test.sh
2058395 - CVE-2022-0854 kernel: swiotlb information leak with DMA_FROM_DEVICE
2059928 - CVE-2020-36516 kernel: off-path attacker may inject data or terminate victim's TCP session
2066297 - block layer: update to v5.17
2066614 - CVE-2022-1016 kernel: uninitialized registers on stack in nft_do_chain can cause kernel pointer leakage to UM
2066706 - CVE-2022-1048 kernel: race condition in snd_pcm_hw_free leading to use-after-free
2066819 - CVE-2022-1353 kernel: kernel info leak issue in pfkey_register
2070205 - CVE-2022-1184 kernel: use-after-free and memory errors in ext4 when mounting and operating on a corrupted image
2071022 - CVE-2022-1280 kernel: concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources
2073064 - CVE-2022-28390 kernel: double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c
2074208 - CVE-2022-28893 kernel: use after free in SUNRPC subsystem
2074315 - genirq/affinity: Consider that CPUs on nodes can be unbalanced
2076304 - VFIO refresh to v5.18
2083580 - RFE: backport minor fixes and cleanups from upstream (up to version 5.18-rc5)
2084125 - CVE-2022-1679 kernel: use-after-free in ath9k_htc_probe_device() could cause an escalation of privileges
2084183 - CVE-2022-21499 kernel: possible to use the debugger to write zero into a location of choice
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()
2088021 - CVE-2022-29581 kernel: use-after-free due to improper update of reference count in net/sched/cls_u32.c
2089815 - CVE-2022-1852 kernel: NULL pointer dereference in x86_emulate_insn may lead to DoS
2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions
2090237 - CVE-2022-21123 hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)
2090240 - CVE-2022-21125 hw: cpu: incomplete clean-up of microarchitectural fill buffers (aka SBDS)
2090241 - CVE-2022-21166 hw: cpu: incomplete clean-up in specific special register write operations (aka DRPW)
2094045 - mm: Fix stall observed when xfs calls alloc_pages_bulk_array()
2095275 - [RHEL-9] NFS - Fix "softreval" mount option
2100261 - backport audit iouring fix and audit_log_kern_module memleak fix from v5.18 and v5.19-rc3
2102319 - ipmitool sensor list command generates syslog errors on HP iLO 5
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)
2107360 - knfsd not always recalling delegations on contended access
2107589 - backport vsock commits for RHEL-9.1
2109349 - [bonding] bugfix update from v5.19
2110576 - RHEL-9 nfsd server post_wcc fixes - clients see increased revalidations
2111270 - netfilter: rebase conntrack to 5.19
2114878 - CVE-2022-2586 kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions
2115278 - CVE-2022-36946 kernel: DoS in nfqnl_mangle in net/netfilter/nfnetlink_queue.c
2123695 - CVE-2022-20368 kernel: net/packet: slab-out-of-bounds access in packet_recvmsg()
2129152 - CVE-2022-39190 kernel: nf_tables disallow binding to already bound chain
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-devel-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-devel-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-devel-matched-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-headers-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
perf-5.14.0-162.6.1.el9_1.aarch64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
noarch:
kernel-doc-5.14.0-162.6.1.el9_1.noarch.rpm
ppc64le:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-devel-matched-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-headers-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
perf-5.14.0-162.6.1.el9_1.ppc64le.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
s390x:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-devel-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-devel-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-headers-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-devel-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-devel-matched-5.14.0-162.6.1.el9_1.s390x.rpm
perf-5.14.0-162.6.1.el9_1.s390x.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
x86_64:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-devel-matched-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-headers-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
perf-5.14.0-162.6.1.el9_1.x86_64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source:
kernel-5.14.0-162.6.1.el9_1.src.rpm
aarch64:
bpftool-5.14.0-162.6.1.el9_1.aarch64.rpm
bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-core-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-core-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-modules-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-modules-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-modules-extra-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-libs-5.14.0-162.6.1.el9_1.aarch64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
python3-perf-5.14.0-162.6.1.el9_1.aarch64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
noarch:
kernel-abi-stablelists-5.14.0-162.6.1.el9_1.noarch.rpm
ppc64le:
bpftool-5.14.0-162.6.1.el9_1.ppc64le.rpm
bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-core-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-core-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-modules-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-modules-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-modules-extra-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-libs-5.14.0-162.6.1.el9_1.ppc64le.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
python3-perf-5.14.0-162.6.1.el9_1.ppc64le.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
s390x:
bpftool-5.14.0-162.6.1.el9_1.s390x.rpm
bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-core-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-core-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-modules-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-modules-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-tools-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-core-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-modules-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-modules-extra-5.14.0-162.6.1.el9_1.s390x.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
python3-perf-5.14.0-162.6.1.el9_1.s390x.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
x86_64:
bpftool-5.14.0-162.6.1.el9_1.x86_64.rpm
bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-core-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-core-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-modules-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-modules-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-modules-extra-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-libs-5.14.0-162.6.1.el9_1.x86_64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
python3-perf-5.14.0-162.6.1.el9_1.x86_64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-cross-headers-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-debuginfo-common-aarch64-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.aarch64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.aarch64.rpm
ppc64le:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-cross-headers-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-debuginfo-common-ppc64le-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.ppc64le.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.ppc64le.rpm
s390x:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-cross-headers-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-debuginfo-common-s390x-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
kernel-zfcpdump-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.s390x.rpm
x86_64:
bpftool-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-cross-headers-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debug-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-debuginfo-common-x86_64-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
kernel-tools-libs-devel-5.14.0-162.6.1.el9_1.x86_64.rpm
perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
python3-perf-debuginfo-5.14.0-162.6.1.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-36516
https://access.redhat.com/security/cve/CVE-2021-3640
https://access.redhat.com/security/cve/CVE-2022-0168
https://access.redhat.com/security/cve/CVE-2022-0617
https://access.redhat.com/security/cve/CVE-2022-0854
https://access.redhat.com/security/cve/CVE-2022-1016
https://access.redhat.com/security/cve/CVE-2022-1048
https://access.redhat.com/security/cve/CVE-2022-1184
https://access.redhat.com/security/cve/CVE-2022-1280
https://access.redhat.com/security/cve/CVE-2022-1353
https://access.redhat.com/security/cve/CVE-2022-1679
https://access.redhat.com/security/cve/CVE-2022-1852
https://access.redhat.com/security/cve/CVE-2022-1998
https://access.redhat.com/security/cve/CVE-2022-2586
https://access.redhat.com/security/cve/CVE-2022-2639
https://access.redhat.com/security/cve/CVE-2022-20368
https://access.redhat.com/security/cve/CVE-2022-21123
https://access.redhat.com/security/cve/CVE-2022-21125
https://access.redhat.com/security/cve/CVE-2022-21166
https://access.redhat.com/security/cve/CVE-2022-21499
https://access.redhat.com/security/cve/CVE-2022-23816
https://access.redhat.com/security/cve/CVE-2022-23825
https://access.redhat.com/security/cve/CVE-2022-24448
https://access.redhat.com/security/cve/CVE-2022-26373
https://access.redhat.com/security/cve/CVE-2022-28390
https://access.redhat.com/security/cve/CVE-2022-28893
https://access.redhat.com/security/cve/CVE-2022-29581
https://access.redhat.com/security/cve/CVE-2022-29900
https://access.redhat.com/security/cve/CVE-2022-29901
https://access.redhat.com/security/cve/CVE-2022-36946
https://access.redhat.com/security/cve/CVE-2022-39190
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
https://access.redhat.com/solutions/6971358
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.5918 - [RedHat] dpdk: CVSS (Max): 8.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5918
dpdk security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dpdk
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28199 CVE-2022-2132 CVE-2021-3839
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8263
Comment: CVSS (Max): 8.6 CVE-2022-2132 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: dpdk security and bug fix update
Advisory ID: RHSA-2022:8263-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8263
Issue date: 2022-11-15
CVE Names: CVE-2021-3839 CVE-2022-2132 CVE-2022-28199
=====================================================================
1. Summary:
An update for dpdk is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, x86_64
3. Description:
The dpdk packages provide the Data Plane Development Kit, which is a set of
libraries and drivers for fast packet processing in the user space.
