AusCERT - Security Bulletins

Subscribe to the AusCERT - Security Bulletins feed
Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Updated: 2 hours 43 minutes ago
16 November 2022

ESB-2022.5900 - [RedHat] redis: CVSS (Max): 3.9

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5900
                     redis security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           redis
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-24736 CVE-2022-24735

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8096

Comment: CVSS (Max):  3.9 CVE-2022-24735 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: redis security and bug fix update
Advisory ID:       RHSA-2022:8096-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8096
Issue date:        2022-11-15
CVE Names:         CVE-2022-24735 CVE-2022-24736
=====================================================================

1. Summary:

An update for redis is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Redis is an advanced key-value store. It is often referred to as a
data-structure server since keys can contain strings, hashes, lists, sets,
and sorted sets. For performance, Redis works with an in-memory data set.
You can persist it either by dumping the data set to disk every once in a
while, or by appending each command to a log.

Security Fix(es):

* redis: Code injection via Lua script execution environment (CVE-2022-24735)

* redis: Malformed Lua script can crash Redis (CVE-2022-24736)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2080286 - CVE-2022-24735 redis: Code injection via Lua script execution environment
2080289 - CVE-2022-24736 redis: Malformed Lua script can crash Redis
2083151 - Rebase to 6.2.7

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
redis-6.2.7-1.el9.src.rpm

aarch64:
redis-6.2.7-1.el9.aarch64.rpm
redis-debuginfo-6.2.7-1.el9.aarch64.rpm
redis-debugsource-6.2.7-1.el9.aarch64.rpm
redis-devel-6.2.7-1.el9.aarch64.rpm

noarch:
redis-doc-6.2.7-1.el9.noarch.rpm

ppc64le:
redis-6.2.7-1.el9.ppc64le.rpm
redis-debuginfo-6.2.7-1.el9.ppc64le.rpm
redis-debugsource-6.2.7-1.el9.ppc64le.rpm
redis-devel-6.2.7-1.el9.ppc64le.rpm

s390x:
redis-6.2.7-1.el9.s390x.rpm
redis-debuginfo-6.2.7-1.el9.s390x.rpm
redis-debugsource-6.2.7-1.el9.s390x.rpm
redis-devel-6.2.7-1.el9.s390x.rpm

x86_64:
redis-6.2.7-1.el9.x86_64.rpm
redis-debuginfo-6.2.7-1.el9.i686.rpm
redis-debuginfo-6.2.7-1.el9.x86_64.rpm
redis-debugsource-6.2.7-1.el9.i686.rpm
redis-debugsource-6.2.7-1.el9.x86_64.rpm
redis-devel-6.2.7-1.el9.i686.rpm
redis-devel-6.2.7-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24735
https://access.redhat.com/security/cve/CVE-2022-24736
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
16 November 2022

ESB-2022.5899 - [RedHat] runc: CVSS (Max): 5.6

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5899
                            runc security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           runc
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29162

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8090

Comment: CVSS (Max):  5.6 CVE-2022-29162 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: runc security update
Advisory ID:       RHSA-2022:8090-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8090
Issue date:        2022-11-15
CVE Names:         CVE-2022-29162
=====================================================================

1. Summary:

An update for runc is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The runC tool is a lightweight, portable implementation of the Open
Container Format (OCF) that provides container runtime.

Security Fix(es):

* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2086398 - CVE-2022-29162 runc: incorrect handling of inheritable capabilities

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
runc-1.1.4-1.el9.src.rpm

aarch64:
runc-1.1.4-1.el9.aarch64.rpm
runc-debuginfo-1.1.4-1.el9.aarch64.rpm
runc-debugsource-1.1.4-1.el9.aarch64.rpm

ppc64le:
runc-1.1.4-1.el9.ppc64le.rpm
runc-debuginfo-1.1.4-1.el9.ppc64le.rpm
runc-debugsource-1.1.4-1.el9.ppc64le.rpm

s390x:
runc-1.1.4-1.el9.s390x.rpm
runc-debuginfo-1.1.4-1.el9.s390x.rpm
runc-debugsource-1.1.4-1.el9.s390x.rpm

x86_64:
runc-1.1.4-1.el9.x86_64.rpm
runc-debuginfo-1.1.4-1.el9.x86_64.rpm
runc-debugsource-1.1.4-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29162
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5898 - [RedHat] flac: CVSS (Max): 5.5

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5898
                            flac security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           flac
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-0561

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8078

Comment: CVSS (Max):  5.5 CVE-2021-0561 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: flac security update
Advisory ID:       RHSA-2022:8078-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8078
Issue date:        2022-11-15
CVE Names:         CVE-2021-0561
=====================================================================

1. Summary:

An update for flac is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

FLAC stands for Free Lossless Audio Codec. FLAC is similar to Ogg Vorbis,
but lossless. The FLAC project consists of the stream format, reference
encoders and decoders in library form, a command-line program to encode
and decode FLAC files, and a command-line metadata editor for FLAC files.

Security Fix(es):

* flac: out of bound write in append_to_verify_fifo_interleaved_ of stream_encoder.c (CVE-2021-0561)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2057776 - CVE-2021-0561 flac: out of bound write in append_to_verify_fifo_interleaved_ of stream_encoder.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
flac-1.3.3-10.el9.src.rpm

aarch64:
flac-debuginfo-1.3.3-10.el9.aarch64.rpm
flac-debugsource-1.3.3-10.el9.aarch64.rpm
flac-libs-1.3.3-10.el9.aarch64.rpm
flac-libs-debuginfo-1.3.3-10.el9.aarch64.rpm

ppc64le:
flac-debuginfo-1.3.3-10.el9.ppc64le.rpm
flac-debugsource-1.3.3-10.el9.ppc64le.rpm
flac-libs-1.3.3-10.el9.ppc64le.rpm
flac-libs-debuginfo-1.3.3-10.el9.ppc64le.rpm

s390x:
flac-debuginfo-1.3.3-10.el9.s390x.rpm
flac-debugsource-1.3.3-10.el9.s390x.rpm
flac-libs-1.3.3-10.el9.s390x.rpm
flac-libs-debuginfo-1.3.3-10.el9.s390x.rpm

x86_64:
flac-debuginfo-1.3.3-10.el9.i686.rpm
flac-debuginfo-1.3.3-10.el9.x86_64.rpm
flac-debugsource-1.3.3-10.el9.i686.rpm
flac-debugsource-1.3.3-10.el9.x86_64.rpm
flac-libs-1.3.3-10.el9.i686.rpm
flac-libs-1.3.3-10.el9.x86_64.rpm
flac-libs-debuginfo-1.3.3-10.el9.i686.rpm
flac-libs-debuginfo-1.3.3-10.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
flac-1.3.3-10.el9.aarch64.rpm
flac-debuginfo-1.3.3-10.el9.aarch64.rpm
flac-debugsource-1.3.3-10.el9.aarch64.rpm
flac-devel-1.3.3-10.el9.aarch64.rpm
flac-libs-debuginfo-1.3.3-10.el9.aarch64.rpm

ppc64le:
flac-1.3.3-10.el9.ppc64le.rpm
flac-debuginfo-1.3.3-10.el9.ppc64le.rpm
flac-debugsource-1.3.3-10.el9.ppc64le.rpm
flac-devel-1.3.3-10.el9.ppc64le.rpm
flac-libs-debuginfo-1.3.3-10.el9.ppc64le.rpm

s390x:
flac-1.3.3-10.el9.s390x.rpm
flac-debuginfo-1.3.3-10.el9.s390x.rpm
flac-debugsource-1.3.3-10.el9.s390x.rpm
flac-devel-1.3.3-10.el9.s390x.rpm
flac-libs-debuginfo-1.3.3-10.el9.s390x.rpm

x86_64:
flac-1.3.3-10.el9.x86_64.rpm
flac-debuginfo-1.3.3-10.el9.i686.rpm
flac-debuginfo-1.3.3-10.el9.x86_64.rpm
flac-debugsource-1.3.3-10.el9.i686.rpm
flac-debugsource-1.3.3-10.el9.x86_64.rpm
flac-devel-1.3.3-10.el9.i686.rpm
flac-devel-1.3.3-10.el9.x86_64.rpm
flac-libs-debuginfo-1.3.3-10.el9.i686.rpm
flac-libs-debuginfo-1.3.3-10.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-0561
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5897 - [RedHat] dnsmasq: CVSS (Max): 6.5

