AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Updated: 2 hours 43 minutes ago
ESB-2022.5900 - [RedHat] redis: CVSS (Max): 3.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5900
redis security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: redis
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24736 CVE-2022-24735
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8096
Comment: CVSS (Max): 3.9 CVE-2022-24735 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: redis security and bug fix update
Advisory ID: RHSA-2022:8096-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8096
Issue date: 2022-11-15
CVE Names: CVE-2022-24735 CVE-2022-24736
=====================================================================
1. Summary:
An update for redis is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
Redis is an advanced key-value store. It is often referred to as a
data-structure server since keys can contain strings, hashes, lists, sets,
and sorted sets. For performance, Redis works with an in-memory data set.
You can persist it either by dumping the data set to disk every once in a
while, or by appending each command to a log.
Security Fix(es):
* redis: Code injection via Lua script execution environment
(CVE-2022-24735)
* redis: Malformed Lua script can crash Redis (CVE-2022-24736)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2080286 - CVE-2022-24735 redis: Code injection via Lua script execution environment
2080289 - CVE-2022-24736 redis: Malformed Lua script can crash Redis
2083151 - Rebase to 6.2.7
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
redis-6.2.7-1.el9.src.rpm
aarch64:
redis-6.2.7-1.el9.aarch64.rpm
redis-debuginfo-6.2.7-1.el9.aarch64.rpm
redis-debugsource-6.2.7-1.el9.aarch64.rpm
redis-devel-6.2.7-1.el9.aarch64.rpm
noarch:
redis-doc-6.2.7-1.el9.noarch.rpm
ppc64le:
redis-6.2.7-1.el9.ppc64le.rpm
redis-debuginfo-6.2.7-1.el9.ppc64le.rpm
redis-debugsource-6.2.7-1.el9.ppc64le.rpm
redis-devel-6.2.7-1.el9.ppc64le.rpm
s390x:
redis-6.2.7-1.el9.s390x.rpm
redis-debuginfo-6.2.7-1.el9.s390x.rpm
redis-debugsource-6.2.7-1.el9.s390x.rpm
redis-devel-6.2.7-1.el9.s390x.rpm
x86_64:
redis-6.2.7-1.el9.x86_64.rpm
redis-debuginfo-6.2.7-1.el9.i686.rpm
redis-debuginfo-6.2.7-1.el9.x86_64.rpm
redis-debugsource-6.2.7-1.el9.i686.rpm
redis-debugsource-6.2.7-1.el9.x86_64.rpm
redis-devel-6.2.7-1.el9.i686.rpm
redis-devel-6.2.7-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-24735
https://access.redhat.com/security/cve/CVE-2022-24736
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
ESB-2022.5899 - [RedHat] runc: CVSS (Max): 5.6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5899
runc security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: runc
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-29162
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8090
Comment: CVSS (Max): 5.6 CVE-2022-29162 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: runc security update
Advisory ID: RHSA-2022:8090-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8090
Issue date: 2022-11-15
CVE Names: CVE-2022-29162
=====================================================================
1. Summary:
An update for runc is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The runC tool is a lightweight, portable implementation of the Open
Container Format (OCF) that provides a container runtime.
Security Fix(es):
* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2086398 - CVE-2022-29162 runc: incorrect handling of inheritable capabilities
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
runc-1.1.4-1.el9.src.rpm
aarch64:
runc-1.1.4-1.el9.aarch64.rpm
runc-debuginfo-1.1.4-1.el9.aarch64.rpm
runc-debugsource-1.1.4-1.el9.aarch64.rpm
ppc64le:
runc-1.1.4-1.el9.ppc64le.rpm
runc-debuginfo-1.1.4-1.el9.ppc64le.rpm
runc-debugsource-1.1.4-1.el9.ppc64le.rpm
s390x:
runc-1.1.4-1.el9.s390x.rpm
runc-debuginfo-1.1.4-1.el9.s390x.rpm
runc-debugsource-1.1.4-1.el9.s390x.rpm
x86_64:
runc-1.1.4-1.el9.x86_64.rpm
runc-debuginfo-1.1.4-1.el9.x86_64.rpm
runc-debugsource-1.1.4-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-29162
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.5898 - [RedHat] flac: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5898
flac security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: flac
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-0561
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8078
Comment: CVSS (Max): 5.5 CVE-2021-0561 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: flac security update
Advisory ID: RHSA-2022:8078-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8078
Issue date: 2022-11-15
CVE Names: CVE-2021-0561
=====================================================================
1. Summary:
An update for flac is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
FLAC stands for Free Lossless Audio Codec. FLAC is similar to Ogg Vorbis,
but lossless. The FLAC project consists of the stream format, reference
encoders and decoders in library form, a command-line program to encode and
decode FLAC files, and a command-line metadata editor for FLAC files.
Security Fix(es):
* flac: out of bound write in append_to_verify_fifo_interleaved_ of
stream_encoder.c (CVE-2021-0561)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2057776 - CVE-2021-0561 flac: out of bound write in append_to_verify_fifo_interleaved_ of stream_encoder.c
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
flac-1.3.3-10.el9.src.rpm
aarch64:
flac-debuginfo-1.3.3-10.el9.aarch64.rpm
flac-debugsource-1.3.3-10.el9.aarch64.rpm
flac-libs-1.3.3-10.el9.aarch64.rpm
flac-libs-debuginfo-1.3.3-10.el9.aarch64.rpm
ppc64le:
flac-debuginfo-1.3.3-10.el9.ppc64le.rpm
flac-debugsource-1.3.3-10.el9.ppc64le.rpm
flac-libs-1.3.3-10.el9.ppc64le.rpm
flac-libs-debuginfo-1.3.3-10.el9.ppc64le.rpm
s390x:
flac-debuginfo-1.3.3-10.el9.s390x.rpm
flac-debugsource-1.3.3-10.el9.s390x.rpm
flac-libs-1.3.3-10.el9.s390x.rpm
flac-libs-debuginfo-1.3.3-10.el9.s390x.rpm
x86_64:
flac-debuginfo-1.3.3-10.el9.i686.rpm
flac-debuginfo-1.3.3-10.el9.x86_64.rpm
flac-debugsource-1.3.3-10.el9.i686.rpm
flac-debugsource-1.3.3-10.el9.x86_64.rpm
flac-libs-1.3.3-10.el9.i686.rpm
flac-libs-1.3.3-10.el9.x86_64.rpm
flac-libs-debuginfo-1.3.3-10.el9.i686.rpm
flac-libs-debuginfo-1.3.3-10.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
flac-1.3.3-10.el9.aarch64.rpm
flac-debuginfo-1.3.3-10.el9.aarch64.rpm
flac-debugsource-1.3.3-10.el9.aarch64.rpm
flac-devel-1.3.3-10.el9.aarch64.rpm
flac-libs-debuginfo-1.3.3-10.el9.aarch64.rpm
ppc64le:
flac-1.3.3-10.el9.ppc64le.rpm
flac-debuginfo-1.3.3-10.el9.ppc64le.rpm
flac-debugsource-1.3.3-10.el9.ppc64le.rpm
flac-devel-1.3.3-10.el9.ppc64le.rpm
flac-libs-debuginfo-1.3.3-10.el9.ppc64le.rpm
s390x:
flac-1.3.3-10.el9.s390x.rpm
flac-debuginfo-1.3.3-10.el9.s390x.rpm
flac-debugsource-1.3.3-10.el9.s390x.rpm
flac-devel-1.3.3-10.el9.s390x.rpm
flac-libs-debuginfo-1.3.3-10.el9.s390x.rpm
x86_64:
flac-1.3.3-10.el9.x86_64.rpm
flac-debuginfo-1.3.3-10.el9.i686.rpm
flac-debuginfo-1.3.3-10.el9.x86_64.rpm
flac-debugsource-1.3.3-10.el9.i686.rpm
flac-debugsource-1.3.3-10.el9.x86_64.rpm
flac-devel-1.3.3-10.el9.i686.rpm
flac-devel-1.3.3-10.el9.x86_64.rpm
flac-libs-debuginfo-1.3.3-10.el9.i686.rpm
flac-libs-debuginfo-1.3.3-10.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-0561
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.5897 - [RedHat] dnsmasq: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5897
dnsmasq security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: dnsmasq
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0934
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8070
Comment: CVSS (Max): 6.5 CVE-2022-0934 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: dnsmasq security and bug fix update
Advisory ID: RHSA-2022:8070-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8070
Issue date: 2022-11-15
CVE Names: CVE-2022-0934
=====================================================================
1. Summary:
An update for dnsmasq is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name
Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server.
Security Fix(es):
* dnsmasq: Heap use after free in dhcp6_no_relay (CVE-2022-0934)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2057075 - CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay
2120711 - dnsmasq high CPU usage in 4.11 spoke deployment or after 4.10.21 to 4.11.0-rc.1 upgrade on an SNO node [rhel9]
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
dnsmasq-2.85-5.el9.src.rpm
aarch64:
dnsmasq-2.85-5.el9.aarch64.rpm
dnsmasq-debuginfo-2.85-5.el9.aarch64.rpm
dnsmasq-debugsource-2.85-5.el9.aarch64.rpm
dnsmasq-utils-2.85-5.el9.aarch64.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.aarch64.rpm
ppc64le:
dnsmasq-2.85-5.el9.ppc64le.rpm
dnsmasq-debuginfo-2.85-5.el9.ppc64le.rpm
dnsmasq-debugsource-2.85-5.el9.ppc64le.rpm
dnsmasq-utils-2.85-5.el9.ppc64le.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.ppc64le.rpm
s390x:
dnsmasq-2.85-5.el9.s390x.rpm
dnsmasq-debuginfo-2.85-5.el9.s390x.rpm
dnsmasq-debugsource-2.85-5.el9.s390x.rpm
dnsmasq-utils-2.85-5.el9.s390x.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.s390x.rpm
x86_64:
dnsmasq-2.85-5.el9.x86_64.rpm
dnsmasq-debuginfo-2.85-5.el9.x86_64.rpm
dnsmasq-debugsource-2.85-5.el9.x86_64.rpm
dnsmasq-utils-2.85-5.el9.x86_64.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-0934
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------
ESB-2022.5896 - [RedHat] bind: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5896
bind security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: bind
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0396 CVE-2021-25220
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8068
Comment: CVSS (Max): 6.8 CVE-2021-25220 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
--------------------------BEGIN INCLUDED TEXT--------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: bind security update
Advisory ID: RHSA-2022:8068-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8068
Issue date: 2022-11-15
CVE Names: CVE-2021-25220 CVE-2022-0396
=====================================================================
1. Summary:
An update for bind is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
Security Fix(es):
* bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)
* bind: DoS from specifically crafted TCP packets (CVE-2022-0396)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the update, the BIND daemon (named) will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
2064512 - CVE-2021-25220 bind: DNS forwarders - cache poisoning vulnerability
2064513 - CVE-2022-0396 bind: DoS from specifically crafted TCP packets
2104863 - bind-doc is not shipped to public
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
bind-9.16.23-5.el9_1.src.rpm
aarch64:
bind-9.16.23-5.el9_1.aarch64.rpm
bind-chroot-9.16.23-5.el9_1.aarch64.rpm
bind-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-debugsource-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-libs-9.16.23-5.el9_1.aarch64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-utils-9.16.23-5.el9_1.aarch64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
noarch:
bind-dnssec-doc-9.16.23-5.el9_1.noarch.rpm
bind-license-9.16.23-5.el9_1.noarch.rpm
python3-bind-9.16.23-5.el9_1.noarch.rpm
ppc64le:
bind-9.16.23-5.el9_1.ppc64le.rpm
bind-chroot-9.16.23-5.el9_1.ppc64le.rpm
bind-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-debugsource-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
s390x:
bind-9.16.23-5.el9_1.s390x.rpm
bind-chroot-9.16.23-5.el9_1.s390x.rpm
bind-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-debugsource-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-libs-9.16.23-5.el9_1.s390x.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-utils-9.16.23-5.el9_1.s390x.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
x86_64:
bind-9.16.23-5.el9_1.x86_64.rpm
bind-chroot-9.16.23-5.el9_1.x86_64.rpm
bind-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-debugsource-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-libs-9.16.23-5.el9_1.x86_64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-utils-9.16.23-5.el9_1.x86_64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
bind-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-debugsource-9.16.23-5.el9_1.aarch64.rpm
bind-devel-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
noarch:
bind-doc-9.16.23-5.el9_1.noarch.rpm
ppc64le:
bind-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-debugsource-9.16.23-5.el9_1.ppc64le.rpm
bind-devel-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
s390x:
bind-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-debugsource-9.16.23-5.el9_1.s390x.rpm
bind-devel-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
x86_64:
bind-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-debugsource-9.16.23-5.el9_1.i686.rpm
bind-debugsource-9.16.23-5.el9_1.x86_64.rpm
bind-devel-9.16.23-5.el9_1.i686.rpm
bind-devel-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-libs-9.16.23-5.el9_1.i686.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-25220
https://access.redhat.com/security/cve/CVE-2022-0396
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5895 - [RedHat] httpd: CVSS (Max): 8.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5895
httpd security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: httpd
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-31813 CVE-2022-30556 CVE-2022-30522
CVE-2022-29404 CVE-2022-28615 CVE-2022-28614
CVE-2022-26377 CVE-2022-23943 CVE-2022-22721
CVE-2022-22719
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8067
Comment: CVSS (Max): 8.1 CVE-2022-23943 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: httpd security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8067-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8067
Issue date: 2022-11-15
CVE Names: CVE-2022-22719 CVE-2022-22721 CVE-2022-23943
CVE-2022-26377 CVE-2022-28614 CVE-2022-28615
CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
CVE-2022-31813
=====================================================================
1. Summary:
An update for httpd is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
The following packages have been upgraded to a later upstream version:
httpd (2.4.53). (BZ#2079939)
Security Fix(es):
* httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)
* httpd: mod_lua: Use of uninitialized value of in r:parsebody
(CVE-2022-22719)
* httpd: core: Possible buffer overflow with very large or unlimited
LimitXMLRequestBody (CVE-2022-22721)
* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
* httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)
* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)
* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
(CVE-2022-31813)
* httpd: Out-of-bounds read via ap_rwrite() (CVE-2022-28614)
* httpd: Out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
* httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds
2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody
2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using SetEnv or PassEnv. Needs documentation.
2075406 - httpd.conf uses icon bomb.gif for all files/dirs ending with core
2079939 - httpd rebase to 2.4.53
2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling
2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()
2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()
2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets
2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
2095838 - mod_mime_magic: invalid type 0 in mconvert()
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
httpd-2.4.53-7.el9.src.rpm
aarch64:
httpd-2.4.53-7.el9.aarch64.rpm
httpd-core-2.4.53-7.el9.aarch64.rpm
httpd-core-debuginfo-2.4.53-7.el9.aarch64.rpm
httpd-debuginfo-2.4.53-7.el9.aarch64.rpm
httpd-debugsource-2.4.53-7.el9.aarch64.rpm
httpd-devel-2.4.53-7.el9.aarch64.rpm
httpd-tools-2.4.53-7.el9.aarch64.rpm
httpd-tools-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_ldap-2.4.53-7.el9.aarch64.rpm
mod_ldap-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_lua-2.4.53-7.el9.aarch64.rpm
mod_lua-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_proxy_html-2.4.53-7.el9.aarch64.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_session-2.4.53-7.el9.aarch64.rpm
mod_session-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_ssl-2.4.53-7.el9.aarch64.rpm
mod_ssl-debuginfo-2.4.53-7.el9.aarch64.rpm
noarch:
httpd-filesystem-2.4.53-7.el9.noarch.rpm
httpd-manual-2.4.53-7.el9.noarch.rpm
ppc64le:
httpd-2.4.53-7.el9.ppc64le.rpm
httpd-core-2.4.53-7.el9.ppc64le.rpm
httpd-core-debuginfo-2.4.53-7.el9.ppc64le.rpm
httpd-debuginfo-2.4.53-7.el9.ppc64le.rpm
httpd-debugsource-2.4.53-7.el9.ppc64le.rpm
httpd-devel-2.4.53-7.el9.ppc64le.rpm
httpd-tools-2.4.53-7.el9.ppc64le.rpm
httpd-tools-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_ldap-2.4.53-7.el9.ppc64le.rpm
mod_ldap-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_lua-2.4.53-7.el9.ppc64le.rpm
mod_lua-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_proxy_html-2.4.53-7.el9.ppc64le.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_session-2.4.53-7.el9.ppc64le.rpm
mod_session-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_ssl-2.4.53-7.el9.ppc64le.rpm
mod_ssl-debuginfo-2.4.53-7.el9.ppc64le.rpm
s390x:
httpd-2.4.53-7.el9.s390x.rpm
httpd-core-2.4.53-7.el9.s390x.rpm
httpd-core-debuginfo-2.4.53-7.el9.s390x.rpm
httpd-debuginfo-2.4.53-7.el9.s390x.rpm
httpd-debugsource-2.4.53-7.el9.s390x.rpm
httpd-devel-2.4.53-7.el9.s390x.rpm
httpd-tools-2.4.53-7.el9.s390x.rpm
httpd-tools-debuginfo-2.4.53-7.el9.s390x.rpm
mod_ldap-2.4.53-7.el9.s390x.rpm
mod_ldap-debuginfo-2.4.53-7.el9.s390x.rpm
mod_lua-2.4.53-7.el9.s390x.rpm
mod_lua-debuginfo-2.4.53-7.el9.s390x.rpm
mod_proxy_html-2.4.53-7.el9.s390x.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.s390x.rpm
mod_session-2.4.53-7.el9.s390x.rpm
mod_session-debuginfo-2.4.53-7.el9.s390x.rpm
mod_ssl-2.4.53-7.el9.s390x.rpm
mod_ssl-debuginfo-2.4.53-7.el9.s390x.rpm
x86_64:
httpd-2.4.53-7.el9.x86_64.rpm
httpd-core-2.4.53-7.el9.x86_64.rpm
httpd-core-debuginfo-2.4.53-7.el9.x86_64.rpm
httpd-debuginfo-2.4.53-7.el9.x86_64.rpm
httpd-debugsource-2.4.53-7.el9.x86_64.rpm
httpd-devel-2.4.53-7.el9.x86_64.rpm
httpd-tools-2.4.53-7.el9.x86_64.rpm
httpd-tools-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_ldap-2.4.53-7.el9.x86_64.rpm
mod_ldap-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_lua-2.4.53-7.el9.x86_64.rpm
mod_lua-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_proxy_html-2.4.53-7.el9.x86_64.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_session-2.4.53-7.el9.x86_64.rpm
mod_session-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_ssl-2.4.53-7.el9.x86_64.rpm
mod_ssl-debuginfo-2.4.53-7.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-22719
https://access.redhat.com/security/cve/CVE-2022-22721
https://access.redhat.com/security/cve/CVE-2022-23943
https://access.redhat.com/security/cve/CVE-2022-26377
https://access.redhat.com/security/cve/CVE-2022-28614
https://access.redhat.com/security/cve/CVE-2022-28615
https://access.redhat.com/security/cve/CVE-2022-29404
https://access.redhat.com/security/cve/CVE-2022-30522
https://access.redhat.com/security/cve/CVE-2022-30556
https://access.redhat.com/security/cve/CVE-2022-31813
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5894 - [RedHat] unbound security: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5894
unbound security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: unbound security
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30699 CVE-2022-30698
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8062
Comment: CVSS (Max): 6.5 CVE-2022-30699 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: unbound security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8062-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8062
Issue date: 2022-11-15
CVE Names: CVE-2022-30698 CVE-2022-30699
=====================================================================
1. Summary:
An update for unbound is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The unbound packages provide a validating, recursive, and caching DNS or
DNSSEC resolver.
The following packages have been upgraded to a later upstream version:
unbound (1.16.2). (BZ#2087120)
Security Fix(es):
* unbound: novel ghost domain attack that allows attackers to trigger
continued resolvability of malicious domain names (CVE-2022-30698)
* unbound: novel ghost domain attack that allows attackers to trigger
continued resolvability of malicious domain names (CVE-2022-30699)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1981415 - unbound: don't use deprecated functions in OpenSSL 3.0
2056116 - unbound-devel is not available on Centos 9 Stream
2071543 - Unbound fails resolution of any SHA-1 signed domain [rhel-9.1.0]
2071943 - failing devel man pages for rhel 9
2079548 - [unbound: FIPS mode] does not resolve ED25519 and ED448
2087120 - [rebase] Rebase to 1.16.0
2094336 - unbound-keygen needs to be stoped
2116725 - CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
2116729 - CVE-2022-30699 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
2116802 - unbound-keygen requires openssl [rhel9]
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
unbound-1.16.2-2.el9.src.rpm
aarch64:
python3-unbound-1.16.2-2.el9.aarch64.rpm
python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm
unbound-1.16.2-2.el9.aarch64.rpm
unbound-debuginfo-1.16.2-2.el9.aarch64.rpm
unbound-debugsource-1.16.2-2.el9.aarch64.rpm
unbound-libs-1.16.2-2.el9.aarch64.rpm
unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm
ppc64le:
python3-unbound-1.16.2-2.el9.ppc64le.rpm
python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm
unbound-1.16.2-2.el9.ppc64le.rpm
unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm
unbound-debugsource-1.16.2-2.el9.ppc64le.rpm
unbound-libs-1.16.2-2.el9.ppc64le.rpm
unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm
s390x:
python3-unbound-1.16.2-2.el9.s390x.rpm
python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm
unbound-1.16.2-2.el9.s390x.rpm
unbound-debuginfo-1.16.2-2.el9.s390x.rpm
unbound-debugsource-1.16.2-2.el9.s390x.rpm
unbound-libs-1.16.2-2.el9.s390x.rpm
unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm
x86_64:
python3-unbound-1.16.2-2.el9.x86_64.rpm
python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm
python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm
unbound-1.16.2-2.el9.x86_64.rpm
unbound-debuginfo-1.16.2-2.el9.i686.rpm
unbound-debuginfo-1.16.2-2.el9.x86_64.rpm
unbound-debugsource-1.16.2-2.el9.i686.rpm
unbound-debugsource-1.16.2-2.el9.x86_64.rpm
unbound-libs-1.16.2-2.el9.i686.rpm
unbound-libs-1.16.2-2.el9.x86_64.rpm
unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm
unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm
unbound-debuginfo-1.16.2-2.el9.aarch64.rpm
unbound-debugsource-1.16.2-2.el9.aarch64.rpm
unbound-devel-1.16.2-2.el9.aarch64.rpm
unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm
ppc64le:
python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm
unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm
unbound-debugsource-1.16.2-2.el9.ppc64le.rpm
unbound-devel-1.16.2-2.el9.ppc64le.rpm
unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm
s390x:
python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm
unbound-debuginfo-1.16.2-2.el9.s390x.rpm
unbound-debugsource-1.16.2-2.el9.s390x.rpm
unbound-devel-1.16.2-2.el9.s390x.rpm
unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm
x86_64:
python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm
python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm
unbound-debuginfo-1.16.2-2.el9.i686.rpm
unbound-debuginfo-1.16.2-2.el9.x86_64.rpm
unbound-debugsource-1.16.2-2.el9.i686.rpm
unbound-debugsource-1.16.2-2.el9.x86_64.rpm
unbound-devel-1.16.2-2.el9.i686.rpm
unbound-devel-1.16.2-2.el9.x86_64.rpm
unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm
unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-30698
https://access.redhat.com/security/cve/CVE-2022-30699
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5893 - [RedHat] grafana: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5893
grafana security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: grafana
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-32148 CVE-2022-31107 CVE-2022-30635
CVE-2022-30633 CVE-2022-30632 CVE-2022-30631
CVE-2022-30630 CVE-2022-28131 CVE-2022-21713
CVE-2022-21703 CVE-2022-21702 CVE-2022-21698
CVE-2022-21673 CVE-2022-1962 CVE-2022-1705
CVE-2021-23648
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8057
Comment: CVSS (Max): 7.5 CVE-2022-30635 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: grafana security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8057-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8057
Issue date: 2022-11-15
CVE Names: CVE-2021-23648 CVE-2022-1705 CVE-2022-1962
CVE-2022-21673 CVE-2022-21698 CVE-2022-21702
CVE-2022-21703 CVE-2022-21713 CVE-2022-28131
CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
CVE-2022-30633 CVE-2022-30635 CVE-2022-32148
=====================================================================
1. Summary:
An update for grafana is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version:
grafana (7.5.15). (BZ#2055349)
Security Fix(es):
* sanitize-url: XSS due to improper sanitization in sanitizeUrl function
(CVE-2021-23648)
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
* grafana: Forward OAuth Identity Token can allow users to access some data
sources (CVE-2022-21673)
* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)
* grafana: XSS vulnerability in data source handling (CVE-2022-21702)
* grafana: CSRF vulnerability can lead to privilege escalation
(CVE-2022-21703)
* grafana: IDOR vulnerability can lead to information disclosure
(CVE-2022-21713)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2050648 - CVE-2022-21702 grafana: XSS vulnerability in data source handling
2050742 - CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
2050743 - CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
2055349 - Rebase of Grafana in RHEL 9.1
2065290 - CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function
2104367 - CVE-2022-31107 grafana: OAuth account takeover
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
grafana-7.5.15-3.el9.src.rpm
aarch64:
grafana-7.5.15-3.el9.aarch64.rpm
grafana-debuginfo-7.5.15-3.el9.aarch64.rpm
ppc64le:
grafana-7.5.15-3.el9.ppc64le.rpm
grafana-debuginfo-7.5.15-3.el9.ppc64le.rpm
s390x:
grafana-7.5.15-3.el9.s390x.rpm
grafana-debuginfo-7.5.15-3.el9.s390x.rpm
x86_64:
grafana-7.5.15-3.el9.x86_64.rpm
grafana-debuginfo-7.5.15-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3OMc9zjgjWX9erEAQi0HA/8Cyww+6XfCKlKLVfnpNcj1p0tXUTvcjnS
OnnlUiQjXS44wBO73RbGWZL0FSZf3kjIEmzm20Tq6NZJ1K3Krw709BLd6ijx/uDi
QoROhHbujrLa52FUEl5pQspiE8gtLRX/DfxtV8dQcCsDD5ocUarOoT661wFoxipy
SsV9AZLw971eoGgYEeB7iD9pgnUZqATMqf75bLxMgBd8RgHT7VkheOckS+ThJrTy
UhVXyORoLaMvbFdvcLn/U3B+ocRiEvEICQ3yFW7GkvElMEawQr1f7TSHSqAiGB3G
IYiAV13YsatkPes+VQFiHBxKLkXuCPUJn1V0zovrfQI96gEGWsm4k9p6DogweNyK
jQ67cjLzkBKYQoLI77NhV19dsvMjct4bQWMiVSVkdWRNECAXFyxIdndR/DalEydm
GDXzyk8CLWRXm5l/149RhOfbIoVPqe9b/lzMZGF/TGvi/Fl+m3hPXSB0STgiCXSD
0bNAscp6a+GEf+m4J+rf/fjePuSjYU4noUiWzL7mkZs9v/W7JGz67+h8SPRIVnH6
65rurVnpCVgie5ObFV2WKCmkCL1q1yBTwSVIfaRL60c+Za8eRZzjA9+t+3A2mbBs
l3oUVRAea2zLk3qXmaLbT/vAA49MClAd4IQw8OOAy1Zs2B8Yg/CyclKvgXnGcMCM
cIsuNoeU9+M=
=CKDa
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5892 - [RedHat] webkit2gtk3: CVSS (Max): 8.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5892
webkit2gtk3 security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk3
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-30293 CVE-2022-26719 CVE-2022-26717
CVE-2022-26716 CVE-2022-26710 CVE-2022-26709
CVE-2022-26700 CVE-2022-22662 CVE-2022-22629
CVE-2022-22628 CVE-2022-22624
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8054
Comment: CVSS (Max): 8.8 CVE-2022-26719 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: webkit2gtk3 security and bug fix update
Advisory ID: RHSA-2022:8054-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8054
Issue date: 2022-11-15
CVE Names: CVE-2022-22624 CVE-2022-22628 CVE-2022-22629
CVE-2022-22662 CVE-2022-26700 CVE-2022-26709
CVE-2022-26710 CVE-2022-26716 CVE-2022-26717
CVE-2022-26719 CVE-2022-30293
=====================================================================
1. Summary:
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.
Security Fix(es):
* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-22624)
* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-22628)
* webkitgtk: Buffer overflow leading to arbitrary code execution
(CVE-2022-22629)
* webkitgtk: Cookie management issue leading to sensitive user information
disclosure (CVE-2022-22662)
* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26700)
* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26709)
* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26710)
* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26716)
* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26717)
* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26719)
* webkitgtk: Heap buffer overflow in
WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code
execution (CVE-2022-30293)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2061996 - Upgrade WebKitGTK for RHEL 9.1
2073893 - CVE-2022-22624 webkitgtk: Use-after-free leading to arbitrary code execution
2073896 - CVE-2022-22628 webkitgtk: Use-after-free leading to arbitrary code execution
2073899 - CVE-2022-22629 webkitgtk: Buffer overflow leading to arbitrary code execution
2082548 - CVE-2022-30293 webkitgtk: Heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code execution
2092732 - CVE-2022-26700 webkitgtk: Memory corruption issue leading to arbitrary code execution
2092733 - CVE-2022-26709 webkitgtk: Use-after-free leading to arbitrary code execution
2092734 - CVE-2022-26716 webkitgtk: Memory corruption issue leading to arbitrary code execution
2092735 - CVE-2022-26717 webkitgtk: Use-after-free leading to arbitrary code execution
2092736 - CVE-2022-26719 webkitgtk: Memory corruption issue leading to arbitrary code execution
2104787 - CVE-2022-22662 webkitgtk: Cookie management issue leading to sensitive user information disclosure
2104789 - CVE-2022-26710 webkitgtk: Use-after-free leading to arbitrary code execution
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
webkit2gtk3-2.36.7-1.el9.src.rpm
aarch64:
webkit2gtk3-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-devel-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.aarch64.rpm
ppc64le:
webkit2gtk3-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-devel-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.ppc64le.rpm
s390x:
webkit2gtk3-2.36.7-1.el9.s390x.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.s390x.rpm
webkit2gtk3-devel-2.36.7-1.el9.s390x.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.s390x.rpm
x86_64:
webkit2gtk3-2.36.7-1.el9.i686.rpm
webkit2gtk3-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.i686.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-devel-2.36.7-1.el9.i686.rpm
webkit2gtk3-devel-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5891 - [RedHat] qt5: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5891
qt5 security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: qt5
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25255
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8022
Comment: CVSS (Max): 7.8 CVE-2022-25255 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: qt5 security and bug fix update
Advisory ID: RHSA-2022:8022-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8022
Issue date: 2022-11-15
CVE Names: CVE-2022-25255
=====================================================================
1. Summary:
An update for qt5 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - noarch
3. Description:
The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform
application framework.
Security Fix(es):
* qt: QProcess could execute a binary from the current working directory
when not found in the PATH (CVE-2022-25255)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2055505 - CVE-2022-25255 qt: QProcess could execute a binary from the current working directory when not found in the PATH
2061352 - Rebase qt5 to 5.15.3
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
qt5-5.15.3-1.el9.src.rpm
noarch:
qt5-5.15.3-1.el9.noarch.rpm
qt5-rpm-macros-5.15.3-1.el9.noarch.rpm
qt5-srpm-macros-5.15.3-1.el9.noarch.rpm
Red Hat CodeReady Linux Builder (v. 9):
noarch:
qt5-devel-5.15.3-1.el9.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-25255
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5890 - [RedHat] fribidi: CVSS (Max): 7.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5890
fribidi security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: fribidi
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25310 CVE-2022-25309 CVE-2022-25308
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8011
Comment: CVSS (Max): 7.0 CVE-2022-25308 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: fribidi security update
Advisory ID: RHSA-2022:8011-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8011
Issue date: 2022-11-15
CVE Names: CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
=====================================================================
1. Summary:
An update for fribidi is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
FriBidi is a library to handle bidirectional scripts (for example Hebrew,
Arabic), so that the display is done in the proper way, while the text data
itself is always written in logical order.
Security Fix(es):
* fribidi: Stack based buffer overflow (CVE-2022-25308)
* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode
(CVE-2022-25309)
* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2047890 - CVE-2022-25308 fribidi: Stack based buffer overflow
2047896 - CVE-2022-25309 fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode
2047923 - CVE-2022-25310 fribidi: SEGV in fribidi_remove_bidi_marks
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
fribidi-1.0.10-6.el9.2.src.rpm
aarch64:
fribidi-1.0.10-6.el9.2.aarch64.rpm
fribidi-debuginfo-1.0.10-6.el9.2.aarch64.rpm
fribidi-debugsource-1.0.10-6.el9.2.aarch64.rpm
fribidi-devel-1.0.10-6.el9.2.aarch64.rpm
ppc64le:
fribidi-1.0.10-6.el9.2.ppc64le.rpm
fribidi-debuginfo-1.0.10-6.el9.2.ppc64le.rpm
fribidi-debugsource-1.0.10-6.el9.2.ppc64le.rpm
fribidi-devel-1.0.10-6.el9.2.ppc64le.rpm
s390x:
fribidi-1.0.10-6.el9.2.s390x.rpm
fribidi-debuginfo-1.0.10-6.el9.2.s390x.rpm
fribidi-debugsource-1.0.10-6.el9.2.s390x.rpm
fribidi-devel-1.0.10-6.el9.2.s390x.rpm
x86_64:
fribidi-1.0.10-6.el9.2.i686.rpm
fribidi-1.0.10-6.el9.2.x86_64.rpm
fribidi-debuginfo-1.0.10-6.el9.2.i686.rpm
fribidi-debuginfo-1.0.10-6.el9.2.x86_64.rpm
fribidi-debugsource-1.0.10-6.el9.2.i686.rpm
fribidi-debugsource-1.0.10-6.el9.2.x86_64.rpm
fribidi-devel-1.0.10-6.el9.2.i686.rpm
fribidi-devel-1.0.10-6.el9.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
ESB-2022.5889 - [RedHat] buildah: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5889
buildah security and bug fix update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: buildah
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27191 CVE-2022-2990 CVE-2022-2989
CVE-2021-33198 CVE-2021-33197 CVE-2021-33195
CVE-2021-20291
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8008
Comment: CVSS (Max): 7.5 CVE-2022-27191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: buildah security and bug fix update
Advisory ID: RHSA-2022:8008-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8008
Issue date: 2022-11-15
CVE Names: CVE-2021-20291 CVE-2021-33195 CVE-2021-33197
CVE-2021-33198 CVE-2022-2989 CVE-2022-2990
CVE-2022-27191
=====================================================================
1. Summary:
An update for buildah is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The buildah package provides a tool for facilitating building OCI container
images. Among other things, buildah enables you to: Create a working
container, either from scratch or using an image as a starting point;
Create an image, either from a working container or using the instructions
in a Dockerfile; Build both Docker and OCI images.
Security Fix(es):
* containers/storage: DoS via malicious image (CVE-2021-20291)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
* podman: possible information disclosure and modification (CVE-2022-2989)
* buildah: possible information disclosure and modification (CVE-2022-2990)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1939485 - CVE-2021-20291 containers/storage: DoS via malicious image
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2081835 - networking is broken when building containers due to missing container networking package dependencies
2121445 - CVE-2022-2989 podman: possible information disclosure and modification
2121453 - CVE-2022-2990 buildah: possible information disclosure and modification
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
buildah-1.27.0-2.el9.src.rpm
aarch64:
buildah-1.27.0-2.el9.aarch64.rpm
buildah-debuginfo-1.27.0-2.el9.aarch64.rpm
buildah-debugsource-1.27.0-2.el9.aarch64.rpm
buildah-tests-1.27.0-2.el9.aarch64.rpm
buildah-tests-debuginfo-1.27.0-2.el9.aarch64.rpm
ppc64le:
buildah-1.27.0-2.el9.ppc64le.rpm
buildah-debuginfo-1.27.0-2.el9.ppc64le.rpm
buildah-debugsource-1.27.0-2.el9.ppc64le.rpm
buildah-tests-1.27.0-2.el9.ppc64le.rpm
buildah-tests-debuginfo-1.27.0-2.el9.ppc64le.rpm
s390x:
buildah-1.27.0-2.el9.s390x.rpm
buildah-debuginfo-1.27.0-2.el9.s390x.rpm
buildah-debugsource-1.27.0-2.el9.s390x.rpm
buildah-tests-1.27.0-2.el9.s390x.rpm
buildah-tests-debuginfo-1.27.0-2.el9.s390x.rpm
x86_64:
buildah-1.27.0-2.el9.x86_64.rpm
buildah-debuginfo-1.27.0-2.el9.x86_64.rpm
buildah-debugsource-1.27.0-2.el9.x86_64.rpm
buildah-tests-1.27.0-2.el9.x86_64.rpm
buildah-tests-debuginfo-1.27.0-2.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-20291
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2022-2989
https://access.redhat.com/security/cve/CVE-2022-2990
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3PhO9zjgjWX9erEAQjSFg//TmQoiB4pxBXzwpB8PKdSXPda8mbc4fEY
tTxG4fDB5j/Xix/MkMajS+kWL6RmwLdnrR34cKzyQ7MPYAxbW0efssoChZ5fuFMO
CC8W8FBieAWSf+zJaaGDIUvEhUKL189Qeic175ilgkExNus3OycvtJnJdZa/uyjZ
0NPHe3oqRpt/jmRdrlBogQtzgDcj3440M0ER5wQcQyXa7DHF0aQKGFoC93D+QrAa
x3m7mK0vcAhIvOLYLhEXiGUKqqW9b+lYYgszMVi/gxdnIDXT+3in08sO1xzZrOAv
1sc4FJ+lBAYz23yFF8KeLRZOUOk/Js4mylN033nggmVPyU+uISXKkY9jtqJ2LBM2
bGQW+a0x4B/ef0Al4TYoDvieSCWGzlHBdFlylMXD0bPTx9j04z8/dqGSvn+rGRtH
whgq9782nXiRYt8itbTa/FL9IezrQz7/ryg1lVVQLxh2nhCaAa2NAEpky77Fupj9
mhRqYp0evBgoMTkMOkyskSp9YXjOZNLk/DB2n3oAnYgwOfOinz8fGy4KsL6D/pkt
5jLo8rvjbeTplnCwJrwUwpRb7MF3lua1oXCYCJf/3h7m/SCuVO0LRywNLdSF2BX7
r+LYttzHSYP/4E39Lpefq1trvt0qqnyJx8183KnTQA8M9yW4V3abEmrjXJUxQLfT
zXvxQ+zuUq0=
=rzwm
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=5Pmp
-----END PGP SIGNATURE-----
ESB-2022.5888 - [RedHat] libvirt: CVSS (Max): 5.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5888
libvirt security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libvirt
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0897
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:8003
Comment: CVSS (Max): 5.0 CVE-2022-0897 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: libvirt security, bug fix, and enhancement update
Advisory ID: RHSA-2022:8003-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8003
Issue date: 2022-11-15
CVE Names: CVE-2022-0897
=====================================================================
1. Summary:
An update for libvirt is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The libvirt library contains a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In
addition, libvirt provides tools for remote management of virtualized
systems.
The following packages have been upgraded to a later upstream version:
libvirt (8.5.0). (BZ#2060313)
Security Fix(es):
* libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to
denial of service (CVE-2022-0897)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, libvirtd will be restarted
automatically.
5. Bugs fixed (https://bugzilla.redhat.com/):
1475431 - migration/postcopy: Handle network failures (libvirt)
1653327 - libvirt: Implement virtio-iommu support for aarch64
1745868 - Remove the support for 'virtio-input-host-pci-{non-}transitional model
1866400 - RFE: provide API which allows to take memory snapshot in sync with storage when storage is outsourced (e.g. using vhost-user-blk)
1901394 - --tls-destination doesn't take effect for disk migration
1910856 - Disk pool changed to be inactive after restarting libvirtd
1999372 - Error unclear when starting guest with wrong virtiofsd path
2026765 - Can't define a TFTP server without a DHCP server in network configuration
2035163 - Starting guest with spice audio backend should fail when SPICE graphics is disabled in QEMU
2036300 - video heads can be configured for 'bochs_display' even max_outputs is not supported
2037146 - Better to report error when setting acpi index='0' in device
2038045 - Documentation about using virt-admin to manage other daemons should be added
2040548 - 'unassigned' address type changed after hotplug
2040555 - Pinning iothread to not allowed cpuset fails but vm xml got updated unexpectedly
2041665 - guestinfo returns wrong value when domain's filesystems are frozen
2045953 - 'virsh nodedev-list --cap storage' doesn't list host nvme storage
2045959 - Not update Documentation for systemd config file
2046024 - virsh domsetlaunchsecstate not report an error message when the input parameter is not enough
2051451 - qemu driver must not use hardcoded "/machine/unattached/device[0]" QOM path when probing cpu flags
2057067 - `virsh blockjob --abort' logs error when cancelling a copy job started with '--reuse-external --shallow', where the target image has a backing file
2057768 - [RFE]Support copy/paste in the VNC console in libvirt
2060313 - Rebase libvirt for RHEL 9.1
2060776 - missing 'nvram-template' when start ovmf guest [rhel-9.1.0]
2063883 - CVE-2022-0897 libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
2064115 - Start encrypted tpm guest failed
2065381 - Libvirt multiqueue support for vDPA [rhel-9.1.0]
2065399 - virtnwfilterd modular daemon occasionally hangs on concurrent access [rhel-9.1.0]
2070380 - Start a guest with numatune restrictive mode has different behavior with virsh numatune cmd.
2073867 - Missing the doc of dirtyrate.calc_mode and dirtyrate.vcpu..megabytes_per_second
2073887 - Segmentation fault when listening specified event types
2075383 - The vlan tag setting does not work in the xml
2075464 - There is error log when restart virtqemud during vm is running
2075765 - [cgroup] Libvirt cannot operate vm control groups after restarting virtqemud
2075837 - virtnwfilterd crashed when start->reload->restart virtnwfilterd with running guest having filter setting
2078274 - Blockcopy failed with catchXMLError
2081981 - input element with non-virtio bus should fail to accept the model attribute
2082540 - Update device to update the rss setting report success but no changes in xml
2089431 - [RFE] RFE to allow enabling ZEROCOPY live migration through libvirt
2092833 - [RFE] Support vDPA live migration in libvirt
2092856 - Hotplug interface fail with null file descriptor
2095260 - Revert the patch to ignore KVM_CAP_MAX_VCPUS in libvirt
2102009 - Attach interface fail will cause unexpected behavior
2103119 - [RFE] Expose supported TPM version in domCapabilities (via 'swtpm')
2103524 - Run virsh dumpxml cmd with extra options should return error
2105231 - [MT2910] XML error: Invalid value for attribute 'speed' in element 'link': '(null)'.
2107424 - "mem lock limit" of qemu process is not restored when kill src virtqemud during zerocopy migration.
2107892 - Migrate parameters are not restored if kill virtproxyd/virtqemud during migration
2111070 - --postcopy-bandwidth is not hornored when recovering postcopy migration
2112348 - pass the OPENSSL_CONF env var through to the "ssh" binary
2121141 - [libvirt] Kernel does not provide mount namespace
2121441 - NVME disk hot-plug fails due to the denial from selinux
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
libvirt-8.5.0-7.el9_1.src.rpm
aarch64:
libvirt-8.5.0-7.el9_1.aarch64.rpm
libvirt-client-8.5.0-7.el9_1.aarch64.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.aarch64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debugsource-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.aarch64.rpm
ppc64le:
libvirt-8.5.0-7.el9_1.ppc64le.rpm
libvirt-client-8.5.0-7.el9_1.ppc64le.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debugsource-8.5.0-7.el9_1.ppc64le.rpm
libvirt-libs-8.5.0-7.el9_1.ppc64le.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-nss-8.5.0-7.el9_1.ppc64le.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
s390x:
libvirt-8.5.0-7.el9_1.s390x.rpm
libvirt-client-8.5.0-7.el9_1.s390x.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.s390x.rpm
libvirt-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-debugsource-8.5.0-7.el9_1.s390x.rpm
libvirt-libs-8.5.0-7.el9_1.s390x.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.s390x.rpm
x86_64:
libvirt-8.5.0-7.el9_1.x86_64.rpm
libvirt-client-8.5.0-7.el9_1.x86_64.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.x86_64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debugsource-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
libvirt-client-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debugsource-8.5.0-7.el9_1.aarch64.rpm
libvirt-devel-8.5.0-7.el9_1.aarch64.rpm
libvirt-docs-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.aarch64.rpm
ppc64le:
libvirt-client-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debugsource-8.5.0-7.el9_1.ppc64le.rpm
libvirt-devel-8.5.0-7.el9_1.ppc64le.rpm
libvirt-docs-8.5.0-7.el9_1.ppc64le.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
s390x:
libvirt-client-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-debugsource-8.5.0-7.el9_1.s390x.rpm
libvirt-devel-8.5.0-7.el9_1.s390x.rpm
libvirt-docs-8.5.0-7.el9_1.s390x.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-lock-sanlock-8.5.0-7.el9_1.s390x.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.s390x.rpm
x86_64:
libvirt-client-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debugsource-8.5.0-7.el9_1.x86_64.rpm
libvirt-devel-8.5.0-7.el9_1.x86_64.rpm
libvirt-docs-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-0897
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=xBto
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=rAJ3
-----END PGP SIGNATURE-----
ESB-2022.5887 - [RedHat] speex: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5887
speex security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: speex
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2020-23903
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7979
Comment: CVSS (Max): 5.5 CVE-2020-23903 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: speex security update
Advisory ID: RHSA-2022:7979-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7979
Issue date: 2022-11-15
CVE Names: CVE-2020-23903
=====================================================================
1. Summary:
An update for speex is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Speex is a patent-free compression format designed especially for speech.
It is specialized for voice communications at low bit-rates.
Security Fix(es):
* speex: divide by zero in read_samples() via crafted WAV file
(CVE-2020-23903)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2024250 - CVE-2020-23903 speex: divide by zero in read_samples() via crafted WAV file
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
speex-1.2.0-11.el9.src.rpm
aarch64:
speex-1.2.0-11.el9.aarch64.rpm
speex-debuginfo-1.2.0-11.el9.aarch64.rpm
speex-debugsource-1.2.0-11.el9.aarch64.rpm
speex-tools-debuginfo-1.2.0-11.el9.aarch64.rpm
ppc64le:
speex-1.2.0-11.el9.ppc64le.rpm
speex-debuginfo-1.2.0-11.el9.ppc64le.rpm
speex-debugsource-1.2.0-11.el9.ppc64le.rpm
speex-tools-debuginfo-1.2.0-11.el9.ppc64le.rpm
s390x:
speex-1.2.0-11.el9.s390x.rpm
speex-debuginfo-1.2.0-11.el9.s390x.rpm
speex-debugsource-1.2.0-11.el9.s390x.rpm
speex-tools-debuginfo-1.2.0-11.el9.s390x.rpm
x86_64:
speex-1.2.0-11.el9.i686.rpm
speex-1.2.0-11.el9.x86_64.rpm
speex-debuginfo-1.2.0-11.el9.i686.rpm
speex-debuginfo-1.2.0-11.el9.x86_64.rpm
speex-debugsource-1.2.0-11.el9.i686.rpm
speex-debugsource-1.2.0-11.el9.x86_64.rpm
speex-tools-debuginfo-1.2.0-11.el9.i686.rpm
speex-tools-debuginfo-1.2.0-11.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
speex-debuginfo-1.2.0-11.el9.aarch64.rpm
speex-debugsource-1.2.0-11.el9.aarch64.rpm
speex-devel-1.2.0-11.el9.aarch64.rpm
speex-tools-debuginfo-1.2.0-11.el9.aarch64.rpm
ppc64le:
speex-debuginfo-1.2.0-11.el9.ppc64le.rpm
speex-debugsource-1.2.0-11.el9.ppc64le.rpm
speex-devel-1.2.0-11.el9.ppc64le.rpm
speex-tools-debuginfo-1.2.0-11.el9.ppc64le.rpm
s390x:
speex-debuginfo-1.2.0-11.el9.s390x.rpm
speex-debugsource-1.2.0-11.el9.s390x.rpm
speex-devel-1.2.0-11.el9.s390x.rpm
speex-tools-debuginfo-1.2.0-11.el9.s390x.rpm
x86_64:
speex-debuginfo-1.2.0-11.el9.i686.rpm
speex-debuginfo-1.2.0-11.el9.x86_64.rpm
speex-debugsource-1.2.0-11.el9.i686.rpm
speex-debugsource-1.2.0-11.el9.x86_64.rpm
speex-devel-1.2.0-11.el9.i686.rpm
speex-devel-1.2.0-11.el9.x86_64.rpm
speex-tools-debuginfo-1.2.0-11.el9.i686.rpm
speex-tools-debuginfo-1.2.0-11.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-23903
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5886 - [RedHat] gimp: CVSS (Max): 6.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5886
gimp security and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: gimp
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-32990 CVE-2022-30067
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7978
Comment: CVSS (Max): 6.2 CVE-2022-30067 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: gimp security and enhancement update
Advisory ID: RHSA-2022:7978-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7978
Issue date: 2022-11-15
CVE Names: CVE-2022-30067 CVE-2022-32990
=====================================================================
1. Summary:
An update for gimp is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
The GIMP (GNU Image Manipulation Program) is an image composition and
editing program. GIMP provides a large image manipulation toolbox,
including channel operations and layers, effects, sub-pixel imaging and
anti-aliasing, and conversions, all with multi-level undo.
Security Fix(es):
* gimp: buffer overflow through a crafted XCF file (CVE-2022-30067)
* gimp: unhandled exception via a crafted XCF file may lead to DoS
(CVE-2022-32990)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2087591 - CVE-2022-30067 gimp: buffer overflow through a crafted XCF file
2103202 - CVE-2022-32990 gimp: unhandled exception via a crafted XCF file may lead to DoS
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
gimp-2.99.8-3.el9.src.rpm
aarch64:
gimp-2.99.8-3.el9.aarch64.rpm
gimp-debuginfo-2.99.8-3.el9.aarch64.rpm
gimp-debugsource-2.99.8-3.el9.aarch64.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.aarch64.rpm
gimp-libs-2.99.8-3.el9.aarch64.rpm
gimp-libs-debuginfo-2.99.8-3.el9.aarch64.rpm
ppc64le:
gimp-2.99.8-3.el9.ppc64le.rpm
gimp-debuginfo-2.99.8-3.el9.ppc64le.rpm
gimp-debugsource-2.99.8-3.el9.ppc64le.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.ppc64le.rpm
gimp-libs-2.99.8-3.el9.ppc64le.rpm
gimp-libs-debuginfo-2.99.8-3.el9.ppc64le.rpm
s390x:
gimp-2.99.8-3.el9.s390x.rpm
gimp-debuginfo-2.99.8-3.el9.s390x.rpm
gimp-debugsource-2.99.8-3.el9.s390x.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.s390x.rpm
gimp-libs-2.99.8-3.el9.s390x.rpm
gimp-libs-debuginfo-2.99.8-3.el9.s390x.rpm
x86_64:
gimp-2.99.8-3.el9.x86_64.rpm
gimp-debuginfo-2.99.8-3.el9.i686.rpm
gimp-debuginfo-2.99.8-3.el9.x86_64.rpm
gimp-debugsource-2.99.8-3.el9.i686.rpm
gimp-debugsource-2.99.8-3.el9.x86_64.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.i686.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.x86_64.rpm
gimp-libs-2.99.8-3.el9.i686.rpm
gimp-libs-2.99.8-3.el9.x86_64.rpm
gimp-libs-debuginfo-2.99.8-3.el9.i686.rpm
gimp-libs-debuginfo-2.99.8-3.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-30067
https://access.redhat.com/security/cve/CVE-2022-32990
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5885 - [RedHat] protobuf: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5885
protobuf security update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: protobuf
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22570
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7970
Comment: CVSS (Max): 7.5 CVE-2021-22570 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: protobuf security update
Advisory ID: RHSA-2022:7970-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7970
Issue date: 2022-11-15
CVE Names: CVE-2021-22570
=====================================================================
1. Summary:
An update for protobuf is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
The protobuf packages provide Protocol Buffers, Google's data interchange
format. Protocol Buffers can encode structured data in an efficient yet
extensible format, and provide a flexible, efficient, and automated
mechanism for serializing structured data.
Security Fix(es):
* protobuf: Incorrect parsing of nullchar in the proto symbol leads to
Nullptr dereference (CVE-2021-22570)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
protobuf-3.14.0-13.el9.src.rpm
aarch64:
protobuf-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-lite-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm
noarch:
python3-protobuf-3.14.0-13.el9.noarch.rpm
ppc64le:
protobuf-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm
s390x:
protobuf-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-lite-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm
x86_64:
protobuf-3.14.0-13.el9.i686.rpm
protobuf-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-lite-3.14.0-13.el9.i686.rpm
protobuf-lite-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
protobuf-compiler-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-devel-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm
ppc64le:
protobuf-compiler-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-devel-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm
s390x:
protobuf-compiler-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-devel-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-lite-devel-3.14.0-13.el9.s390x.rpm
x86_64:
protobuf-compiler-3.14.0-13.el9.i686.rpm
protobuf-compiler-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-devel-3.14.0-13.el9.i686.rpm
protobuf-devel-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-lite-devel-3.14.0-13.el9.i686.rpm
protobuf-lite-devel-3.14.0-13.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-22570
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
ESB-2022.5884 - [RedHat] virt-v2v: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5884
virt-v2v security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: virt-v2v
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2211
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7968
Comment: CVSS (Max): 5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: virt-v2v security, bug fix, and enhancement update
Advisory ID: RHSA-2022:7968-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7968
Issue date: 2022-11-15
CVE Names: CVE-2022-2211
=====================================================================
1. Summary:
An update for virt-v2v is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - noarch, x86_64
3. Description:
The virt-v2v package provides a tool for converting virtual machines to use
the KVM (Kernel-based Virtual Machine) hypervisor or Red Hat Enterprise
Virtualization. The tool modifies both the virtual machine image and its
associated libvirt metadata. Also, virt-v2v can configure a guest to use
VirtIO drivers if possible.
Security Fix(es):
* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1684075 - Virt-v2v can't convert a guest from VMware via nbdkit-vddk if original guest disk address is irregular
1774386 - input_vmx: cleanly reject guests with snapshots when using "-it ssh"
1788823 - Virt-v2v firstboot scripts should run in order, with v2v network configuration happening first
1817050 - Can't convert guest from VMware with non-admin account and vddk >=7.0 by virt-v2v
1848862 - There is nbdkit curl error info if convert a guest from VMware without vddk by administrator account
1854275 - document that vmx+ssh "-ip" auth doesn't cover ssh / scp shell commands
1868048 - [RFE]virt-v2v should install qemu-ga on debian guest during the conversion
1883802 - -i vmx: SATA disks are not parsed
1985830 - Start or remove VM failure even v2v has already finished
2003503 - There is virt-v2v warning: fstrim on guest filesystem /dev/mapper/osprober-linux-sdb1 failed if non-os disk of source guest has few/no inodes lef
2028764 - Install the qemu-guest-agent package during the conversion process
2039597 - Failed to import VM when selecting OVA as a source on RHV webadmin
2047660 - Add '--compressed' support in modular v2v
2051564 - [RFE]Limiting the maximum number of disks per guest for v2v conversions
2059287 - RFE: Rebase virt-v2v to 2.0 in RHEL 9.1
2062360 - RFE: Virt-v2v should replace hairy "enable LEGACY crypto" advice with a more targeted mechanism
2064178 - nothing provides openssh-clients >= 8.8p1 needed by virt-v2v-1:2.0.0-1.el9.x86_64
2066773 - The /tmp/v2v.XXXX directory has incorrect permission if run v2v by root
2069768 - Import of OVA fails if the user/group name contains spaces
2070186 - fix virtio-vsock check (for Linux guests) in virt-v2v
2070530 - Virt-v2v can't convert guest when os is installed on nvme disk via vmx+ssh
2074026 - Remove -o json option
2074801 - do not pass "--non-bootable --read-write" to "volume create " in openstack output module
2074805 - -o qemu mode fails with: qemu-system-x86_64: -balloon: invalid option and other problems
2076013 - RHEL9.1 guest can't boot into OS after v2v conversion
2082603 - virt-v2v -o qemu prints cosmetic warning: "warning: short-form boolean option 'readonly' deprecated"
2094779 - missing python dependency in rhel9.1
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2101665 - "/dev/nvme0n1" is not remapped to "/dev/vda" (etc) in boot config files such as "/boot/grub2/device.map"
2107503 - RHEL 8.6 VM with "qemu64" CPU model can't start because "the CPU is incompatible with host CPU: Host CPU does not provide required features: svm"
2112801 - RHEL9 guest hangs during boot after conversion by virt-p2v
2116811 - virt-v2v: error: internal error: assertion failed at linux_kernels.ml, line 190, char 11
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
virt-v2v-2.0.7-6.el9.src.rpm
noarch:
virt-v2v-bash-completion-2.0.7-6.el9.noarch.rpm
x86_64:
virt-v2v-2.0.7-6.el9.x86_64.rpm
virt-v2v-debuginfo-2.0.7-6.el9.x86_64.rpm
virt-v2v-debugsource-2.0.7-6.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
noarch:
virt-v2v-man-pages-ja-2.0.7-6.el9.noarch.rpm
virt-v2v-man-pages-uk-2.0.7-6.el9.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
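An added check, not part of the AusCERT or Red Hat bulletin text, that turns the section 6 package lists of the bulletins above into a version comparison: it parses the name-version-release.arch filenames, compares version and release with a reimplementation of rpm's rpmvercmp ordering, and reports installed packages still below the fixed build. The installed inventory is constructed for the example, and because rpm filenames carry no epoch the comparison assumes equal epochs (virt-v2v, per bug 2064178 above, is epoch 1, so a real check also reads %{EPOCH}).

```python
import re

# Added example, not AusCERT or Red Hat code.
# Segments rpm compares: digit runs, letter runs and the '~' / '^' markers;
# every other character is a separator and is skipped, as rpmvercmp does.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a, b):
    """rpm's rpmvercmp() ordering, reimplemented: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare numerically and outrank alphabetic ones; '~' sorts
    before everything (even the end of the string); '^' sorts after the end of
    the string but before any other segment."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        xa = sa[i] if i < len(sa) else None
        xb = sb[i] if i < len(sb) else None
        if xa == "~" or xb == "~":
            if xa == xb:
                i += 1
                continue
            return -1 if xa == "~" else 1
        if xa == "^" or xb == "^":
            if xa == xb:
                i += 1
                continue
            if xa is None or xb is None:
                return -1 if xa is None else 1
            return -1 if xa == "^" else 1
        if xa is None or xb is None:
            break  # one side ran out: the side with segments left is newer
        a_num, b_num = xa.isdigit(), xb.isdigit()
        if a_num != b_num:
            return 1 if a_num else -1
        rc = (int(xa) > int(xb)) - (int(xa) < int(xb)) if a_num else (xa > xb) - (xa < xb)
        if rc:
            return rc
        i += 1
    if xa is None and xb is None:
        return 0
    return -1 if xa is None else 1


def parse_nvra(filename):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch).
    Names may contain hyphens (speex-tools-debuginfo); version and release
    never do, so splitting on the last two hyphens is unambiguous."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, _, arch = base.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vr_cmp(v1, r1, v2, r2):
    """Version first, then release. rpm filenames carry no epoch, so equal
    epochs are assumed here; a real check also compares %{EPOCH}."""
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def outdated_packages(advisory_rpms, installed):
    """(name, arch, installed_vr, fixed_vr) for each installed package that the
    advisory ships a newer build of; source rpms and unlisted packages are ignored."""
    fixed = {}
    for fn in advisory_rpms:
        name, ver, rel, arch = parse_nvra(fn)
        if arch != "src":
            fixed[(name, arch)] = (ver, rel)
    findings = []
    for pkg in installed:
        name, ver, rel, arch = parse_nvra(pkg)
        want = fixed.get((name, arch))
        if want and vr_cmp(ver, rel, *want) < 0:
            findings.append((name, arch, f"{ver}-{rel}", "-".join(want)))
    return findings


# Fixed builds taken from the section 6 lists above (a subset).
ADVISORY_RPMS = [
    "speex-1.2.0-11.el9.src.rpm", "speex-1.2.0-11.el9.x86_64.rpm",
    "gimp-libs-2.99.8-3.el9.x86_64.rpm", "protobuf-3.14.0-13.el9.x86_64.rpm",
    "python3-protobuf-3.14.0-13.el9.noarch.rpm", "virt-v2v-2.0.7-6.el9.x86_64.rpm",
]
# Constructed inventory standing in for
# `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` on a host under review.
INSTALLED = [
    "speex-1.2.0-10.el9.x86_64",              # older release: needs the update
    "gimp-libs-2.99.8-2.el9.x86_64",          # older release
    "protobuf-3.14.0-13.el9.x86_64",          # already at the fixed build
    "python3-protobuf-3.14.0-12.el9.noarch",  # older release
    "virt-v2v-2.0.7-6.el9.x86_64",            # already fixed
    "bash-5.1.8-6.el9.x86_64",                # not covered by these advisories
]

if __name__ == "__main__":
    for name, arch, have, want in outdated_packages(ADVISORY_RPMS, INSTALLED):
        print(f"{name}.{arch}: installed {have}, fixed in {want}")
```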
7. References:
https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=B2gb
-----END PGP SIGNATURE-----
ESB-2022.5883 - [RedHat] qemu-kvm: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5883
qemu-kvm security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: qemu-kvm
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-4158 CVE-2021-3750 CVE-2021-3611
CVE-2021-3507
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7967
Comment: CVSS (Max): 7.5 CVE-2021-3750 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: qemu-kvm security, bug fix, and enhancement update
Advisory ID: RHSA-2022:7967-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7967
Issue date: 2022-11-15
CVE Names: CVE-2021-3507 CVE-2021-3611 CVE-2021-3750
CVE-2021-4158
=====================================================================
1. Summary:
An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
3. Description:
Kernel-based Virtual Machine (KVM) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm packages provide the
user-space component for running virtual machines that use KVM.
The following packages have been upgraded to a later upstream version:
qemu-kvm (7.0.0). (BZ#2064757)
Security Fix(es):
* QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
(CVE-2021-3750)
* QEMU: fdc: heap buffer overflow in DMA read data transfers
(CVE-2021-3507)
* QEMU: intel-hda: segmentation fault due to stack overflow (CVE-2021-3611)
* QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
(CVE-2021-4158)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1477099 - virtio-iommu (including ACPI, VHOST/VFIO integration, migration support)
1708300 - RFE: qemu-nbd vs NBD_FLAG_CAN_MULTI_CONN
1879437 - Qemu coredump when refreshing block limits on an actively used iothread block device [rhel.9]
1904267 - Q35: Support SMBIOS 3.0 Entry Point Type
1951118 - CVE-2021-3507 QEMU: fdc: heap buffer overflow in DMA read data transfers
1968509 - Use MSG_ZEROCOPY on QEMU Live Migration
1973784 - CVE-2021-3611 QEMU: intel-hda: segmentation fault due to stack overflow
1982600 - qemu-kvm -help reports -spice despite not being compiled
1995710 - RFE: Allow virtio-scsi CD-ROM media change with IOThreads
1999073 - CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
2020993 - 'qemu-img convert' to Qcow2 Images over RBD Failed
2023977 - Duplicate SMBIOS handles when creating large VMs
2026955 - RFE: set default resolution/EDID info to a more sensible modern size like 1280x800 (WXGA)
2035002 - CVE-2021-4158 QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
2037612 - [Win11][tpm][QL41112 PF] vfio_listener_region_add received unaligned region
2041823 - [aarch64][numa] When there are at least 6 Numa nodes serial log shows 'arch topology borken'
2044162 - [RHEL9.1] Enable virtio-mem as tech-preview on ARM64 QEMU
2046029 - [WRB] New machine type property - dtb-kaslr-seed
2060839 - Consider deprecating CPU models like "kvm64" / "qemu64" on RHEL 9
2062809 - Guest can not start with SLIC acpi table [rhel-9.1.0]
2062813 - Mark all RHEL-8 and earlier machine types as deprecated [rhel-9.1.0]
2062817 - Missing qemu-kvm-block-ssh obsolete breaks upgrade path [rhel-9.1.0]
2062819 - Broken upgrade path due to qemu-kvm-hw-usbredir rename [rhel-9.1.0]
2062828 - [virtual network][rhel9][vDPA] qemu crash after hot unplug vdpa device [rhel-9.1.0]
2064500 - Install qemu-kvm-6.2.0-11.el9_0.1 failed as conflict with qemu-kvm-block-ssh-6.2.0-11.el9_0.1
2064530 - Rebuild qemu-kvm with clang-14
2064757 - Rebase to QEMU 7.0.0
2064771 - Update machine type compatibility for QEMU 7.0.0 update [x86_64]
2064782 - Update machine type compatibility for QEMU 7.0.0 update [s390x]
2065398 - watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [cat:2843] [rhel-9.1.0]
2066824 - Aarch64: Drop unsupported CPU types
2070804 - PXE boot crash qemu when using multiqueue vDPA
2072379 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs)
2079347 - Guest boot blocked when scsi disks using same iothread and 100% CPU consumption
2079938 - qemu coredump when boot with multi disks (qemu) failed to set up stack guard page: Cannot allocate memory
2081022 - Build regression on ppc64le with c9s qemu-kvm 7.0.0-1 changes
2086262 - [Win11][tpm]vfio_listener_region_del received unaligned region
2094252 - Compile the virtio-iommu device on x86_64
2094270 - Do not set the hard vCPU limit to the soft vCPU limit in downstream qemu-kvm anymore
2095608 - Please correct the error message when try to start qemu with "-M kernel-irqchip=split"
2096143 - The migration port is not released if use it again for recovering postcopy migration
2099541 - qemu coredump with error Assertion `qemu_mutex_iothread_locked()' failed when repeatly hotplug/unplug disks in pause status
2099934 - Guest reboot on destination host after postcopy migration completed
2100106 - Fix virtio-iommu/vfio bypass
2107466 - zerocopy capability can be enabled when set migrate capabilities with multifd and compress/xbzrle together
2111994 - RHEL9: skey test in kvm_unit_test got failed
2112303 - virtio-blk: Can't boot fresh installation from used 512 cluster_size image under certain conditions
2114060 - vDPA state restore support through control virtqueue in Qemu
2116876 - Fixes for vDPA control virtqueue support in Qemu
2120275 - Wrong max_sectors_kb and Maximum transfer length on the pass-through device [rhel-9.1]
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
qemu-kvm-7.0.0-13.el9.src.rpm
aarch64:
qemu-guest-agent-7.0.0-13.el9.aarch64.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-img-7.0.0-13.el9.aarch64.rpm
qemu-img-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-7.0.0-13.el9.aarch64.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.aarch64.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-curl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-common-7.0.0-13.el9.aarch64.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-core-7.0.0-13.el9.aarch64.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-debugsource-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-docs-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tools-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-pr-helper-7.0.0-13.el9.aarch64.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.aarch64.rpm
ppc64le:
qemu-guest-agent-7.0.0-13.el9.ppc64le.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-img-7.0.0-13.el9.ppc64le.rpm
qemu-img-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-kvm-debugsource-7.0.0-13.el9.ppc64le.rpm
s390x:
qemu-guest-agent-7.0.0-13.el9.s390x.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-img-7.0.0-13.el9.s390x.rpm
qemu-img-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-7.0.0-13.el9.s390x.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.s390x.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-curl-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-common-7.0.0-13.el9.s390x.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-core-7.0.0-13.el9.s390x.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-debugsource-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-ccw-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-ccw-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-docs-7.0.0-13.el9.s390x.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-tools-7.0.0-13.el9.s390x.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-pr-helper-7.0.0-13.el9.s390x.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.s390x.rpm
x86_64:
qemu-guest-agent-7.0.0-13.el9.x86_64.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-img-7.0.0-13.el9.x86_64.rpm
qemu-img-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-7.0.0-13.el9.x86_64.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.x86_64.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-curl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-common-7.0.0-13.el9.x86_64.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-core-7.0.0-13.el9.x86_64.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-debugsource-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-redirect-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-redirect-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-docs-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tools-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-egl-headless-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-egl-headless-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-opengl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-opengl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-pr-helper-7.0.0-13.el9.x86_64.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-3507
https://access.redhat.com/security/cve/CVE-2021-3611
https://access.redhat.com/security/cve/CVE-2021-3750
https://access.redhat.com/security/cve/CVE-2021-4158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=LjZY
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=KEfX
-----END PGP SIGNATURE-----
ESB-2022.5882 - [RedHat] guestfs-tools: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5882
guestfs-tools security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: guestfs-tools
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2211
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7959
Comment: CVSS (Max): 5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: guestfs-tools security, bug fix, and enhancement update
Advisory ID: RHSA-2022:7959-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7959
Issue date: 2022-11-15
CVE Names: CVE-2022-2211
=====================================================================
1. Summary:
An update for guestfs-tools is now available for Red Hat Enterprise Linux
9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, s390x, x86_64
3. Description:
guestfs-tools is a set of tools that can be used to make batch
configuration changes to guests, get disk used/free statistics, perform
backups and guest clones, change registry/UUID/hostname info, build guests
from scratch, and much more.
Security Fix(es):
* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2059286 - RFE: Rebase guestfs-tools to 1.48 in RHEL 9.1
2072493 - [RFE] Request to add lvm system.devices cleanup operation to virt-sysprep
2075718 - Having to use "--selinux-relabel" is not intuitive given Red Hat products default to selinux enabled.
2089748 - Removal of "--selinux-relabel" option breaks existing scripts
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2106286 - virt-sysprep: make an effort to support LUKS on LV
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
guestfs-tools-1.48.2-5.el9.src.rpm
aarch64:
guestfs-tools-1.48.2-5.el9.aarch64.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.aarch64.rpm
guestfs-tools-debugsource-1.48.2-5.el9.aarch64.rpm
noarch:
virt-win-reg-1.48.2-5.el9.noarch.rpm
s390x:
guestfs-tools-1.48.2-5.el9.s390x.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.s390x.rpm
guestfs-tools-debugsource-1.48.2-5.el9.s390x.rpm
x86_64:
guestfs-tools-1.48.2-5.el9.x86_64.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.x86_64.rpm
guestfs-tools-debugsource-1.48.2-5.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=j1SI
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY3QsLMkNZI30y1K9AQgNsg/9HGjRchyrIUrhFV2w4cSWjsAWU1Rvusnz
JR41r9BKKkg4fKMLf/z6k2W8MXBrsgrIaF66649nJJZZGVRsQYuRyIOcui1CKloe
OdAjFqGQUZvmwF23HHEJvnq2/mfOebuWH8B2xc0XN7LzPpQJJ+qznUT3l46lqh3C
qjUFN/BtRFZTmt7wwBjgNfGMBIcJUdsM2a/w/GsI3mbcWijYmw1Ms0QRhAkv2m+V
JJf/JI3vOLnaMx50j6n6UjlUbkZfKtf85oVXElOle/tLU1Gb5/rYc7KGRRwC5zkl
JzKcxmlj5xV6sM6xn1rEk2ymc8fQsk9ulOWAsomRmzXqHqLxUAPl9ceVAKbtta43
RqVwK+yNQtzRTi4oIZQ43qwq3KhZ5WaJqK9R4+XVcrjnuNAvQIP2p4JE1ptEOQ1+
gQH9AO0DGicak3211j3fb+zlPM6aiEYj1pIyzuogYea1Tdiw/0gXH3/SQAwPaVY+
EaqiVm+NHwnswchFDE4fQNg0iVZFa7pfbIPnYpxSKW0kjqHQ2dQxmbpSqhIt3j3f
XjPIMJGNI1uiiPNNDGH7LqyTpv3J6jONDu3zX1nIaVQ6WA6yMLkpJuRnJoU3bwAu
MdKP7HAjMNOXrhVgqjSQcQXeBn1HJ7t7ouzAJnsp+k7JvYiczXrDbL183ikd+JR3
UwKbgHlQ9YI=
=MKiO
-----END PGP SIGNATURE-----
ESB-2022.5881 - [RedHat] libguestfs: CVSS (Max): 5.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5881
libguestfs security, bug fix, and enhancement update
16 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libguestfs
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-2211
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7958
Comment: CVSS (Max): 5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: libguestfs security, bug fix, and enhancement update
Advisory ID: RHSA-2022:7958-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7958
Issue date: 2022-11-15
CVE Names: CVE-2022-2211
=====================================================================
1. Summary:
An update for libguestfs is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, s390x, x86_64
3. Description:
The libguestfs packages contain a library used for accessing and modifying
virtual machine disk images.
Security Fix(es):
* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1674392 - No return values from a directory listing when there are simply too many files in that directory (NULL value return)
1794518 - Rewrite libguestfs use of setfiles so that it doesn't stop on ext4 immutable bits
1809453 - [RFE] Add support for LUKS encrypted disks with Clevis & Tang
1844341 - The duplicate block device is listed when iface is set to 'virtio'
1965941 - lvm-set-filter failed in guestfish with the latest lvm2 package
2033247 - document encrypted RBD disk limitation
2059285 - RFE: Rebase libguestfs to 1.48 in RHEL 9.1
2065172 - SHA 1 signatures required to inspect packages in RHEL 6 guests [rhel-9.1.0]
2084568 - Disable 5-level page tables when using -cpu max
2086368 - Add Rocky Linux to list of REDHAT distros for code generation
2097718 - Please build and ship php bindings to libguestfs
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2117004 - RFE: Add support for Zstandard compression to guestfs_file_architecture API
6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
libguestfs-1.48.4-2.el9.src.rpm
aarch64:
libguestfs-1.48.4-2.el9.aarch64.rpm
libguestfs-appliance-1.48.4-2.el9.aarch64.rpm
libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-debugsource-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-rsync-1.48.4-2.el9.aarch64.rpm
libguestfs-xfs-1.48.4-2.el9.aarch64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
noarch:
libguestfs-bash-completion-1.48.4-2.el9.noarch.rpm
libguestfs-inspect-icons-1.48.4-2.el9.noarch.rpm
s390x:
libguestfs-1.48.4-2.el9.s390x.rpm
libguestfs-appliance-1.48.4-2.el9.s390x.rpm
libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-debugsource-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-rsync-1.48.4-2.el9.s390x.rpm
libguestfs-xfs-1.48.4-2.el9.s390x.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
python3-libguestfs-1.48.4-2.el9.s390x.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
x86_64:
libguestfs-1.48.4-2.el9.x86_64.rpm
libguestfs-appliance-1.48.4-2.el9.x86_64.rpm
libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-debugsource-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-rsync-1.48.4-2.el9.x86_64.rpm
libguestfs-xfs-1.48.4-2.el9.x86_64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-debugsource-1.48.4-2.el9.aarch64.rpm
libguestfs-devel-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-devel-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.aarch64.rpm
lua-guestfs-1.48.4-2.el9.aarch64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
php-libguestfs-1.48.4-2.el9.aarch64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
noarch:
libguestfs-man-pages-ja-1.48.4-2.el9.noarch.rpm
libguestfs-man-pages-uk-1.48.4-2.el9.noarch.rpm
s390x:
libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-debugsource-1.48.4-2.el9.s390x.rpm
libguestfs-devel-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-devel-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.s390x.rpm
lua-guestfs-1.48.4-2.el9.s390x.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
php-libguestfs-1.48.4-2.el9.s390x.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
x86_64:
libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-debugsource-1.48.4-2.el9.x86_64.rpm
libguestfs-devel-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-devel-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.x86_64.rpm
lua-guestfs-1.48.4-2.el9.x86_64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
php-libguestfs-1.48.4-2.el9.x86_64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----