Security Fix(es):
* dpdk: DoS when a Vhost header crosses more than two descriptors and
exhausts all mbufs (CVE-2022-2132)
* DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead
to crash (CVE-2021-3839)
* dpdk: error recovery in mlx5 driver not handled properly, allowing for
denial of service (CVE-2022-28199)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2025882 - CVE-2021-3839 DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash
2070583 - update dpdk spec file to use Epoch: 2 [rhel-9.1.0]
2099475 - CVE-2022-2132 dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs
2123549 - CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service
2126159 - [Rebase] Rebase to DPDK 21.11.2
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
dpdk-21.11.2-1.el9_1.src.rpm
aarch64:
dpdk-21.11.2-1.el9_1.aarch64.rpm
dpdk-debuginfo-21.11.2-1.el9_1.aarch64.rpm
dpdk-debugsource-21.11.2-1.el9_1.aarch64.rpm
dpdk-devel-21.11.2-1.el9_1.aarch64.rpm
dpdk-tools-21.11.2-1.el9_1.aarch64.rpm
noarch:
dpdk-doc-21.11.2-1.el9_1.noarch.rpm
ppc64le:
dpdk-21.11.2-1.el9_1.ppc64le.rpm
dpdk-debuginfo-21.11.2-1.el9_1.ppc64le.rpm
dpdk-debugsource-21.11.2-1.el9_1.ppc64le.rpm
dpdk-devel-21.11.2-1.el9_1.ppc64le.rpm
dpdk-tools-21.11.2-1.el9_1.ppc64le.rpm
x86_64:
dpdk-21.11.2-1.el9_1.x86_64.rpm
dpdk-debuginfo-21.11.2-1.el9_1.x86_64.rpm
dpdk-debugsource-21.11.2-1.el9_1.x86_64.rpm
dpdk-devel-21.11.2-1.el9_1.x86_64.rpm
dpdk-tools-21.11.2-1.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-3839
https://access.redhat.com/security/cve/CVE-2022-2132
https://access.redhat.com/security/cve/CVE-2022-28199
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5917 - [RedHat] yajl: CVSS (Max): 5.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5917
yajl security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: yajl
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24795
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8252
Comment: CVSS (Max): 5.9 CVE-2022-24795 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: yajl security update
Advisory ID: RHSA-2022:8252-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8252
Issue date: 2022-11-15
CVE Names: CVE-2022-24795
=====================================================================
1. Summary:
An update for yajl is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Yet Another JSON Library (YAJL) is a small event-driven (SAX-style) JSON
parser written in ANSI C, and a small validating JSON generator.
Security Fix(es):
* yajl: heap-based buffer overflow when handling large inputs due to an
integer overflow (CVE-2022-24795)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2072912 - CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
yajl-2.1.0-21.el9.src.rpm
aarch64:
yajl-2.1.0-21.el9.aarch64.rpm
yajl-debuginfo-2.1.0-21.el9.aarch64.rpm
yajl-debugsource-2.1.0-21.el9.aarch64.rpm
ppc64le:
yajl-2.1.0-21.el9.ppc64le.rpm
yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm
yajl-debugsource-2.1.0-21.el9.ppc64le.rpm
s390x:
yajl-2.1.0-21.el9.s390x.rpm
yajl-debuginfo-2.1.0-21.el9.s390x.rpm
yajl-debugsource-2.1.0-21.el9.s390x.rpm
x86_64:
yajl-2.1.0-21.el9.i686.rpm
yajl-2.1.0-21.el9.x86_64.rpm
yajl-debuginfo-2.1.0-21.el9.i686.rpm
yajl-debuginfo-2.1.0-21.el9.x86_64.rpm
yajl-debugsource-2.1.0-21.el9.i686.rpm
yajl-debugsource-2.1.0-21.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
yajl-debuginfo-2.1.0-21.el9.aarch64.rpm
yajl-debugsource-2.1.0-21.el9.aarch64.rpm
yajl-devel-2.1.0-21.el9.aarch64.rpm
ppc64le:
yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm
yajl-debugsource-2.1.0-21.el9.ppc64le.rpm
yajl-devel-2.1.0-21.el9.ppc64le.rpm
s390x:
yajl-debuginfo-2.1.0-21.el9.s390x.rpm
yajl-debugsource-2.1.0-21.el9.s390x.rpm
yajl-devel-2.1.0-21.el9.s390x.rpm
x86_64:
yajl-debuginfo-2.1.0-21.el9.i686.rpm
yajl-debuginfo-2.1.0-21.el9.x86_64.rpm
yajl-debugsource-2.1.0-21.el9.i686.rpm
yajl-debugsource-2.1.0-21.el9.x86_64.rpm
yajl-devel-2.1.0-21.el9.i686.rpm
yajl-devel-2.1.0-21.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-24795
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PgsdzjgjWX9erEAQhkcBAAlE0Cpp0ZXfHJMTZOXuYMAWD7quUUu3eQ
L6LQ3wmDf0o7sfpl5OyfIM3ptYVRSKOmc0vlphPdgiNB+WDtM3kxUhWFlm5GcTgR
qARr8HLjwukV52J9bp3obLzuj1UrgtiWkDTqAT9seIIHqULiUJGZEsDErGipQ1qV
R7F4ZQRZPUKIDSROhNOlN7wyCwNNS8WuqZiScmlrECs93BoOyhq4361aL2lcyzS6
tG/yiMzYMmAnU/6uDZrsAJDCPuahqvrkAoSW6rw98/inEcE9OaVMbvz7uxRszgsb
LsSEM4LZGkkVphHnXLRvVGwORgcIspdXup+5MYGG7MZmphDSQVLm2y/NW08zdwWM
DlKTNtCvyYlKfbqG8ALJRFGyCDlnh/PuNTcRrjt5WTcL6abqUs26igNNuTCG8BhV
n78z4RzNozGLipPnGNC9oRadrQUgJEeautqK6TGymyeNnaLi5PnmPM2lPmVXSF1t
liMuMZhUcyFcNrLkOn4IRlOaXdHh+RQdtK4Q2DcO8upZS2l7by8zSM3BVSwaJhTG
mKZfAv3rIwhwVAFdmORJ/JTAGRo9lUf7qkYP9wAIGVClY3Xn1coezD+nbeecPJUk
dojUkMdOma6MXs5bIRPXMofkRbnXJENdX1wefsXdr3GjAIf5PqF4Uybcgl4DCr9s
1yVv252cIxA=
=fC4O
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5916 - [RedHat] grafana-pcp: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5916
grafana-pcp security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: grafana-pcp
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-32148 CVE-2022-30635 CVE-2022-30632
CVE-2022-30631 CVE-2022-30630 CVE-2022-1705
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8250
Comment: CVSS (Max): 7.5 CVE-2022-30635 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: grafana-pcp security update
Advisory ID: RHSA-2022:8250-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8250
Issue date: 2022-11-15
CVE Names: CVE-2022-1705 CVE-2022-30630 CVE-2022-30631
CVE-2022-30632 CVE-2022-30635 CVE-2022-32148
=====================================================================
1. Summary:
An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The Grafana plugin for Performance Co-Pilot includes datasources for
scalable time series from pmseries and Redis, live PCP metrics and bpftrace
scripts from pmdabpftrace, as well as several dashboards.
Security Fix(es):
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
grafana-pcp-3.2.0-3.el9.src.rpm
aarch64:
grafana-pcp-3.2.0-3.el9.aarch64.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.aarch64.rpm
ppc64le:
grafana-pcp-3.2.0-3.el9.ppc64le.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.ppc64le.rpm
s390x:
grafana-pcp-3.2.0-3.el9.s390x.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.s390x.rpm
x86_64:
grafana-pcp-3.2.0-3.el9.x86_64.rpm
grafana-pcp-debuginfo-3.2.0-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5915 - [RedHat] python-lxml: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5915
python-lxml security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-lxml
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2309
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8226
Comment: CVSS (Max): 7.5 CVE-2022-2309 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python-lxml security update
Advisory ID: RHSA-2022:8226-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8226
Issue date: 2022-11-15
CVE Names: CVE-2022-2309
=====================================================================
1. Summary:
An update for python-lxml is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
lxml is an XML processing library providing access to libxml2 and libxslt
libraries using the Python ElementTree API.