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5897
                   dnsmasq security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dnsmasq
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0934

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8070

Comment: CVSS (Max):  6.5 CVE-2022-0934 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: dnsmasq security and bug fix update
Advisory ID:       RHSA-2022:8070-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8070
Issue date:        2022-11-15
CVE Names:         CVE-2022-0934
=====================================================================

1. Summary:

An update for dnsmasq is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server)
forwarder and DHCP (Dynamic Host Configuration Protocol) server.

Security Fix(es):

* dnsmasq: Heap use after free in dhcp6_no_relay (CVE-2022-0934)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2057075 - CVE-2022-0934 dnsmasq: Heap use after free in dhcp6_no_relay
2120711 - dnsmasq high CPU usage in 4.11 spoke deployment or after 4.10.21 to 4.11.0-rc.1 upgrade on an SNO node [rhel9]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
dnsmasq-2.85-5.el9.src.rpm

aarch64:
dnsmasq-2.85-5.el9.aarch64.rpm
dnsmasq-debuginfo-2.85-5.el9.aarch64.rpm
dnsmasq-debugsource-2.85-5.el9.aarch64.rpm
dnsmasq-utils-2.85-5.el9.aarch64.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.aarch64.rpm

ppc64le:
dnsmasq-2.85-5.el9.ppc64le.rpm
dnsmasq-debuginfo-2.85-5.el9.ppc64le.rpm
dnsmasq-debugsource-2.85-5.el9.ppc64le.rpm
dnsmasq-utils-2.85-5.el9.ppc64le.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.ppc64le.rpm

s390x:
dnsmasq-2.85-5.el9.s390x.rpm
dnsmasq-debuginfo-2.85-5.el9.s390x.rpm
dnsmasq-debugsource-2.85-5.el9.s390x.rpm
dnsmasq-utils-2.85-5.el9.s390x.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.s390x.rpm

x86_64:
dnsmasq-2.85-5.el9.x86_64.rpm
dnsmasq-debuginfo-2.85-5.el9.x86_64.rpm
dnsmasq-debugsource-2.85-5.el9.x86_64.rpm
dnsmasq-utils-2.85-5.el9.x86_64.rpm
dnsmasq-utils-debuginfo-2.85-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0934
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------
16 November 2022

ESB-2022.5896 - [RedHat] bind: CVSS (Max): 6.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5896
                            bind security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bind
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0396 CVE-2021-25220

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8068

Comment: CVSS (Max):  6.8 CVE-2021-25220 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: bind security update
Advisory ID:       RHSA-2022:8068-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8068
Issue date:        2022-11-15
CVE Names:         CVE-2021-25220 CVE-2022-0396
=====================================================================

1. Summary:

An update for bind is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)

* bind: DoS from specifically crafted TCP packets (CVE-2022-0396)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, the BIND daemon (named) will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2064512 - CVE-2021-25220 bind: DNS forwarders - cache poisoning vulnerability
2064513 - CVE-2022-0396 bind: DoS from specifically crafted TCP packets
2104863 - bind-doc is not shipped to public

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
bind-9.16.23-5.el9_1.src.rpm

aarch64:
bind-9.16.23-5.el9_1.aarch64.rpm
bind-chroot-9.16.23-5.el9_1.aarch64.rpm
bind-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-debugsource-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-libs-9.16.23-5.el9_1.aarch64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-utils-9.16.23-5.el9_1.aarch64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm

noarch:
bind-dnssec-doc-9.16.23-5.el9_1.noarch.rpm
bind-license-9.16.23-5.el9_1.noarch.rpm
python3-bind-9.16.23-5.el9_1.noarch.rpm

ppc64le:
bind-9.16.23-5.el9_1.ppc64le.rpm
bind-chroot-9.16.23-5.el9_1.ppc64le.rpm
bind-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-debugsource-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm

s390x:
bind-9.16.23-5.el9_1.s390x.rpm
bind-chroot-9.16.23-5.el9_1.s390x.rpm
bind-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-debugsource-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-libs-9.16.23-5.el9_1.s390x.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-utils-9.16.23-5.el9_1.s390x.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm

x86_64:
bind-9.16.23-5.el9_1.x86_64.rpm
bind-chroot-9.16.23-5.el9_1.x86_64.rpm
bind-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-debugsource-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-libs-9.16.23-5.el9_1.x86_64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-utils-9.16.23-5.el9_1.x86_64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
bind-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-debugsource-9.16.23-5.el9_1.aarch64.rpm
bind-devel-9.16.23-5.el9_1.aarch64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.aarch64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.aarch64.rpm

noarch:
bind-doc-9.16.23-5.el9_1.noarch.rpm

ppc64le:
bind-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-debugsource-9.16.23-5.el9_1.ppc64le.rpm
bind-devel-9.16.23-5.el9_1.ppc64le.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.ppc64le.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.ppc64le.rpm

s390x:
bind-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-debugsource-9.16.23-5.el9_1.s390x.rpm
bind-devel-9.16.23-5.el9_1.s390x.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.s390x.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.s390x.rpm

x86_64:
bind-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-debugsource-9.16.23-5.el9_1.i686.rpm
bind-debugsource-9.16.23-5.el9_1.x86_64.rpm
bind-devel-9.16.23-5.el9_1.i686.rpm
bind-devel-9.16.23-5.el9_1.x86_64.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-dnssec-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-libs-9.16.23-5.el9_1.i686.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-libs-debuginfo-9.16.23-5.el9_1.x86_64.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.i686.rpm
bind-utils-debuginfo-9.16.23-5.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-25220
https://access.redhat.com/security/cve/CVE-2022-0396
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhLdzjgjWX9erEAQhVSw/9HlIwMZZuRgTsbY2yARvJ+sRk08hViRo6
++sV0vMtt3ym5eQES1al4uwAFbVH3B+EZLVuox02PnKVvIM35QnzVFxSa24HToTp
l3tl+c9QnDwx3VGceX9og5o/ezSKqT8UeMQF/gamcB5kwGbbeb+Gp7cpSyXsmjB1
h418DMq/BBE1kLx2MAmIAn/r8x8ISsRbk3j96VEtLrQDtbSKCrE7jmQMaGRB4NhK
4pcgEdcVC6mpBIBRSoLqSVvY9cEdbWqB2LBKArSic/GS2RFfXiSTbPP+kHhd8WHF
0pHQpQa2CXqWuoyrk4cmlvyqmp+C1oCuwsjUWm3dIouIpLU3P1PH3Xua+DMcHfNl
z3wW5E8hihVQ7taw/c6jKMlIrPVzdNM7zfdqV4PBoMQ6y6nPDP23wNGIBMIArjO/
n841K1Lzp1vrChLKgtYOK4H/s6Fbtb/+fe6Q5wOVPPEeksfoKzjJjZj/J7J+RymH
Bd6n+f9iMQzOkj9zb6cgrvt2aLcr29XHfcCRH81i/CEPAEFGT86qOXqIZO0+qV/u
qhHDKy3rLqYsOR4BlwhFhovUGCt8rBJ8LOiZlUTxzNG4PNze4F1hG1d0qzYQv0Iw
zfOrgT8NGDmGCt2nwtmy813NDmzVegwrS7w0ayLzpcwcJMVOoO0nKi5kzX1slEyu
rbPwX0ROLTo=
=0klO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q4w8kNZI30y1K9AQiYghAAiHYvOxD9yV6z9zoLSgBBtDZAYQGIUKrO
IOq2lUDJDWmR9IlVbktCChRKQ7T7Keh7UxPGfizyb7mbcZkHEte1sI3nyzEg0Y3L
ZN2y9O1JSPzxnuXp103Ej4QflR7qhLoOgOMumzAaAb5B8+Jp1YGmN0LTW8rYXq3H
F4E/mDdUb4g0i+4FAUXSA2Vi2kKfIik0O2XCfZnjghQFNjH4M9H87TX2KbRCNzkT
8YBRSJ6/dwynOAGHGDbBbzKhrhT74Qlq9E0RuOdkDqaMvDa0VI9BUNgABmwXlIsD
kBh66QZ2oaekNGMHaqguh9t2mipR1S90oXo3Js/2+e0x/1jXAMTgFqiJyl/0jq19
rPxj/Oun8Sa5OV6o3yMstgEy6AkY7aNXcVAH7Ei7nROrHiSFi56mbs7kGivKp0ZP
aUUgAV1AGgySEzYS9sXVh8bGDG4QO8aScLMYIbcYpQRcty/Rj+CLvoGcAIo3N4rt
yFf2GejqYu8upDn1+1Ra6wIuUfkNLBIsYaTEPgflDJ8Ypc3cI0LIFK4vOoxCSgb9
axnH19jl/KU4P5XvvPyMr5cQAXn//ladcp+J87oxwg0XffIe96Ym5ZS0MlBC8unW
egMQlD1lhIIzVrdBzCivl4d5TcssYZc4J+S3FkKWKLMNuKhT2pBKNivfC4YzIiyA
SdvalEeJq2k=
=uaEv
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5895 - [RedHat] httpd: CVSS (Max): 8.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5895
               httpd security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpd
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31813 CVE-2022-30556 CVE-2022-30522
                   CVE-2022-29404 CVE-2022-28615 CVE-2022-28614
                   CVE-2022-26377 CVE-2022-23943 CVE-2022-22721
                   CVE-2022-22719

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8067

Comment: CVSS (Max):  8.1 CVE-2022-23943 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8067-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8067
Issue date:        2022-11-15
CVE Names:         CVE-2022-22719 CVE-2022-22721 CVE-2022-23943
                   CVE-2022-26377 CVE-2022-28614 CVE-2022-28615
                   CVE-2022-29404 CVE-2022-30522 CVE-2022-30556
                   CVE-2022-31813
=====================================================================

1. Summary:

An update for httpd is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

The following packages have been upgraded to a later upstream version: httpd
(2.4.53). (BZ#2079939)

Security Fix(es):

* httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)

* httpd: mod_lua: Use of uninitialized value of in r:parsebody
(CVE-2022-22719)

* httpd: core: Possible buffer overflow with very large or unlimited
LimitXMLRequestBody (CVE-2022-22721)

* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

* httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)

* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)

* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
(CVE-2022-31813)

* httpd: Out-of-bounds read via ap_rwrite() (CVE-2022-28614)

* httpd: Out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)

* httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds
2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody
2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using SetEnv or PassEnv. Needs documentation.
2075406 - httpd.conf uses icon bomb.gif for all files/dirs ending with core
2079939 - httpd rebase to 2.4.53
2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling
2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()
2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()
2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets
2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
2095838 - mod_mime_magic: invalid type 0 in mconvert()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
httpd-2.4.53-7.el9.src.rpm

aarch64:
httpd-2.4.53-7.el9.aarch64.rpm
httpd-core-2.4.53-7.el9.aarch64.rpm
httpd-core-debuginfo-2.4.53-7.el9.aarch64.rpm
httpd-debuginfo-2.4.53-7.el9.aarch64.rpm
httpd-debugsource-2.4.53-7.el9.aarch64.rpm
httpd-devel-2.4.53-7.el9.aarch64.rpm
httpd-tools-2.4.53-7.el9.aarch64.rpm
httpd-tools-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_ldap-2.4.53-7.el9.aarch64.rpm
mod_ldap-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_lua-2.4.53-7.el9.aarch64.rpm
mod_lua-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_proxy_html-2.4.53-7.el9.aarch64.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_session-2.4.53-7.el9.aarch64.rpm
mod_session-debuginfo-2.4.53-7.el9.aarch64.rpm
mod_ssl-2.4.53-7.el9.aarch64.rpm
mod_ssl-debuginfo-2.4.53-7.el9.aarch64.rpm

noarch:
httpd-filesystem-2.4.53-7.el9.noarch.rpm
httpd-manual-2.4.53-7.el9.noarch.rpm

ppc64le:
httpd-2.4.53-7.el9.ppc64le.rpm
httpd-core-2.4.53-7.el9.ppc64le.rpm
httpd-core-debuginfo-2.4.53-7.el9.ppc64le.rpm
httpd-debuginfo-2.4.53-7.el9.ppc64le.rpm
httpd-debugsource-2.4.53-7.el9.ppc64le.rpm
httpd-devel-2.4.53-7.el9.ppc64le.rpm
httpd-tools-2.4.53-7.el9.ppc64le.rpm
httpd-tools-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_ldap-2.4.53-7.el9.ppc64le.rpm
mod_ldap-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_lua-2.4.53-7.el9.ppc64le.rpm
mod_lua-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_proxy_html-2.4.53-7.el9.ppc64le.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_session-2.4.53-7.el9.ppc64le.rpm
mod_session-debuginfo-2.4.53-7.el9.ppc64le.rpm
mod_ssl-2.4.53-7.el9.ppc64le.rpm
mod_ssl-debuginfo-2.4.53-7.el9.ppc64le.rpm

s390x:
httpd-2.4.53-7.el9.s390x.rpm
httpd-core-2.4.53-7.el9.s390x.rpm
httpd-core-debuginfo-2.4.53-7.el9.s390x.rpm
httpd-debuginfo-2.4.53-7.el9.s390x.rpm
httpd-debugsource-2.4.53-7.el9.s390x.rpm
httpd-devel-2.4.53-7.el9.s390x.rpm
httpd-tools-2.4.53-7.el9.s390x.rpm
httpd-tools-debuginfo-2.4.53-7.el9.s390x.rpm
mod_ldap-2.4.53-7.el9.s390x.rpm
mod_ldap-debuginfo-2.4.53-7.el9.s390x.rpm
mod_lua-2.4.53-7.el9.s390x.rpm
mod_lua-debuginfo-2.4.53-7.el9.s390x.rpm
mod_proxy_html-2.4.53-7.el9.s390x.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.s390x.rpm
mod_session-2.4.53-7.el9.s390x.rpm
mod_session-debuginfo-2.4.53-7.el9.s390x.rpm
mod_ssl-2.4.53-7.el9.s390x.rpm
mod_ssl-debuginfo-2.4.53-7.el9.s390x.rpm