Security Fix(es):
* lxml: NULL Pointer Dereference in lxml (CVE-2022-2309)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2107571 - CVE-2022-2309 lxml: NULL Pointer Dereference in lxml
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
python-lxml-4.6.5-3.el9.src.rpm
aarch64:
python-lxml-debugsource-4.6.5-3.el9.aarch64.rpm
python3-lxml-4.6.5-3.el9.aarch64.rpm
python3-lxml-debuginfo-4.6.5-3.el9.aarch64.rpm
ppc64le:
python-lxml-debugsource-4.6.5-3.el9.ppc64le.rpm
python3-lxml-4.6.5-3.el9.ppc64le.rpm
python3-lxml-debuginfo-4.6.5-3.el9.ppc64le.rpm
s390x:
python-lxml-debugsource-4.6.5-3.el9.s390x.rpm
python3-lxml-4.6.5-3.el9.s390x.rpm
python3-lxml-debuginfo-4.6.5-3.el9.s390x.rpm
x86_64:
python-lxml-debugsource-4.6.5-3.el9.x86_64.rpm
python3-lxml-4.6.5-3.el9.x86_64.rpm
python3-lxml-debuginfo-4.6.5-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-2309
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PhDNzjgjWX9erEAQjlqA/9Gfprwl5Hs1M5sacre9Gsnv8zwm0+zziU
v5klKoHju1UFNLlildG7y1Mlhx6lCKKbp0pIA2jxQVa9uKODAENXvAKiXSVQlvZC
lyml3XJ9ugDYxVc74IeEcHT2/whXUGFaY+zhwIgYqxwAnawN18z+qDnch+tOlXIK
3/4jVIghuLzuiv0K+FCeyu/cwwP4zuek4jH9RqXl5j+51qmNofZSl5/cN5zexKKV
aQy0aLPzwc+3gY336ZEFqw7VDve0Lej7xwdfCBeg4loEOQ4xHg/Nw3CSDumfnV90
kAmKihfRbkh9jSw4NbC6K9tTTxaDii/W222cNsKmH3cJjDu9Y4G+97eJlYK7knZu
4bvo8+IIyHUtCtnNnswvb4X8Hf16PHJqe6bPEK25Bw0QeZrIgG3rnbeILrKSo6Uh
B9cimKQTZ8FOPDXT0FeCXUVMGVFPEKwGA7eyBYwQvRBcaohYOkHBo1BCFmh7J7b8
t5wPtGl9eBRN/TU2f86q++IWD56Q3owzTmZU0QuN4hGSdkvkvWRhb6u3a8S93Cwv
ECvPK6AWyhBFJXuUAQJibrj9nE/9KZUiNRC7Jh0gQohKB4avJFuA5qRmt+wVMoDR
YIutKAgwuf79lhJfUzNd1iaBGUZQPdOQTZ0u0hZpxJO01Gxh1dkRsYRIVWupNFGd
HTIwyDnFPqw=
=poX3
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5914 - [RedHat] xorg-x11-server-Xwayland: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5914
xorg-x11-server-Xwayland security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xorg-x11-server-Xwayland
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2320 CVE-2022-2319
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8222
Comment: CVSS (Max): 7.8 CVE-2022-2320 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: xorg-x11-server-Xwayland security update
Advisory ID: RHSA-2022:8222-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8222
Issue date: 2022-11-15
CVE Names: CVE-2022-2319 CVE-2022-2320
=====================================================================
1. Summary:
An update for xorg-x11-server-Xwayland is now available for Red Hat
Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Xwayland is an X server for running X clients under Wayland.
Security Fix(es):
* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
(CVE-2022-2319)
* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request
handler of the Xkb extension (CVE-2022-2320)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2106671 - CVE-2022-2319 xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
2106683 - CVE-2022-2320 xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
xorg-x11-server-Xwayland-21.1.3-3.el9.src.rpm
aarch64:
xorg-x11-server-Xwayland-21.1.3-3.el9.aarch64.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.aarch64.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.aarch64.rpm
ppc64le:
xorg-x11-server-Xwayland-21.1.3-3.el9.ppc64le.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.ppc64le.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.ppc64le.rpm
s390x:
xorg-x11-server-Xwayland-21.1.3-3.el9.s390x.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.s390x.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.s390x.rpm
x86_64:
xorg-x11-server-Xwayland-21.1.3-3.el9.x86_64.rpm
xorg-x11-server-Xwayland-debuginfo-21.1.3-3.el9.x86_64.rpm
xorg-x11-server-Xwayland-debugsource-21.1.3-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-2319
https://access.redhat.com/security/cve/CVE-2022-2320
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY3RHZ8kNZI30y1K9AQjbrg//WJXQiHF2iG/XbT6W4NXMQ0eL5lZ0zPBj
lrbn9OIwKYLQgAYJrKaMWO/PbsLAhXEd4R5GXY9BI+UXaSQLdLrr72fzXiN/jE6f
vrgu1gQRX0oi/aYxsd4kmJbBjBa2gUoIlrMtPj1Y/MWV2+CGrwgaw6xckRZLwYAT
RO72V2O2OG9KSfe9ijA1HsW6Qq3EyVfOR6dhJmwuU/1k8FMUrAUGM/vFrNCZyX3d
z7MCS/8b4yH9NLwT6cx8zm5P2Uc1aVEnDDRZHU2ZNV3GV6Jiv11Ttzhjk1wL0yw6
/jKuGLv1fVah4hr/bKy+6+26D4N6pOP2P/siQuxNjPETkSXQWCtkTcM2ROqXdGzi
0yEH4FdvPIlWymsypzX7dZWOlAa/ENqtrQvsokyHdKpVgpq42fsoWLOlILU9nxAm
4XbJRf3tU3KQ3r0x8xRQ+Mq/QcjH+5KjHQkHCGYotwjmqplioTFrs3Vu3nNhO1OL
j12LGnK8lu4jum/Vc/ePfushv3d+WI3Sc9/I+mXCtgVZKcVmg7wtI0sydr2L5rZd
EowE5BrNyHF4CZurUviB66n89+3K1dstUIbFg0p7j3/RjmfSQ4VzjMT/zz65hTv1
DzDi4rmpwmTnqay5MOM0q5BZGLmAC5FCLitCkU+Y75G4sszk0A7IbCDoeZ3y1X3A
YlykbCsCRCA=
=bTIk
-----END PGP SIGNATURE-----
ESB-2022.5913 - [RedHat] xorg-x11-server: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5913
xorg-x11-server security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xorg-x11-server
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2320 CVE-2022-2319
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8221
Comment: CVSS (Max): 7.8 CVE-2022-2320 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: xorg-x11-server security and bug fix update
Advisory ID: RHSA-2022:8221-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8221
Issue date: 2022-11-15
CVE Names: CVE-2022-2319 CVE-2022-2320
=====================================================================
1. Summary:
An update for xorg-x11-server is now available for Red Hat Enterprise Linux
9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
X.Org is an open-source implementation of the X Window System. It provides
the basic low-level functionality that full-fledged graphical user
interfaces are designed upon.
Security Fix(es):
* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
(CVE-2022-2319)
* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request
handler of the Xkb extension (CVE-2022-2320)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2106671 - CVE-2022-2319 xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access
2106683 - CVE-2022-2320 xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension
2119807 - xorg-x11-server-source binary package missing from repository
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
xorg-x11-server-1.20.11-11.el9.src.rpm
aarch64:
xorg-x11-server-Xdmx-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-common-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.aarch64.rpm
ppc64le:
xorg-x11-server-Xdmx-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-common-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.ppc64le.rpm
s390x:
xorg-x11-server-Xdmx-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-common-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.s390x.rpm
x86_64:
xorg-x11-server-Xdmx-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-common-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.aarch64.rpm
xorg-x11-server-devel-1.20.11-11.el9.aarch64.rpm
noarch:
xorg-x11-server-source-1.20.11-11.el9.noarch.rpm
ppc64le:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.ppc64le.rpm
xorg-x11-server-devel-1.20.11-11.el9.ppc64le.rpm
s390x:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.s390x.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.s390x.rpm
xorg-x11-server-devel-1.20.11-11.el9.s390x.rpm
x86_64:
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xdmx-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xephyr-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xnest-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xorg-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-Xvfb-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.i686.rpm
xorg-x11-server-debuginfo-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.i686.rpm
xorg-x11-server-debugsource-1.20.11-11.el9.x86_64.rpm
xorg-x11-server-devel-1.20.11-11.el9.i686.rpm
xorg-x11-server-devel-1.20.11-11.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-2319
https://access.redhat.com/security/cve/CVE-2022-2320
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5912 - [RedHat] mutt: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5912
mutt security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mutt
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1328
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8219
Comment: CVSS (Max): 6.5 CVE-2022-1328 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: mutt security update
Advisory ID: RHSA-2022:8219-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8219
Issue date: 2022-11-15
CVE Names: CVE-2022-1328
=====================================================================
1. Summary:
An update for mutt is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Mutt is a low resource, highly configurable, text-based MIME e-mail client.
Mutt supports most e-mail storing formats, such as mbox and Maildir, as
well as most protocols, including POP3 and IMAP.
Security Fix(es):
* mutt: buffer overflow in uudecoder function (CVE-2022-1328)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2076058 - CVE-2022-1328 mutt: buffer overflow in uudecoder function
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
mutt-2.2.6-1.el9.src.rpm
aarch64:
mutt-2.2.6-1.el9.aarch64.rpm
mutt-debuginfo-2.2.6-1.el9.aarch64.rpm
mutt-debugsource-2.2.6-1.el9.aarch64.rpm
ppc64le:
mutt-2.2.6-1.el9.ppc64le.rpm
mutt-debuginfo-2.2.6-1.el9.ppc64le.rpm
mutt-debugsource-2.2.6-1.el9.ppc64le.rpm
s390x:
mutt-2.2.6-1.el9.s390x.rpm
mutt-debuginfo-2.2.6-1.el9.s390x.rpm
mutt-debugsource-2.2.6-1.el9.s390x.rpm
x86_64:
mutt-2.2.6-1.el9.x86_64.rpm
mutt-debuginfo-2.2.6-1.el9.x86_64.rpm
mutt-debugsource-2.2.6-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1328
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5911 - [RedHat] dovecot: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5911
dovecot security and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dovecot
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30550
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8208
Comment: CVSS (Max): 6.8 CVE-2022-30550 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dovecot security and enhancement update
Advisory ID: RHSA-2022:8208-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8208
Issue date: 2022-11-15
CVE Names: CVE-2022-30550
=====================================================================
1. Summary:
An update for dovecot is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Dovecot is an IMAP server for Linux and other UNIX-like systems, written
primarily with security in mind. It also contains a small POP3 server, and
supports e-mail in either the maildir or mbox format. The SQL drivers and
authentication plug-ins are provided as subpackages.