x86_64:
httpd-2.4.53-7.el9.x86_64.rpm
httpd-core-2.4.53-7.el9.x86_64.rpm
httpd-core-debuginfo-2.4.53-7.el9.x86_64.rpm
httpd-debuginfo-2.4.53-7.el9.x86_64.rpm
httpd-debugsource-2.4.53-7.el9.x86_64.rpm
httpd-devel-2.4.53-7.el9.x86_64.rpm
httpd-tools-2.4.53-7.el9.x86_64.rpm
httpd-tools-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_ldap-2.4.53-7.el9.x86_64.rpm
mod_ldap-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_lua-2.4.53-7.el9.x86_64.rpm
mod_lua-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_proxy_html-2.4.53-7.el9.x86_64.rpm
mod_proxy_html-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_session-2.4.53-7.el9.x86_64.rpm
mod_session-debuginfo-2.4.53-7.el9.x86_64.rpm
mod_ssl-2.4.53-7.el9.x86_64.rpm
mod_ssl-debuginfo-2.4.53-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-22719
https://access.redhat.com/security/cve/CVE-2022-22721
https://access.redhat.com/security/cve/CVE-2022-23943
https://access.redhat.com/security/cve/CVE-2022-26377
https://access.redhat.com/security/cve/CVE-2022-28614
https://access.redhat.com/security/cve/CVE-2022-28615
https://access.redhat.com/security/cve/CVE-2022-29404
https://access.redhat.com/security/cve/CVE-2022-30522
https://access.redhat.com/security/cve/CVE-2022-30556
https://access.redhat.com/security/cve/CVE-2022-31813
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMbtzjgjWX9erEAQi+FhAAo5TZLQhEKcVKirhu9FgTXKvVgAVNerft
atmEk68++cjisOUIJI8bzD9lQ+DmRF9pjlSG0kVB64UkRAIEvT/MLq1kN4I0qTIm
LrjjA+qV6NYVuZCd178OXR/Qn1W8/iUfjC/W6UMGp8306n1aggcOY/kzrSlX2ZWU
ftQDrAPbUGqAWFwTK8eAlW9VlVOzD+6AHb00ew2yFkjFjCic0EPAz0kwoGMm4oGi
PrPhzIUra8vvgTuYJN1p2Ypkt6sFFOVBqJwL116tGv63F0PqRzUfiKgqvfH16HuT
VUcFgYV+05osb6bpQclNW4dLwCzpNcGCEwkEmZgYNGyetI2O8+6HFn+MdJna+uYO
mykzjAXz1tyzx8RnEexR/4E4aLWQKcr1YM27CE5NVAGgqxaf+6SCiCV5NvT/3vFk
KjKwQPUrb8SWHbWf6mxC6xInx9Iy6c6Ag4K1pk09fr7XjyZ9/GeFbbe08nirZm8a
xSs4jQIhfRzW7wsKqEjd6eNW+QeD1qKFuGiLMSN6+2km7AUTTcTIfVd7orMY/v4Q
WD++Xe+my6LHthH2+qYGWyc+oEp3DChQbka71X07iqVCqkKzQj9sE2GdbcTeAj6/
pInRoDF8ZuZv3TPFn+BQ12C3WZ0HzlXF/MDs6fG+iZkIPrgukj1EfauoY11JoJNd
wTPRPoUAq9w=
=hHrA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q4lMkNZI30y1K9AQhZmA/9HLr6tiqjCdBfJCpJvgs6AItEq0kkXEqS
f+C0LYLTCCQTgfIgFnY9v5WYcZ0Hs+PNpG4Kt049RrMngdVpWNBKlyUnAHDeT7Hm
DP0QrYqxo9pvn7M/y9+EZuCTw7nSW7KchSAJDxlOl3jKiN35TwqUAZ6UjXi6Pb+N
LPPIAkInGgMQgNYaozJUHzQ/wYXn6/bIrgCEnN2O2rb9uM3d1P07RyNy16UTSVNn
X4rqhzf0TlhgGUVyBUEmAdEBxE28RoDib2xFwxhHR9A+df4U7fIyVCAMQmU2fMbW
62Jm/DwCsx1MnyXBMsUHRHlUSaRlPv0i1RUykgiew7KNuQWHo7dSo15NpcXI+q64
3UsqRSpJ2OMJFtyKhKkHmv9AT8EfwQlOtHeId4g33cWjzUSoNNvIvR45T5k1AeNP
eovFmood0qCIvzjqb5JTRxhIjmH0QseYI95XoTqY6znXFH5ThywhJklWZ1kHW9wj
XfjoVFzbvNkUZDrBSnmM3bxPP97Yc5rUqfrcee+Up2dSXkSY6r2JxGFnfh/w+yLJ
BMC0kF31jhLjG8KhvWlTqIiEkz+9J+Br0gKyf90YviAR1RM0w/yi03Z5po/zrS6v
WyqLIsmdAmiqpDHQC4s6m/QTqIYVfjsMRtnLyjug8k7otd60Xp0BuCnpSXDTiBuz
YkPqhAfDXwk=
=Izij
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5894 - [RedHat] unbound security: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.5894 unbound security, bug fix, and enhancement update 16 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: unbound security Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-30699 CVE-2022-30698 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:8062 Comment: CVSS (Max): 6.5 CVE-2022-30699 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: unbound security, bug fix, and enhancement update Advisory ID: RHSA-2022:8062-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:8062 Issue date: 2022-11-15 CVE Names: CVE-2022-30698 CVE-2022-30699 ===================================================================== 1. Summary: An update for unbound is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. 
The following packages have been upgraded to a later upstream version: unbound (1.16.2). (BZ#2087120) Security Fix(es): * unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30698) * unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30699) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1981415 - unbound: don't use deprecated functions in OpenSSL 3.0 2056116 - unbound-devel is not available on Centos 9 Stream 2071543 - Unbound fails resolution of any SHA-1 signed domain [rhel-9.1.0] 2071943 - failing devel man pages for rhel 9 2079548 - [unbound: FIPS mode] does not resolve ED25519 and ED448 2087120 - [rebase] Rebase to 1.16.0 2094336 - unbound-keygen needs to be stoped 2116725 - CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names 2116729 - CVE-2022-30699 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names 2116802 - unbound-keygen requires openssl [rhel9] 6. Package List: Red Hat Enterprise Linux AppStream (v. 
9): Source: unbound-1.16.2-2.el9.src.rpm aarch64: python3-unbound-1.16.2-2.el9.aarch64.rpm python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm unbound-1.16.2-2.el9.aarch64.rpm unbound-debuginfo-1.16.2-2.el9.aarch64.rpm unbound-debugsource-1.16.2-2.el9.aarch64.rpm unbound-libs-1.16.2-2.el9.aarch64.rpm unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm ppc64le: python3-unbound-1.16.2-2.el9.ppc64le.rpm python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm unbound-1.16.2-2.el9.ppc64le.rpm unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm unbound-debugsource-1.16.2-2.el9.ppc64le.rpm unbound-libs-1.16.2-2.el9.ppc64le.rpm unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm s390x: python3-unbound-1.16.2-2.el9.s390x.rpm python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm unbound-1.16.2-2.el9.s390x.rpm unbound-debuginfo-1.16.2-2.el9.s390x.rpm unbound-debugsource-1.16.2-2.el9.s390x.rpm unbound-libs-1.16.2-2.el9.s390x.rpm unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm x86_64: python3-unbound-1.16.2-2.el9.x86_64.rpm python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm unbound-1.16.2-2.el9.x86_64.rpm unbound-debuginfo-1.16.2-2.el9.i686.rpm unbound-debuginfo-1.16.2-2.el9.x86_64.rpm unbound-debugsource-1.16.2-2.el9.i686.rpm unbound-debugsource-1.16.2-2.el9.x86_64.rpm unbound-libs-1.16.2-2.el9.i686.rpm unbound-libs-1.16.2-2.el9.x86_64.rpm unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm Red Hat CodeReady Linux Builder (v. 
9): aarch64: python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm unbound-debuginfo-1.16.2-2.el9.aarch64.rpm unbound-debugsource-1.16.2-2.el9.aarch64.rpm unbound-devel-1.16.2-2.el9.aarch64.rpm unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm ppc64le: python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm unbound-debugsource-1.16.2-2.el9.ppc64le.rpm unbound-devel-1.16.2-2.el9.ppc64le.rpm unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm s390x: python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm unbound-debuginfo-1.16.2-2.el9.s390x.rpm unbound-debugsource-1.16.2-2.el9.s390x.rpm unbound-devel-1.16.2-2.el9.s390x.rpm unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm x86_64: python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm unbound-debuginfo-1.16.2-2.el9.i686.rpm unbound-debuginfo-1.16.2-2.el9.x86_64.rpm unbound-debugsource-1.16.2-2.el9.i686.rpm unbound-debugsource-1.16.2-2.el9.x86_64.rpm unbound-devel-1.16.2-2.el9.i686.rpm unbound-devel-1.16.2-2.el9.x86_64.rpm unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-30698 https://access.redhat.com/security/cve/CVE-2022-30699 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. 
- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3PhMdzjgjWX9erEAQi2qg/+JsLmnjmeg2U0b5tZnC5duXL1O4iNyIwm V8y6hDiGaY2Iubih0SO29gLZYG3sN+dJdsspe8Vv9OqJso2Gm5J2gjgKZXxe6qZW GUKcMRpwG+jM5RSBv9uogsW63tD0YQfIZbFRBJy0BE9TMRFtgHveseKG+OlLKFOP 2h/SbYILATEZA1Lw/c9KIDBOLB7wNny+Qrg46U1cU9ZH1oN9pOUGjBxH6VfkUA6S SItza5DGOnKGbAOVFS79Y+MSCCGjXgIyY38y8mr8PkOh00d7eZ+13JwKnDaPfnxH vVdo30jh9Tfs/LX0c+nn3IKyv3h9y2DtMEpxKnI927YRu4WPM9erSrxOX80KrJ+L ENkVeb3YdkT+OqV3wvK9JblW8iDwlGSb0jC9LaWUx5An5hUqMKRoXydkKWTnC3Cp 4fofXWhWnqKQfRwHdx1rVhRuR/x2iG8VY7TvvRNocNb4YW4ilq+dIX0Q++iltna7 9V1vScJm3mINkqyU4uL2AJJhoDdcPpElvwcxTiRkg7FCn7BO9gj9mxHzO3xZu3RN FShTo5J2XIf8a1gtMMHV8C8F7BsAgV7oTMSGlqSLgmx0BKiis/FtO5I2C6Unn/Ac Sal3wXzA64ZPyHHDOeRsz0FFkhAMDB6SZzbCuvkaNLaga6z7NTvNaifkXvlnbib3 QoahqRtuado= =Wd6S - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. 
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q4dckNZI30y1K9AQguRQ//eJd0vfzhO8bC0g2uGxBfhb0VqeWCyG8i
coMSHyfKHwu6CivKqOMcJhnZjm0mvRCZxWkpAPk+Lml53yb9ggvg+fdizAaLxmf3
KpAQghLApnMDBdxIkvUPnuDl6OANC4RTZIZPpRbA4W6MOnw6dolTXfsyLHznWpGA
Gy8qS+ZrMRrPkxvFe4Cq3uGiCv2fUtmiMlQkLHHRLLQ4/s8olwZPYwGxgP/q/Wn5
JTCkTwTccaMNSWhiHa0hZ7R6AZsRy1toYYFR4Y6pWNj037e7bFKYiAynvFeMpay/
tdpFHaV9tHadjcTard/e2SFGvwXE/erLR8pJxbSYrCCY9OI/6iwjK6p8EPljpzjH
QpAHAJCEempfL5JxbF458RAcw6nPRq2do8CtWUvthKHlsiDnO6HdZZLMKDa4Xnzu
mksEh0Feli1IOGzPrBSE7U81q8pLNrp3ArDCRTsPlqJb3z0CHU9L3iNaz4O799T9
Se7xqTtBO3cnfjfVLrwgdBxrGEKVQ9LAzZKBEsKMZnoDRYgSqOBxXFT+bBeiCY1J
Djijnvl24DrIJ1sI8JzNFAKxfPo9wYy2wHSzkz6XzGm3gmrcjn2H6r9vm7H+o1S5
xRyANEBQhWQjxQUBdfjMGSLow6B4a0YRJ9hMVk7Ocmx/UcyAX9+S1w4/q8vh0Ouz
GVyInSz3aSY=
=zwQ4
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5893 - [RedHat] grafana: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5893
          grafana security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32148 CVE-2022-31107 CVE-2022-30635 CVE-2022-30633
                   CVE-2022-30632 CVE-2022-30631 CVE-2022-30630 CVE-2022-28131
                   CVE-2022-21713 CVE-2022-21703 CVE-2022-21702 CVE-2022-21698
                   CVE-2022-21673 CVE-2022-1962 CVE-2022-1705 CVE-2021-23648

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8057

Comment: CVSS (Max):  7.5 CVE-2022-30635 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: grafana security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8057-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8057
Issue date:        2022-11-15
CVE Names:         CVE-2021-23648 CVE-2022-1705 CVE-2022-1962
                   CVE-2022-21673 CVE-2022-21698 CVE-2022-21702
                   CVE-2022-21703 CVE-2022-21713 CVE-2022-28131
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version:
grafana (7.5.15). (BZ#2055349)

Security Fix(es):

* sanitize-url: XSS due to improper sanitization in sanitizeUrl function
(CVE-2021-23648)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* grafana: Forward OAuth Identity Token can allow users to access some data
sources (CVE-2022-21673)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* grafana: XSS vulnerability in data source handling (CVE-2022-21702)

* grafana: CSRF vulnerability can lead to privilege escalation
(CVE-2022-21703)

* grafana: IDOR vulnerability can lead to information disclosure
(CVE-2022-21713)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2050648 - CVE-2022-21702 grafana: XSS vulnerability in data source handling
2050742 - CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
2050743 - CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
2055349 - Rebase of Grafana in RHEL 9.1
2065290 - CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function
2104367 - CVE-2022-31107 grafana: OAuth account takeover
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
grafana-7.5.15-3.el9.src.rpm

aarch64:
grafana-7.5.15-3.el9.aarch64.rpm
grafana-debuginfo-7.5.15-3.el9.aarch64.rpm

ppc64le:
grafana-7.5.15-3.el9.ppc64le.rpm
grafana-debuginfo-7.5.15-3.el9.ppc64le.rpm