Security Fix(es):
* dovecot: Privilege escalation when similar master and non-master passdbs
are used (CVE-2022-30550)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2053368 - installing dovecot-pgsql via kickstart fails on Error in POSTIN scriptlet
2095399 - [RFE] dovecot use systemd-sysusers
2105070 - CVE-2022-30550 dovecot: Privilege escalation when similar master and non-master passdbs are used
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
dovecot-2.3.16-7.el9.src.rpm
aarch64:
dovecot-2.3.16-7.el9.aarch64.rpm
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm
dovecot-mysql-2.3.16-7.el9.aarch64.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-pgsql-2.3.16-7.el9.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-pigeonhole-2.3.16-7.el9.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm
ppc64le:
dovecot-2.3.16-7.el9.ppc64le.rpm
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm
dovecot-mysql-2.3.16-7.el9.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-pgsql-2.3.16-7.el9.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-pigeonhole-2.3.16-7.el9.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm
s390x:
dovecot-2.3.16-7.el9.s390x.rpm
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-debugsource-2.3.16-7.el9.s390x.rpm
dovecot-mysql-2.3.16-7.el9.s390x.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-pgsql-2.3.16-7.el9.s390x.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-pigeonhole-2.3.16-7.el9.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm
x86_64:
dovecot-2.3.16-7.el9.x86_64.rpm
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm
dovecot-mysql-2.3.16-7.el9.x86_64.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-pgsql-2.3.16-7.el9.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-pigeonhole-2.3.16-7.el9.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm
dovecot-devel-2.3.16-7.el9.aarch64.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm
ppc64le:
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm
dovecot-devel-2.3.16-7.el9.ppc64le.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm
s390x:
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-debugsource-2.3.16-7.el9.s390x.rpm
dovecot-devel-2.3.16-7.el9.s390x.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm
x86_64:
dovecot-2.3.16-7.el9.i686.rpm
dovecot-debuginfo-2.3.16-7.el9.i686.rpm
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-debugsource-2.3.16-7.el9.i686.rpm
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm
dovecot-devel-2.3.16-7.el9.i686.rpm
dovecot-devel-2.3.16-7.el9.x86_64.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.i686.rpm
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.i686.rpm
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.i686.rpm
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-30550
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5910 - [RedHat] openjpeg2: CVSS (Max): 5.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5910
openjpeg2 security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openjpeg2
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1122
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8207
Comment: CVSS (Max): 5.1 CVE-2022-1122 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: openjpeg2 security update
Advisory ID: RHSA-2022:8207-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8207
Issue date: 2022-11-15
CVE Names: CVE-2022-1122
=====================================================================
1. Summary:
An update for openjpeg2 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
OpenJPEG is an open source library for reading and writing image files in
JPEG2000 format.
Security Fix(es):
* openjpeg: segmentation fault in opj2_decompress due to uninitialized
pointer (CVE-2022-1122)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2067052 - CVE-2022-1122 openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
openjpeg2-2.4.0-7.el9.src.rpm
aarch64:
openjpeg2-2.4.0-7.el9.aarch64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm
ppc64le:
openjpeg2-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm
s390x:
openjpeg2-2.4.0-7.el9.s390x.rpm
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm
x86_64:
openjpeg2-2.4.0-7.el9.i686.rpm
openjpeg2-2.4.0-7.el9.x86_64.rpm
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
openjpeg2-debuginfo-2.4.0-7.el9.aarch64.rpm
openjpeg2-debugsource-2.4.0-7.el9.aarch64.rpm
openjpeg2-devel-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-2.4.0-7.el9.aarch64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.aarch64.rpm
ppc64le:
openjpeg2-debuginfo-2.4.0-7.el9.ppc64le.rpm
openjpeg2-debugsource-2.4.0-7.el9.ppc64le.rpm
openjpeg2-devel-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-2.4.0-7.el9.ppc64le.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.ppc64le.rpm
s390x:
openjpeg2-debuginfo-2.4.0-7.el9.s390x.rpm
openjpeg2-debugsource-2.4.0-7.el9.s390x.rpm
openjpeg2-devel-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-2.4.0-7.el9.s390x.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.s390x.rpm
x86_64:
openjpeg2-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-debuginfo-2.4.0-7.el9.x86_64.rpm
openjpeg2-debugsource-2.4.0-7.el9.i686.rpm
openjpeg2-debugsource-2.4.0-7.el9.x86_64.rpm
openjpeg2-devel-2.4.0-7.el9.i686.rpm
openjpeg2-devel-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-2.4.0-7.el9.i686.rpm
openjpeg2-tools-2.4.0-7.el9.x86_64.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.i686.rpm
openjpeg2-tools-debuginfo-2.4.0-7.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5909 - [RedHat] php: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5909
php security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: php
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-31625 CVE-2021-21708
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8197
Comment: CVSS (Max): 9.8 CVE-2021-21708 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: php security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8197-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8197
Issue date: 2022-11-15
CVE Names: CVE-2021-21708 CVE-2022-31625
=====================================================================
1. Summary:
An update for php is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
The following packages have been upgraded to a later upstream version: php
(8.0.20). (BZ#2095752)
Security Fix(es):
* php: Use after free due to php_filter_float() failing for ints
(CVE-2021-21708)
* php: Uninitialized array in pg_query_params() leading to RCE
(CVE-2022-31625)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2055879 - CVE-2021-21708 php: Use after free due to php_filter_float() failing for ints
2095447 - php-fpm has an odd Requires
2095752 - Rebase to 8.0.20
2098521 - CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE
2104630 - PHP 8 snmp3 Calls Using authPriv or authNoPriv Immediately Return False Without Error Message
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
php-8.0.20-3.el9.src.rpm
aarch64:
php-8.0.20-3.el9.aarch64.rpm
php-bcmath-8.0.20-3.el9.aarch64.rpm
php-bcmath-debuginfo-8.0.20-3.el9.aarch64.rpm
php-cli-8.0.20-3.el9.aarch64.rpm
php-cli-debuginfo-8.0.20-3.el9.aarch64.rpm
php-common-8.0.20-3.el9.aarch64.rpm
php-common-debuginfo-8.0.20-3.el9.aarch64.rpm
php-dba-8.0.20-3.el9.aarch64.rpm
php-dba-debuginfo-8.0.20-3.el9.aarch64.rpm
php-dbg-8.0.20-3.el9.aarch64.rpm
php-dbg-debuginfo-8.0.20-3.el9.aarch64.rpm
php-debuginfo-8.0.20-3.el9.aarch64.rpm
php-debugsource-8.0.20-3.el9.aarch64.rpm
php-devel-8.0.20-3.el9.aarch64.rpm
php-embedded-8.0.20-3.el9.aarch64.rpm
php-embedded-debuginfo-8.0.20-3.el9.aarch64.rpm
php-enchant-8.0.20-3.el9.aarch64.rpm
php-enchant-debuginfo-8.0.20-3.el9.aarch64.rpm
php-ffi-8.0.20-3.el9.aarch64.rpm
php-ffi-debuginfo-8.0.20-3.el9.aarch64.rpm
php-fpm-8.0.20-3.el9.aarch64.rpm
php-fpm-debuginfo-8.0.20-3.el9.aarch64.rpm
php-gd-8.0.20-3.el9.aarch64.rpm
php-gd-debuginfo-8.0.20-3.el9.aarch64.rpm
php-gmp-8.0.20-3.el9.aarch64.rpm
php-gmp-debuginfo-8.0.20-3.el9.aarch64.rpm
php-intl-8.0.20-3.el9.aarch64.rpm
php-intl-debuginfo-8.0.20-3.el9.aarch64.rpm