s390x:
grafana-7.5.15-3.el9.s390x.rpm
grafana-debuginfo-7.5.15-3.el9.s390x.rpm

x86_64:
grafana-7.5.15-3.el9.x86_64.rpm
grafana-debuginfo-7.5.15-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMc9zjgjWX9erEAQi0HA/8Cyww+6XfCKlKLVfnpNcj1p0tXUTvcjnS
OnnlUiQjXS44wBO73RbGWZL0FSZf3kjIEmzm20Tq6NZJ1K3Krw709BLd6ijx/uDi
QoROhHbujrLa52FUEl5pQspiE8gtLRX/DfxtV8dQcCsDD5ocUarOoT661wFoxipy
SsV9AZLw971eoGgYEeB7iD9pgnUZqATMqf75bLxMgBd8RgHT7VkheOckS+ThJrTy
UhVXyORoLaMvbFdvcLn/U3B+ocRiEvEICQ3yFW7GkvElMEawQr1f7TSHSqAiGB3G
IYiAV13YsatkPes+VQFiHBxKLkXuCPUJn1V0zovrfQI96gEGWsm4k9p6DogweNyK
jQ67cjLzkBKYQoLI77NhV19dsvMjct4bQWMiVSVkdWRNECAXFyxIdndR/DalEydm
GDXzyk8CLWRXm5l/149RhOfbIoVPqe9b/lzMZGF/TGvi/Fl+m3hPXSB0STgiCXSD
0bNAscp6a+GEf+m4J+rf/fjePuSjYU4noUiWzL7mkZs9v/W7JGz67+h8SPRIVnH6
65rurVnpCVgie5ObFV2WKCmkCL1q1yBTwSVIfaRL60c+Za8eRZzjA9+t+3A2mbBs
l3oUVRAea2zLk3qXmaLbT/vAA49MClAd4IQw8OOAy1Zs2B8Yg/CyclKvgXnGcMCM
cIsuNoeU9+M=
=CKDa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q2/ckNZI30y1K9AQhOChAAn+gEZc8zX2Bbkj11x8rwsDnUQavcTd/x
pn4rITTa5pdyqZPtykbl2UqEASrwQ7NxHnF2+0YMr340NIJnT6IPQAoV0xGRJlYD
pGixsXHRlzAYoR/Zl+jcgxGW+EMFs3oYjjtjsbDmIslVp//fEXD6RoZJGQqzKEz3
8Ni3hpjUJiJIHpEluwD8cFmoZmW/llI1qcKr7t1Yss27XejMvUuXw0dJA7ZcfFGf
SJnizvFo8fJ95hcr82pyvEUCpORo4sBfSjlZ5QZ4rOShtlW/aWko/6fHE08jXNbX
FhNIb4as8feZ1xvawTRdeD373E5h0B1GAb3+ttIp1cH7Nv8A2WMbUiZl7JxL7CTX
ZO96VLQcLfZqQewb4vbJSLkH5RNSmMagYkcBJfTFlkRcxB/p63Xoc52EEH9OP1XS
BwnzcVPUfv0+QGrv/74POLG6bTQKrE9AJcxQWIHAv5pfuMkdSFyN7P9ENljvRMg/
C5vziVlRmXt9UpUfUfb8IPMpinMJo8U2XRyFxXV1w6JkArtZ/UeyGCdTlmchLNjP
526VCC+JHom1NWzydmU/8sF6znGCSLm6cLkfJLwcBLHPEYIwJPB04gbSLnqXKYeM
a3B+orgnXSkSmXo8JEIJIiScQFEFIBg27oeGNcmlQl54TxCbPGF9qnuDNDIvPied
2tT+gpL0X+U=
=bz+D
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5892 - [RedHat] webkit2gtk3: CVSS (Max): 8.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5892
                webkit2gtk3 security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk3
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30293 CVE-2022-26719 CVE-2022-26717 CVE-2022-26716
                   CVE-2022-26710 CVE-2022-26709 CVE-2022-26700 CVE-2022-22662
                   CVE-2022-22629 CVE-2022-22628 CVE-2022-22624

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8054

Comment: CVSS (Max):  8.8 CVE-2022-26719 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security and bug fix update
Advisory ID:       RHSA-2022:8054-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8054
Issue date:        2022-11-15
CVE Names:         CVE-2022-22624 CVE-2022-22628 CVE-2022-22629
                   CVE-2022-22662 CVE-2022-26700 CVE-2022-26709
                   CVE-2022-26710 CVE-2022-26716 CVE-2022-26717
                   CVE-2022-26719 CVE-2022-30293
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.

Security Fix(es):

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-22624)

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-22628)

* webkitgtk: Buffer overflow leading to arbitrary code execution
(CVE-2022-22629)

* webkitgtk: Cookie management issue leading to sensitive user information
disclosure (CVE-2022-22662)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26700)

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26709)

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26710)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26716)

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2022-26717)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2022-26719)

* webkitgtk: Heap buffer overflow in
WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code
execution (CVE-2022-30293)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061996 - Upgrade WebKitGTK for RHEL 9.1
2073893 - CVE-2022-22624 webkitgtk: Use-after-free leading to arbitrary code execution
2073896 - CVE-2022-22628 webkitgtk: Use-after-free leading to arbitrary code execution
2073899 - CVE-2022-22629 webkitgtk: Buffer overflow leading to arbitrary code execution
2082548 - CVE-2022-30293 webkitgtk: Heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code execution
2092732 - CVE-2022-26700 webkitgtk: Memory corruption issue leading to arbitrary code execution
2092733 - CVE-2022-26709 webkitgtk: Use-after-free leading to arbitrary code execution
2092734 - CVE-2022-26716 webkitgtk: Memory corruption issue leading to arbitrary code execution
2092735 - CVE-2022-26717 webkitgtk: Use-after-free leading to arbitrary code execution
2092736 - CVE-2022-26719 webkitgtk: Memory corruption issue leading to arbitrary code execution
2104787 - CVE-2022-22662 webkitgtk: Cookie management issue leading to sensitive user information disclosure
2104789 - CVE-2022-26710 webkitgtk: Use-after-free leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
webkit2gtk3-2.36.7-1.el9.src.rpm

aarch64:
webkit2gtk3-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-devel-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.aarch64.rpm

ppc64le:
webkit2gtk3-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-devel-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.ppc64le.rpm

s390x:
webkit2gtk3-2.36.7-1.el9.s390x.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.s390x.rpm
webkit2gtk3-devel-2.36.7-1.el9.s390x.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.s390x.rpm

x86_64:
webkit2gtk3-2.36.7-1.el9.i686.rpm
webkit2gtk3-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.i686.rpm
webkit2gtk3-debugsource-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-devel-2.36.7-1.el9.i686.rpm
webkit2gtk3-devel-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhNNzjgjWX9erEAQjsxA//e3e3o5MsuGWIcDr3QU3zPT+1zQymzdZX
X0oSq7JCHRFVefNXaiVxl0WEaxVTQcenhr/A7SaX4Ma6Hy/B64yzRShe60OO3IFm
xsuLDaist0ol9Tyay1lPwhI6HqwCvZd7u+7P8iMKZyGynM56hVlOKW9YDal+a4u8
Nsxp2svs6Yq3rif40CSuuYdpAQ54Tiduz4mjGaD8eGStOUKeQ2SldrbwUFZJn5wR
zI6f0B3eY6gWb64xkhX5G4OzC7KzI/gnFJls15mece5L8NiNpz6znRKEjo0mlMzN
nAkTk4/E2bPUJwrB6FNJvOZhpOnr86fxezIzRIstzXRovkPQbubpC6AVCkrTNXnM
cdh0tYzts6TJ4Pdlbti7pq2hoKkTfagdMGfftZwowvlhpl+7xaK+LwnivK885atz
jw/2QztgTQfrgw0/B/ZoqzoRhm9ExcViYgPtIYiAWGd4d7HLgBROGtjWS7rMKrSV
mCjE/AKfgtJsnMyBRpqCcpz5qWQdGEvpaU+ZieeL9ygOdh1qg66ZRlEO7yuQDCTE
mC4Snqzi5mRu6K/b66nlzlA1/jWs+/vOgfiXs+V43S1mN16B+cRbXLJhPCXJAxnY
g1QwMmc4xjIKauClchw/kokItJvJLYdqlsae7nI95qTD+WBtEmvh8k19JtUi7jG6
dICPDYbUcGQ=
=qQaN
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q20MkNZI30y1K9AQjsfg//WIemic4EEsjlIqHQvbq9OAgLY3pzbc9s
OLwOUtdEE/KzpOUlxc/tspFNQB1U8pWzv8AiD7iyB9/9jIKjZacjPOYfcUlmQrC5
H3tYcFn3VQ6MjeDDChWBrpOyWVDb4RtIuy/nroSzVJUZaHI+fh4q9ygFFlLa9yV5
qVXexgwHjF3ryZTYLuctQrrF0VFGrerMEEH2huBvW0+9zPuatxk478TN8LRH6YuA
QMuxxAn6a6rVlq5wiYSEBoAEh6ZRpj4hK+h9NtT0Lpqz+RnpE3+UVWI6ssEGA5PM
tnFbqEqlCgEf0Oba4+5FYf25Akn6p54BDEKIL65FGnvkRge+Y7Axw1lHwR0egMNz
hngEnROgiMYbKOI3pRzTSpN9r1v+N5uHpiYfAqbI13ULgZP33UcLquI/4YnRS26L
MKIH7G03leLOJqQmXDKsE0IuiN69HTqzpbdutqnY2RLN+kby1QV95AqP4yo6ESce
dhX3nFo6Vpt0j/0Is4bTdJqdTX2rTuUj30aRrPDCW8UjM307r5NQpKQptpiaTAUN
mN69EE+N5UtNl2eVQIbKf2INWCy4JfMXWByusBH+Gmiavlji0gopMd39imKSnzia
m3N7XobCVXD6VaV2pXf7qxAxf2VNqPO+etlC6MF+SsdJU775D5xCZaYBbV2ocZJz
D4TpOgNa3sA=
=C565
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5891 - [RedHat] qt5: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5891
                    qt5 security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qt5
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25255

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8022

Comment: CVSS (Max):  7.8 CVE-2022-25255 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: qt5 security and bug fix update
Advisory ID:       RHSA-2022:8022-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8022
Issue date:        2022-11-15
CVE Names:         CVE-2022-25255
=====================================================================

1. Summary:

An update for qt5 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - noarch

3. Description:

The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform
application framework.

Security Fix(es):

* qt: QProcess could execute a binary from the current working directory
when not found in the PATH (CVE-2022-25255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2055505 - CVE-2022-25255 qt: QProcess could execute a binary from the current working directory when not found in the PATH
2061352 - Rebase qt5 to 5.15.3

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
qt5-5.15.3-1.el9.src.rpm

noarch:
qt5-5.15.3-1.el9.noarch.rpm
qt5-rpm-macros-5.15.3-1.el9.noarch.rpm
qt5-srpm-macros-5.15.3-1.el9.noarch.rpm

Red Hat CodeReady Linux Builder (v. 9):

noarch:
qt5-devel-5.15.3-1.el9.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25255
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhN9zjgjWX9erEAQhP0hAAnZQLHunFeJwBFniQZgiqZNfNjd45c1t9
fDokaCxq5cVZPA0pwvz3fBM9AMJDSdLbWLVdq/dMsgNkngVxmgxH3EiTx7ftgcft
QMWoE4HkSvvWLPUhWWKyeNLNpQOmoxMTrDZndlliuwY7LLb3o8Kg1hIzJwhuGePa
IxP3qWaX0k7PoTWsefsPOec4QceF6v+mGO2XXNGImsVeiM6s7C/HsPFYrgHBhuxb
JnIxIrfGY4L6+gzkc1UNqXymJtI1m3+zk+4VlJ6sO1sAxrOnxsZnpwrNyfOQw1su
pjpyZCB+N1elA1Foe4EaVICI5SI0lFie3qkusNRk/Seroni5PABYLA0nc1DmBo42
7/1RWDmqwQICn5oy0TIa49CDwl9+t01XVBcZAqsQ67RTbtkoo+LCqrVdaqIWocso
Kb1JUgWj5Z2nmbadZUlVY42rQtD7+kQp70WXO15wnAkVrLYkwRsLhxdFGxiCSgaK
imGBcrFefTULKEhagqQrIcU3ayektQXe9mzo0YLQifbLwkxCW/5IuDdxn+6nKtKC
ZcrSEnXgFFvjyvPBTGN8oq2bKTyfM8lZlFyNRDKgmVz0VwBoJ9YArEksh6Bi024B
F7iiLnsMNDDvKTanP5D19XO6YDBRnhfZxYiB7m3yqpBsoVgu0g0TKbQfpbHfmjvs
pPgfZltANlI=
=OLJm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q2fckNZI30y1K9AQhf2Q/6AxZ9abpNW+c0lVuQ+tBZ7ybuvSKU/mVu
wvQ2jmLPUwzH8+GK05hSB2g/AkdAsJQ2hcBwuBYvJrz0Tr2yLWhpwlMdeXmZOmYq
W+POhgVh0FUBCcd/w8vCF2eiBYZHwfp3MorHMj4bR7GFVNtODaHPG1UeXNmCAjMg
+ATP1pv+Wb6lDCb5+wcQ6IG3f0O4lYh7huYLkEySPKjFwkj2ejsn8+RtBUxWbgRL
sxvqtfodaoibz8ql8a9DNMa57lXjrJgYIiKmpZUPoGOvJusi7FYopjDkXpMGuc/m
4RxNzIHM0uUHlzx/RgW8xwveIorw4R+yTykDPu+r/5aGCSbCj5tYI+GJhAFg6D0a
lGKEMk/PGdSH+TDZ3Yq6XPKCXMr+9TvAEwUj1WXB2gP6RYkNRNlJE2pRJHCaS62w
TVljU++3HLbSLYrfKH3IjpnadnQGEukOTfEo6RBUZihw1W8Y2vwX4uZT9Z1lOiML
so7f4tSZ+yNV7w6LB4i9CfiMTaabzYd0KOc0LKcd6WQzA9E5A9AdCOCJOtJkbenC
bk8Upk/Ycbpu+VdtnZj9NT1k6HHSfObnyny66hvTd0gVlvcviIQiOjgIDKcpVLXB
38p03tkCGdOUZ9F/kTJFZUnr5n7g+pQfszYSqO12lM6K7hKkyqMCAgQHoM9KH17U
1Dt2HjY4q5w=
=IGgD
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5890 - [RedHat] fribidi: CVSS (Max): 7.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5890
                          fribidi security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           fribidi
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25310 CVE-2022-25309 CVE-2022-25308

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8011

Comment: CVSS (Max):  7.0 CVE-2022-25308 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: fribidi security update
Advisory ID:       RHSA-2022:8011-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8011
Issue date:        2022-11-15
CVE Names:         CVE-2022-25308 CVE-2022-25309 CVE-2022-25310
=====================================================================

1. Summary:

An update for fribidi is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

FriBidi is a library to handle bidirectional scripts (for example Hebrew,
Arabic), so that the display is done in the proper way, while the text data
itself is always written in logical order.