php-ldap-8.0.20-3.el9.aarch64.rpm
php-ldap-debuginfo-8.0.20-3.el9.aarch64.rpm
php-mbstring-8.0.20-3.el9.aarch64.rpm
php-mbstring-debuginfo-8.0.20-3.el9.aarch64.rpm
php-mysqlnd-8.0.20-3.el9.aarch64.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.aarch64.rpm
php-odbc-8.0.20-3.el9.aarch64.rpm
php-odbc-debuginfo-8.0.20-3.el9.aarch64.rpm
php-opcache-8.0.20-3.el9.aarch64.rpm
php-opcache-debuginfo-8.0.20-3.el9.aarch64.rpm
php-pdo-8.0.20-3.el9.aarch64.rpm
php-pdo-debuginfo-8.0.20-3.el9.aarch64.rpm
php-pgsql-8.0.20-3.el9.aarch64.rpm
php-pgsql-debuginfo-8.0.20-3.el9.aarch64.rpm
php-process-8.0.20-3.el9.aarch64.rpm
php-process-debuginfo-8.0.20-3.el9.aarch64.rpm
php-snmp-8.0.20-3.el9.aarch64.rpm
php-snmp-debuginfo-8.0.20-3.el9.aarch64.rpm
php-soap-8.0.20-3.el9.aarch64.rpm
php-soap-debuginfo-8.0.20-3.el9.aarch64.rpm
php-xml-8.0.20-3.el9.aarch64.rpm
php-xml-debuginfo-8.0.20-3.el9.aarch64.rpm
ppc64le:
php-8.0.20-3.el9.ppc64le.rpm
php-bcmath-8.0.20-3.el9.ppc64le.rpm
php-bcmath-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-cli-8.0.20-3.el9.ppc64le.rpm
php-cli-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-common-8.0.20-3.el9.ppc64le.rpm
php-common-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-dba-8.0.20-3.el9.ppc64le.rpm
php-dba-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-dbg-8.0.20-3.el9.ppc64le.rpm
php-dbg-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-debugsource-8.0.20-3.el9.ppc64le.rpm
php-devel-8.0.20-3.el9.ppc64le.rpm
php-embedded-8.0.20-3.el9.ppc64le.rpm
php-embedded-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-enchant-8.0.20-3.el9.ppc64le.rpm
php-enchant-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-ffi-8.0.20-3.el9.ppc64le.rpm
php-ffi-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-fpm-8.0.20-3.el9.ppc64le.rpm
php-fpm-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-gd-8.0.20-3.el9.ppc64le.rpm
php-gd-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-gmp-8.0.20-3.el9.ppc64le.rpm
php-gmp-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-intl-8.0.20-3.el9.ppc64le.rpm
php-intl-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-ldap-8.0.20-3.el9.ppc64le.rpm
php-ldap-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-mbstring-8.0.20-3.el9.ppc64le.rpm
php-mbstring-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-mysqlnd-8.0.20-3.el9.ppc64le.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-odbc-8.0.20-3.el9.ppc64le.rpm
php-odbc-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-opcache-8.0.20-3.el9.ppc64le.rpm
php-opcache-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-pdo-8.0.20-3.el9.ppc64le.rpm
php-pdo-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-pgsql-8.0.20-3.el9.ppc64le.rpm
php-pgsql-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-process-8.0.20-3.el9.ppc64le.rpm
php-process-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-snmp-8.0.20-3.el9.ppc64le.rpm
php-snmp-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-soap-8.0.20-3.el9.ppc64le.rpm
php-soap-debuginfo-8.0.20-3.el9.ppc64le.rpm
php-xml-8.0.20-3.el9.ppc64le.rpm
php-xml-debuginfo-8.0.20-3.el9.ppc64le.rpm
s390x:
php-8.0.20-3.el9.s390x.rpm
php-bcmath-8.0.20-3.el9.s390x.rpm
php-bcmath-debuginfo-8.0.20-3.el9.s390x.rpm
php-cli-8.0.20-3.el9.s390x.rpm
php-cli-debuginfo-8.0.20-3.el9.s390x.rpm
php-common-8.0.20-3.el9.s390x.rpm
php-common-debuginfo-8.0.20-3.el9.s390x.rpm
php-dba-8.0.20-3.el9.s390x.rpm
php-dba-debuginfo-8.0.20-3.el9.s390x.rpm
php-dbg-8.0.20-3.el9.s390x.rpm
php-dbg-debuginfo-8.0.20-3.el9.s390x.rpm
php-debuginfo-8.0.20-3.el9.s390x.rpm
php-debugsource-8.0.20-3.el9.s390x.rpm
php-devel-8.0.20-3.el9.s390x.rpm
php-embedded-8.0.20-3.el9.s390x.rpm
php-embedded-debuginfo-8.0.20-3.el9.s390x.rpm
php-enchant-8.0.20-3.el9.s390x.rpm
php-enchant-debuginfo-8.0.20-3.el9.s390x.rpm
php-ffi-8.0.20-3.el9.s390x.rpm
php-ffi-debuginfo-8.0.20-3.el9.s390x.rpm
php-fpm-8.0.20-3.el9.s390x.rpm
php-fpm-debuginfo-8.0.20-3.el9.s390x.rpm
php-gd-8.0.20-3.el9.s390x.rpm
php-gd-debuginfo-8.0.20-3.el9.s390x.rpm
php-gmp-8.0.20-3.el9.s390x.rpm
php-gmp-debuginfo-8.0.20-3.el9.s390x.rpm
php-intl-8.0.20-3.el9.s390x.rpm
php-intl-debuginfo-8.0.20-3.el9.s390x.rpm
php-ldap-8.0.20-3.el9.s390x.rpm
php-ldap-debuginfo-8.0.20-3.el9.s390x.rpm
php-mbstring-8.0.20-3.el9.s390x.rpm
php-mbstring-debuginfo-8.0.20-3.el9.s390x.rpm
php-mysqlnd-8.0.20-3.el9.s390x.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.s390x.rpm
php-odbc-8.0.20-3.el9.s390x.rpm
php-odbc-debuginfo-8.0.20-3.el9.s390x.rpm
php-opcache-8.0.20-3.el9.s390x.rpm
php-opcache-debuginfo-8.0.20-3.el9.s390x.rpm
php-pdo-8.0.20-3.el9.s390x.rpm
php-pdo-debuginfo-8.0.20-3.el9.s390x.rpm
php-pgsql-8.0.20-3.el9.s390x.rpm
php-pgsql-debuginfo-8.0.20-3.el9.s390x.rpm
php-process-8.0.20-3.el9.s390x.rpm
php-process-debuginfo-8.0.20-3.el9.s390x.rpm
php-snmp-8.0.20-3.el9.s390x.rpm
php-snmp-debuginfo-8.0.20-3.el9.s390x.rpm
php-soap-8.0.20-3.el9.s390x.rpm
php-soap-debuginfo-8.0.20-3.el9.s390x.rpm
php-xml-8.0.20-3.el9.s390x.rpm
php-xml-debuginfo-8.0.20-3.el9.s390x.rpm
x86_64:
php-8.0.20-3.el9.x86_64.rpm
php-bcmath-8.0.20-3.el9.x86_64.rpm
php-bcmath-debuginfo-8.0.20-3.el9.x86_64.rpm
php-cli-8.0.20-3.el9.x86_64.rpm
php-cli-debuginfo-8.0.20-3.el9.x86_64.rpm
php-common-8.0.20-3.el9.x86_64.rpm
php-common-debuginfo-8.0.20-3.el9.x86_64.rpm
php-dba-8.0.20-3.el9.x86_64.rpm
php-dba-debuginfo-8.0.20-3.el9.x86_64.rpm
php-dbg-8.0.20-3.el9.x86_64.rpm
php-dbg-debuginfo-8.0.20-3.el9.x86_64.rpm
php-debuginfo-8.0.20-3.el9.x86_64.rpm
php-debugsource-8.0.20-3.el9.x86_64.rpm
php-devel-8.0.20-3.el9.x86_64.rpm
php-embedded-8.0.20-3.el9.x86_64.rpm
php-embedded-debuginfo-8.0.20-3.el9.x86_64.rpm
php-enchant-8.0.20-3.el9.x86_64.rpm
php-enchant-debuginfo-8.0.20-3.el9.x86_64.rpm
php-ffi-8.0.20-3.el9.x86_64.rpm
php-ffi-debuginfo-8.0.20-3.el9.x86_64.rpm
php-fpm-8.0.20-3.el9.x86_64.rpm
php-fpm-debuginfo-8.0.20-3.el9.x86_64.rpm
php-gd-8.0.20-3.el9.x86_64.rpm
php-gd-debuginfo-8.0.20-3.el9.x86_64.rpm
php-gmp-8.0.20-3.el9.x86_64.rpm
php-gmp-debuginfo-8.0.20-3.el9.x86_64.rpm
php-intl-8.0.20-3.el9.x86_64.rpm
php-intl-debuginfo-8.0.20-3.el9.x86_64.rpm
php-ldap-8.0.20-3.el9.x86_64.rpm
php-ldap-debuginfo-8.0.20-3.el9.x86_64.rpm
php-mbstring-8.0.20-3.el9.x86_64.rpm
php-mbstring-debuginfo-8.0.20-3.el9.x86_64.rpm
php-mysqlnd-8.0.20-3.el9.x86_64.rpm
php-mysqlnd-debuginfo-8.0.20-3.el9.x86_64.rpm
php-odbc-8.0.20-3.el9.x86_64.rpm
php-odbc-debuginfo-8.0.20-3.el9.x86_64.rpm
php-opcache-8.0.20-3.el9.x86_64.rpm
php-opcache-debuginfo-8.0.20-3.el9.x86_64.rpm
php-pdo-8.0.20-3.el9.x86_64.rpm
php-pdo-debuginfo-8.0.20-3.el9.x86_64.rpm
php-pgsql-8.0.20-3.el9.x86_64.rpm
php-pgsql-debuginfo-8.0.20-3.el9.x86_64.rpm
php-process-8.0.20-3.el9.x86_64.rpm
php-process-debuginfo-8.0.20-3.el9.x86_64.rpm
php-snmp-8.0.20-3.el9.x86_64.rpm
php-snmp-debuginfo-8.0.20-3.el9.x86_64.rpm
php-soap-8.0.20-3.el9.x86_64.rpm
php-soap-debuginfo-8.0.20-3.el9.x86_64.rpm
php-xml-8.0.20-3.el9.x86_64.rpm
php-xml-debuginfo-8.0.20-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-21708
https://access.redhat.com/security/cve/CVE-2022-31625
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5908 - [RedHat] libtiff: CVSS (Max): 6.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5908
libtiff security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libtiff
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22844 CVE-2022-1355 CVE-2022-1354 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-0891 CVE-2022-0865 CVE-2022-0562 CVE-2022-0561
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8194
Comment: CVSS (Max): 6.6 CVE-2022-1355 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libtiff security update
Advisory ID: RHSA-2022:8194-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8194
Issue date: 2022-11-15
CVE Names: CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1354 CVE-2022-1355 CVE-2022-22844
=====================================================================
1. Summary:
An update for libtiff is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The libtiff packages contain a library of functions for manipulating Tagged
Image File Format (TIFF) files.
Security Fix(es):
* libtiff: Denial of Service via crafted TIFF file (CVE-2022-0561)
* libtiff: Null source pointer lead to Denial of Service via crafted TIFF
file (CVE-2022-0562)
* libtiff: reachable assertion (CVE-2022-0865)
* libtiff: Out-of-bounds Read error in tiffcp (CVE-2022-0924)
* libtiff: stack-buffer-overflow in tiffcp.c in main() (CVE-2022-1355)
* libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c
(CVE-2022-22844)
* libtiff: heap buffer overflow in extractImageSection (CVE-2022-0891)
* tiff: Null source pointer passed as an argument to memcpy in
TIFFFetchNormalTag() in tif_dirread.c (CVE-2022-0908)
* tiff: Divide By Zero error in tiffcrop (CVE-2022-0909)
* libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c
(CVE-2022-1354)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running applications linked against libtiff must be restarted for this
update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2042603 - CVE-2022-22844 libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c
2054494 - CVE-2022-0561 libtiff: Denial of Service via crafted TIFF file
2054495 - CVE-2022-0562 libtiff: Null source pointer lead to Denial of Service via crafted TIFF file
2064145 - CVE-2022-0908 tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c
2064146 - CVE-2022-0909 tiff: Divide By Zero error in tiffcrop
2064148 - CVE-2022-0924 libtiff: Out-of-bounds Read error in tiffcp
2064406 - CVE-2022-0865 libtiff: reachable assertion
2064411 - CVE-2022-0891 libtiff: heap buffer overflow in extractImageSection
2074404 - CVE-2022-1354 libtiff: heap-buffer-overflow in TIFFReadRawDataStriped() in tiffinfo.c
2074415 - CVE-2022-1355 libtiff: stack-buffer-overflow in tiffcp.c in main()
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
libtiff-4.4.0-2.el9.src.rpm
aarch64:
libtiff-4.4.0-2.el9.aarch64.rpm
libtiff-debuginfo-4.4.0-2.el9.aarch64.rpm
libtiff-debugsource-4.4.0-2.el9.aarch64.rpm
libtiff-devel-4.4.0-2.el9.aarch64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.aarch64.rpm
ppc64le:
libtiff-4.4.0-2.el9.ppc64le.rpm
libtiff-debuginfo-4.4.0-2.el9.ppc64le.rpm
libtiff-debugsource-4.4.0-2.el9.ppc64le.rpm
libtiff-devel-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.ppc64le.rpm
s390x:
libtiff-4.4.0-2.el9.s390x.rpm
libtiff-debuginfo-4.4.0-2.el9.s390x.rpm
libtiff-debugsource-4.4.0-2.el9.s390x.rpm
libtiff-devel-4.4.0-2.el9.s390x.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.s390x.rpm
x86_64:
libtiff-4.4.0-2.el9.i686.rpm
libtiff-4.4.0-2.el9.x86_64.rpm
libtiff-debuginfo-4.4.0-2.el9.i686.rpm
libtiff-debuginfo-4.4.0-2.el9.x86_64.rpm
libtiff-debugsource-4.4.0-2.el9.i686.rpm
libtiff-debugsource-4.4.0-2.el9.x86_64.rpm
libtiff-devel-4.4.0-2.el9.i686.rpm
libtiff-devel-4.4.0-2.el9.x86_64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.i686.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
libtiff-debuginfo-4.4.0-2.el9.aarch64.rpm
libtiff-debugsource-4.4.0-2.el9.aarch64.rpm
libtiff-tools-4.4.0-2.el9.aarch64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.aarch64.rpm
ppc64le:
libtiff-debuginfo-4.4.0-2.el9.ppc64le.rpm
libtiff-debugsource-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-4.4.0-2.el9.ppc64le.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.ppc64le.rpm
s390x:
libtiff-debuginfo-4.4.0-2.el9.s390x.rpm
libtiff-debugsource-4.4.0-2.el9.s390x.rpm
libtiff-tools-4.4.0-2.el9.s390x.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.s390x.rpm
x86_64:
libtiff-debuginfo-4.4.0-2.el9.x86_64.rpm
libtiff-debugsource-4.4.0-2.el9.x86_64.rpm
libtiff-tools-4.4.0-2.el9.x86_64.rpm
libtiff-tools-debuginfo-4.4.0-2.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1354
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5907 - [RedHat] 389-ds-base: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5907
389-ds-base security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: 389-ds-base
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2850 CVE-2022-0996 CVE-2022-0918
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8162
Comment: CVSS (Max): 7.5 CVE-2022-0918 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: 389-ds-base security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8162-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8162
Issue date: 2022-11-15
CVE Names: CVE-2022-0918 CVE-2022-0996 CVE-2022-2850
=====================================================================
1. Summary:
An update for 389-ds-base is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.
The following packages have been upgraded to a later upstream version:
389-ds-base (2.1.3). (BZ#2061801)
Security Fix(es):
* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)
* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)
* 389-ds-base: expired password was still allowed to access the database
(CVE-2022-0996)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, the 389 server service will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
1872451 - [RFE] 389ds: run as non-root
2052527 - RFE - Provide an option to abort an Auto Member rebuild task.
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS
2057056 - Import may break the replication because changelog starting csn may not be created
2057063 - Add support for recursively deleting subentries
2061801 - Rebase 389-ds-base in RHEL 9.1
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database
2100337 - dsconf backend export userroot fails ldap.DECODING_ERROR
2100572 - Versions for RHDS 9.1 do not match in dirsrv logs and output from rpm -qa
2115348 - memory leak with filter optimizer
2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
389-ds-base-2.1.3-4.el9_1.src.rpm
aarch64:
389-ds-base-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.aarch64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.aarch64.rpm
noarch:
python3-lib389-2.1.3-4.el9_1.noarch.rpm
ppc64le:
389-ds-base-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.ppc64le.rpm
s390x:
389-ds-base-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-2.1.3-4.el9_1.s390x.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.s390x.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.s390x.rpm
x86_64:
389-ds-base-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-debugsource-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.x86_64.rpm
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-0918
https://access.redhat.com/security/cve/CVE-2022-0996
https://access.redhat.com/security/cve/CVE-2022-2850
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PhHNzjgjWX9erEAQi3Lw/+Kp2fj71Eme7k3P5fYZon8pjEsHOaHuSz
FOTmU3hGViBe60UcUoyoERl2nbodmQ0yxozY4wz6H+TMHiTq1yj3LdiUQuZmOZMS
+BUBzSR24iyPaXbLoa1+NwSm2+QnQuD8Ch5E4YwNJNRcRIYP2yaVJdcNi7RLU0I7
aADq56AI4QX1D+0c1tSkybVTbgEpnNzABrvaapwD1eNwsVWaFJd46CZaf9WGt3ht
irr6PYHnyvoirvJndRsuuLgW2vJxhvI/6PQtOgM0SMyWWiIschFLlkelrjVsdQIH
f9J3Rk5kRCN7Kd9hKDIghsitB0ilod8gxvhyio6UzB9acbXj+a55J1nEjo2oalR8
psXHcFRemMiPTMEh/W68PdbhifTcxa85Z4H/iVtEDgpIugJ5+B0j0+hdnzm3dncT
IHsJVSayNuUqY04gpUhVsvEmzhVFogx9APJZmz4PhIaoGByX9Oti1t9IsqNENUVn
l0n8u4h3Az4eo4l6/PKaF3DrIVLXzuC5HXvU4NOW4VsW4aM7tfVIlDUDxr8FUhUE
8AKp+AThKmW2vFNTP9bnUNXQSMnKRFclO99w/f2SB+PjSb4IJzpIQ/QokXRQ8I2z
CUsrBtF1HQfwHPPV1fU2NvnLmtDEcxFX0kGgU11BaVSgoRpqrUpNPHmnQp9FpQUb
6ZLiLQ+itcM=
=dmbn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5906 - [RedHat] poppler: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5906
poppler security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: poppler
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27337
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8151
Comment: CVSS (Max): 6.5 CVE-2022-27337 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: poppler security and bug fix update
Advisory ID: RHSA-2022:8151-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8151
Issue date: 2022-11-15
CVE Names: CVE-2022-27337
=====================================================================
1. Summary:
An update for poppler is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Poppler is a Portable Document Format (PDF) rendering library, used by
applications such as Evince.
Security Fix(es):
* poppler: A logic error in the Hints::Hints function can cause denial of
service (CVE-2022-27337)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2087190 - CVE-2022-27337 poppler: A logic error in the Hints::Hints function can cause denial of service
2096451 - [RHEL9] Please put poppler-qt5 in AppStream
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
poppler-21.01.0-13.el9.src.rpm
aarch64:
poppler-21.01.0-13.el9.aarch64.rpm
poppler-cpp-21.01.0-13.el9.aarch64.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debugsource-21.01.0-13.el9.aarch64.rpm
poppler-glib-21.01.0-13.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-qt5-21.01.0-13.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-utils-21.01.0-13.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.aarch64.rpm
ppc64le:
poppler-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debugsource-21.01.0-13.el9.ppc64le.rpm
poppler-glib-21.01.0-13.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-utils-21.01.0-13.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-13.el9.ppc64le.rpm
s390x:
poppler-21.01.0-13.el9.s390x.rpm
poppler-cpp-21.01.0-13.el9.s390x.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debugsource-21.01.0-13.el9.s390x.rpm
poppler-glib-21.01.0-13.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-qt5-21.01.0-13.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-utils-21.01.0-13.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-13.el9.s390x.rpm
x86_64:
poppler-21.01.0-13.el9.i686.rpm
poppler-21.01.0-13.el9.x86_64.rpm
poppler-cpp-21.01.0-13.el9.i686.rpm
poppler-cpp-21.01.0-13.el9.x86_64.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debuginfo-21.01.0-13.el9.i686.rpm
poppler-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debugsource-21.01.0-13.el9.i686.rpm
poppler-debugsource-21.01.0-13.el9.x86_64.rpm
poppler-glib-21.01.0-13.el9.i686.rpm
poppler-glib-21.01.0-13.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-qt5-21.01.0-13.el9.i686.rpm
poppler-qt5-21.01.0-13.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-utils-21.01.0-13.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-13.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
poppler-cpp-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-cpp-devel-21.01.0-13.el9.aarch64.rpm
poppler-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-debugsource-21.01.0-13.el9.aarch64.rpm
poppler-devel-21.01.0-13.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-glib-devel-21.01.0-13.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.aarch64.rpm
poppler-qt5-devel-21.01.0-13.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.aarch64.rpm
ppc64le:
poppler-cpp-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-cpp-devel-21.01.0-13.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-debugsource-21.01.0-13.el9.ppc64le.rpm
poppler-devel-21.01.0-13.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-glib-devel-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.ppc64le.rpm
poppler-qt5-devel-21.01.0-13.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-13.el9.ppc64le.rpm
s390x:
poppler-cpp-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-cpp-devel-21.01.0-13.el9.s390x.rpm
poppler-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-debugsource-21.01.0-13.el9.s390x.rpm
poppler-devel-21.01.0-13.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-glib-devel-21.01.0-13.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.s390x.rpm
poppler-qt5-devel-21.01.0-13.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-13.el9.s390x.rpm
x86_64:
poppler-cpp-debuginfo-21.01.0-13.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-cpp-devel-21.01.0-13.el9.i686.rpm
poppler-cpp-devel-21.01.0-13.el9.x86_64.rpm
poppler-debuginfo-21.01.0-13.el9.i686.rpm
poppler-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-debugsource-21.01.0-13.el9.i686.rpm
poppler-debugsource-21.01.0-13.el9.x86_64.rpm
poppler-devel-21.01.0-13.el9.i686.rpm
poppler-devel-21.01.0-13.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-13.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-glib-devel-21.01.0-13.el9.i686.rpm
poppler-glib-devel-21.01.0-13.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-13.el9.x86_64.rpm
poppler-qt5-devel-21.01.0-13.el9.i686.rpm
poppler-qt5-devel-21.01.0-13.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-13.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-13.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-27337
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PhH9zjgjWX9erEAQjWGRAAhUuUc5u3CnCdu5+VKXNaY2dmM/dz642a
hopSsiheysGrpG+Ig12YXI6L6k0Y6TtsrR3yV+lKfyv2diwSeuoK5M9QhYFdkpNm
wyCOQGhSp1H1tKSf5zCWaSsittXWSe39Jzd3mKZMncMyDd5uRPO/U0IEM3E1dYEB
M7mv4uNV663JQkV4K7+TYJRM8K+tX8LhcF/ylzVeWMltbYfX5IitV9PxNlutgL5p
z7aL5Vhf3uflLdV9WGrIGiqjN6zXvnB81mM2EtwaMCEC8smTzkC9EKE8/En1uoYo
g5om5KMmnYJIdOntARcQDp06GDgnXBGwTo52/+b4ZIWfd+1zrVtOM03z13/wobmw
8A1Ft4GfBlSDwE1EC1gT+AEsXazgjg44r1tBeAEhQVZqglNKZ03CQAQcS0XDgLgZ
SN3CyYx6qpHvymBHqgLXNqjDSZdlwZVrhYO+svWoSRdTYqXcgANbELPdPxZCalQM
cAf+pGZUzfR6SDPaBJG3aHvLWwyaVFQIbxV1VoYE1qk8C4Cimfl3uZ3x9CXgIDmS
Dr6lkfoYQHfbJ6CWvbnqyqYjqwr0nK3+iACDpkzUQliUxdtJNEna6G5k8LNnkWUd
C5yNjTZtmOwRv5pzh9gpSTKj7YZyaV0dM3M4pIY1kLVC6EcGgUb3W8wYMKXAJxOB
RGQS7WFqspo=
=prNt
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5905 - [RedHat] wavpack: CVSS (Max): 3.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5905
wavpack security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: wavpack
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-44269
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8139
Comment: CVSS (Max): 3.5 CVE-2021-44269 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: wavpack security update
Advisory ID: RHSA-2022:8139-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8139
Issue date: 2022-11-15
CVE Names: CVE-2021-44269
=====================================================================
1. Summary:
An update for wavpack is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
WavPack is a completely open audio compression format providing lossless,
high-quality lossy, and a unique hybrid compression mode.
Security Fix(es):
* wavpack: Heap out-of-bounds read in WavpackPackSamples() (CVE-2021-44269)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2064457 - CVE-2021-44269 wavpack: Heap out-of-bounds read in WavpackPackSamples()
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
wavpack-5.4.0-5.el9.src.rpm
aarch64:
wavpack-5.4.0-5.el9.aarch64.rpm
wavpack-debuginfo-5.4.0-5.el9.aarch64.rpm
wavpack-debugsource-5.4.0-5.el9.aarch64.rpm
ppc64le:
wavpack-5.4.0-5.el9.ppc64le.rpm
wavpack-debuginfo-5.4.0-5.el9.ppc64le.rpm
wavpack-debugsource-5.4.0-5.el9.ppc64le.rpm
s390x:
wavpack-5.4.0-5.el9.s390x.rpm
wavpack-debuginfo-5.4.0-5.el9.s390x.rpm
wavpack-debugsource-5.4.0-5.el9.s390x.rpm
x86_64:
wavpack-5.4.0-5.el9.i686.rpm
wavpack-5.4.0-5.el9.x86_64.rpm
wavpack-debuginfo-5.4.0-5.el9.i686.rpm
wavpack-debuginfo-5.4.0-5.el9.x86_64.rpm
wavpack-debugsource-5.4.0-5.el9.i686.rpm
wavpack-debugsource-5.4.0-5.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
wavpack-debuginfo-5.4.0-5.el9.aarch64.rpm
wavpack-debugsource-5.4.0-5.el9.aarch64.rpm
wavpack-devel-5.4.0-5.el9.aarch64.rpm
ppc64le:
wavpack-debuginfo-5.4.0-5.el9.ppc64le.rpm
wavpack-debugsource-5.4.0-5.el9.ppc64le.rpm
wavpack-devel-5.4.0-5.el9.ppc64le.rpm
s390x:
wavpack-debuginfo-5.4.0-5.el9.s390x.rpm
wavpack-debugsource-5.4.0-5.el9.s390x.rpm
wavpack-devel-5.4.0-5.el9.s390x.rpm
x86_64:
wavpack-debuginfo-5.4.0-5.el9.i686.rpm
wavpack-debuginfo-5.4.0-5.el9.x86_64.rpm
wavpack-debugsource-5.4.0-5.el9.i686.rpm
wavpack-debugsource-5.4.0-5.el9.x86_64.rpm
wavpack-devel-5.4.0-5.el9.i686.rpm
wavpack-devel-5.4.0-5.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-44269
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PhItzjgjWX9erEAQh4rw//T/3qfrWxxg1PShfJuA9TQRkGE0azG/Fl
grImhuJxDG9tviXzfEMjd7yNhWtrd1hYPF4mQqr19Rz82KXCbl8QxaSYC58zxOVG
j5TZnrLYMNp/z2fIFY317JnDXy63qBkIus6BnF9mywcFsA9cLw9+YjMW1+HPlttp
zn6+iIklT2IGOHWcbKODPt1Xlm6EKSHn7CSTfJvaGqjWLoA9f6wzMcTJl4w/5Gr2
8RAJjc77F8g4hu/+AMR0e2UpU8YBO8xRpua0FqyB1GIkgAJgjcWOlhBZxzJ7dFA0
9zpxHSnZJGyRHOQ+2B6AtfEFIdosHoy33ZJI4fBavvrXY4o2gtLmIEbpp8CCyjE+
8HW1ko8+q3TiJl3F6XBRMkw9/dt8uCPfm5lCHikQS2byUUDtNaC31ko8MsB5XP8Z
Y9EZJio5LP9M0nhw1nRNjcRahvcL8dHyIQvxUJ5/AwON2SZXQpyw8WdkQ/eNJt/2
nZykA5uMLPE+qQ2R9FgQbOnTPdblZNgASdq3seM/w5rMMY3MA/xaK8xf1EkMkK84
vToalSoJ994bRPsgVy15oXQuazqG4FozOVs4lKp+whGPzkEY0EWxPXKd0qGOg3Ex
lZC2eenbDie2olMcyeL/ykw8djM/OBhswM/1PO2th2bksMI8e3QhB3X0mSMluK6W
Y1z0TX55584=
=S0Wv
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5904 - [RedHat] ignition: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5904
ignition security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ignition
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1706
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8126
Comment: CVSS (Max): 7.5 CVE-2022-1706 (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ignition security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8126-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8126
Issue date: 2022-11-15
CVE Names: CVE-2022-1706
=====================================================================
1. Summary:
An update for ignition is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Ignition is a utility used to manipulate systems during the initramfs. This
includes partitioning disks, formatting partitions, writing files (regular
files, systemd units, etc.), and configuring users. On first boot, Ignition
reads its configuration from a source of truth (remote URL, network
metadata service, hypervisor bridge, etc.) and applies the configuration.
The following packages have been upgraded to a later upstream version:
ignition (2.14.0). (BZ#2090647)
Security Fix(es):
* ignition: configs are accessible from unprivileged containers in VMs
running on VMware products (CVE-2022-1706)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2066829 - Update to 2.13.0-2
2082274 - CVE-2022-1706 ignition: configs are accessible from unprivileged containers in VMs running on VMware products
2085130 - update spec file/man page to indicate Ignition is currently only supported on RHCOS
2090647 - Update Ignition to latest upstream version 2.14.0
2117606 - Enable ssh-key-dir in ignition on C9S
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
ignition-2.14.0-1.el9.src.rpm
aarch64:
ignition-2.14.0-1.el9.aarch64.rpm
ignition-debuginfo-2.14.0-1.el9.aarch64.rpm
ignition-debugsource-2.14.0-1.el9.aarch64.rpm
ignition-validate-debuginfo-2.14.0-1.el9.aarch64.rpm
ppc64le:
ignition-2.14.0-1.el9.ppc64le.rpm
ignition-debuginfo-2.14.0-1.el9.ppc64le.rpm
ignition-debugsource-2.14.0-1.el9.ppc64le.rpm
ignition-validate-debuginfo-2.14.0-1.el9.ppc64le.rpm
s390x:
ignition-2.14.0-1.el9.s390x.rpm
ignition-debuginfo-2.14.0-1.el9.s390x.rpm
ignition-debugsource-2.14.0-1.el9.s390x.rpm
ignition-validate-debuginfo-2.14.0-1.el9.s390x.rpm
x86_64:
ignition-2.14.0-1.el9.x86_64.rpm
ignition-debuginfo-2.14.0-1.el9.x86_64.rpm
ignition-debugsource-2.14.0-1.el9.x86_64.rpm
ignition-validate-debuginfo-2.14.0-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1706
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5903 - [RedHat] frr: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5903
frr security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: frr
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-26125
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8112
Comment: CVSS (Max): 7.8 CVE-2022-26125 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: frr security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8112-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8112
Issue date: 2022-11-15
CVE Names: CVE-2022-26125
=====================================================================
1. Summary:
An update for frr is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
FRRouting is free software that manages TCP/IP based routing protocols. It
supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and
BFD.
The following packages have been upgraded to a later upstream version: frr
(8.2.2). (BZ#2069563)
Security Fix(es):
* frrouting: overflow bugs in unpack_tlv_router_cap (CVE-2022-26125)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2058628 - CVE-2022-26125 frrouting: overflow bugs in unpack_tlv_router_cap
2069563 - [RFE] Rebase frr to more recent version
2081304 - Enhanced TMT testing for centos-stream
2095404 - [RFE] frr use systemd-sysusers
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
frr-8.2.2-4.el9.src.rpm
aarch64:
frr-8.2.2-4.el9.aarch64.rpm
frr-debuginfo-8.2.2-4.el9.aarch64.rpm
frr-debugsource-8.2.2-4.el9.aarch64.rpm
ppc64le:
frr-8.2.2-4.el9.ppc64le.rpm
frr-debuginfo-8.2.2-4.el9.ppc64le.rpm
frr-debugsource-8.2.2-4.el9.ppc64le.rpm
s390x:
frr-8.2.2-4.el9.s390x.rpm
frr-debuginfo-8.2.2-4.el9.s390x.rpm
frr-debugsource-8.2.2-4.el9.s390x.rpm
x86_64:
frr-8.2.2-4.el9.x86_64.rpm
frr-debuginfo-8.2.2-4.el9.x86_64.rpm
frr-debugsource-8.2.2-4.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-26125
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5902 - [RedHat] swtpm: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5902
swtpm security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: swtpm
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23645
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8100
Comment: CVSS (Max): 5.5 CVE-2022-23645 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: swtpm security and bug fix update
Advisory ID: RHSA-2022:8100-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8100
Issue date: 2022-11-15
CVE Names: CVE-2022-23645
=====================================================================
1. Summary:
An update for swtpm is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64
3. Description:
SWTPM is a TPM emulator built on libtpms providing TPM functionality for
QEMU VMs.
Security Fix(es):
* swtpm: Unchecked header size indicator against expected size
(CVE-2022-23645)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size
2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm
aarch64:
swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm
s390x:
swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm
x86_64:
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-23645
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5901 - [RedHat] toolbox: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5901
toolbox security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: toolbox
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-1705
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8098
Comment: CVSS (Max): 7.5 CVE-2022-30632 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: toolbox security and bug fix update
Advisory ID: RHSA-2022:8098-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8098
Issue date: 2022-11-15
CVE Names: CVE-2022-1705 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
=====================================================================
1. Summary:
An update for toolbox is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Toolbox is a tool for Linux operating systems, which allows the use of
containerized command line environments. It is built on top of Podman and
other standard container technologies from OCI.
Security Fix(es):
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2089194 - Bump the minimum required golang version to >= 1.17.7
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
toolbox-0.0.99.3-5.el9.src.rpm
aarch64:
toolbox-0.0.99.3-5.el9.aarch64.rpm
toolbox-debuginfo-0.0.99.3-5.el9.aarch64.rpm
toolbox-debugsource-0.0.99.3-5.el9.aarch64.rpm
toolbox-tests-0.0.99.3-5.el9.aarch64.rpm
ppc64le:
toolbox-0.0.99.3-5.el9.ppc64le.rpm
toolbox-debuginfo-0.0.99.3-5.el9.ppc64le.rpm
toolbox-debugsource-0.0.99.3-5.el9.ppc64le.rpm
toolbox-tests-0.0.99.3-5.el9.ppc64le.rpm
s390x:
toolbox-0.0.99.3-5.el9.s390x.rpm
toolbox-debuginfo-0.0.99.3-5.el9.s390x.rpm
toolbox-debugsource-0.0.99.3-5.el9.s390x.rpm
toolbox-tests-0.0.99.3-5.el9.s390x.rpm
x86_64:
toolbox-0.0.99.3-5.el9.x86_64.rpm
toolbox-debuginfo-0.0.99.3-5.el9.x86_64.rpm
toolbox-debugsource-0.0.99.3-5.el9.x86_64.rpm
toolbox-tests-0.0.99.3-5.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----