Security Fix(es):

* fribidi: Stack based buffer overflow (CVE-2022-25308)

* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode (CVE-2022-25309)

* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2047890 - CVE-2022-25308 fribidi: Stack based buffer overflow
2047896 - CVE-2022-25309 fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode
2047923 - CVE-2022-25310 fribidi: SEGV in fribidi_remove_bidi_marks

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
fribidi-1.0.10-6.el9.2.src.rpm

aarch64:
fribidi-1.0.10-6.el9.2.aarch64.rpm
fribidi-debuginfo-1.0.10-6.el9.2.aarch64.rpm
fribidi-debugsource-1.0.10-6.el9.2.aarch64.rpm
fribidi-devel-1.0.10-6.el9.2.aarch64.rpm

ppc64le:
fribidi-1.0.10-6.el9.2.ppc64le.rpm
fribidi-debuginfo-1.0.10-6.el9.2.ppc64le.rpm
fribidi-debugsource-1.0.10-6.el9.2.ppc64le.rpm
fribidi-devel-1.0.10-6.el9.2.ppc64le.rpm

s390x:
fribidi-1.0.10-6.el9.2.s390x.rpm
fribidi-debuginfo-1.0.10-6.el9.2.s390x.rpm
fribidi-debugsource-1.0.10-6.el9.2.s390x.rpm
fribidi-devel-1.0.10-6.el9.2.s390x.rpm

x86_64:
fribidi-1.0.10-6.el9.2.i686.rpm
fribidi-1.0.10-6.el9.2.x86_64.rpm
fribidi-debuginfo-1.0.10-6.el9.2.i686.rpm
fribidi-debuginfo-1.0.10-6.el9.2.x86_64.rpm
fribidi-debugsource-1.0.10-6.el9.2.i686.rpm
fribidi-debugsource-1.0.10-6.el9.2.x86_64.rpm
fribidi-devel-1.0.10-6.el9.2.i686.rpm
fribidi-devel-1.0.10-6.el9.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5889 - [RedHat] buildah: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5889
                    buildah security and bug fix update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           buildah
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27191 CVE-2022-2990 CVE-2022-2989 CVE-2021-33198
                   CVE-2021-33197 CVE-2021-33195 CVE-2021-20291

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8008

Comment: CVSS (Max):  7.5 CVE-2022-27191 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: buildah security and bug fix update
Advisory ID:       RHSA-2022:8008-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8008
Issue date:        2022-11-15
CVE Names:         CVE-2021-20291 CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
                   CVE-2022-2989 CVE-2022-2990 CVE-2022-27191
=====================================================================

1. Summary:

An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The buildah package provides a tool for facilitating building OCI container
images. Among other things, buildah enables you to:

* Create a working container, either from scratch or using an image as a
  starting point;
* Create an image, either from a working container or using the instructions
  in a Dockerfile;
* Build both Docker and OCI images.

Security Fix(es):

* containers/storage: DoS via malicious image (CVE-2021-20291)

* golang: net: lookup functions may return invalid host names (CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if first
  one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if
  passed inputs with very large exponents (CVE-2021-33198)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

* podman: possible information disclosure and modification (CVE-2022-2989)

* buildah: possible information disclosure and modification (CVE-2022-2990)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1939485 - CVE-2021-20291 containers/storage: DoS via malicious image
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2081835 - networking is broken when building containers due to missing container networking package dependencies
2121445 - CVE-2022-2989 podman: possible information disclosure and modification
2121453 - CVE-2022-2990 buildah: possible information disclosure and modification

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
buildah-1.27.0-2.el9.src.rpm

aarch64:
buildah-1.27.0-2.el9.aarch64.rpm
buildah-debuginfo-1.27.0-2.el9.aarch64.rpm
buildah-debugsource-1.27.0-2.el9.aarch64.rpm
buildah-tests-1.27.0-2.el9.aarch64.rpm
buildah-tests-debuginfo-1.27.0-2.el9.aarch64.rpm

ppc64le:
buildah-1.27.0-2.el9.ppc64le.rpm
buildah-debuginfo-1.27.0-2.el9.ppc64le.rpm
buildah-debugsource-1.27.0-2.el9.ppc64le.rpm
buildah-tests-1.27.0-2.el9.ppc64le.rpm
buildah-tests-debuginfo-1.27.0-2.el9.ppc64le.rpm

s390x:
buildah-1.27.0-2.el9.s390x.rpm
buildah-debuginfo-1.27.0-2.el9.s390x.rpm
buildah-debugsource-1.27.0-2.el9.s390x.rpm
buildah-tests-1.27.0-2.el9.s390x.rpm
buildah-tests-debuginfo-1.27.0-2.el9.s390x.rpm

x86_64:
buildah-1.27.0-2.el9.x86_64.rpm
buildah-debuginfo-1.27.0-2.el9.x86_64.rpm
buildah-debugsource-1.27.0-2.el9.x86_64.rpm
buildah-tests-1.27.0-2.el9.x86_64.rpm
buildah-tests-debuginfo-1.27.0-2.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-20291
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2022-2989
https://access.redhat.com/security/cve/CVE-2022-2990
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5888 - [RedHat] libvirt: CVSS (Max): 5.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5888
           libvirt security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libvirt
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0897

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:8003

Comment: CVSS (Max):  5.0 CVE-2022-0897 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: libvirt security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8003-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8003
Issue date:        2022-11-15
CVE Names:         CVE-2022-0897
=====================================================================

1. Summary:

An update for libvirt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvirt library contains a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems. In addition,
libvirt provides tools for remote management of virtualized systems.

The following packages have been upgraded to a later upstream version: libvirt
(8.5.0). (BZ#2060313)

Security Fix(es):

* libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial
  of service (CVE-2022-0897)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, libvirtd will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1475431 - migration/postcopy: Handle network failures (libvirt)
1653327 - libvirt: Implement virtio-iommu support for aarch64
1745868 - Remove the support for 'virtio-input-host-pci-{non-}transitional model
1866400 - RFE: provide API which allows to take memory snapshot in sync with storage when storage is outsourced (e.g. using vhost-user-blk)
1901394 - --tls-destination doesn't take effect for disk migration
1910856 - Disk pool changed to be inactive after restarting libvirtd
1999372 - Error unclear when starting guest with wrong virtiofsd path
2026765 - Can't define a TFTP server without a DHCP server in network configuration
2035163 - Starting guest with spice audio backend should fail when SPICE graphics is disabled in QEMU
2036300 - video heads can be configured for 'bochs_display' even max_outputs is not supported
2037146 - Better to report error when setting acpi index='0' in device
2038045 - Documentation about using virt-admin to manage other daemons should be added
2040548 - 'unassigned' address type changed after hotplug
2040555 - Pinning iothread to not allowed cpuset fails but vm xml got updated unexpectedly
2041665 - guestinfo returns wrong value when domain's filesystems are frozen
2045953 - 'virsh nodedev-list --cap storage' doesn't list host nvme storage
2045959 - Not update Documentation for systemd config file
2046024 - virsh domsetlaunchsecstate not report an error message when the input parameter is not enough
2051451 - qemu driver must not use hardcoded "/machine/unattached/device[0]" QOM path when probing cpu flags
2057067 - `virsh blockjob --abort' logs error when cancelling a copy job started with '--reuse-external --shallow', where the target image has a backing file
2057768 - [RFE]Support copy/paste in the VNC console in libvirt
2060313 - Rebase libvirt for RHEL 9.1
2060776 - missing 'nvram-template' when start ovmf guest [rhel-9.1.0]
2063883 - CVE-2022-0897 libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
2064115 - Start encrypted tpm guest failed
2065381 - Libvirt multiqueue support for vDPA [rhel-9.1.0]
2065399 - virtnwfilterd modular daemon occasionally hangs on concurrent access [rhel-9.1.0]
2070380 - Start a guest with numatune restrictive mode has different behavior with virsh numatune cmd.
2073867 - Missing the doc of dirtyrate.calc_mode and dirtyrate.vcpu..megabytes_per_second
2073887 - Segmentation fault when listening specified event types
2075383 - The vlan tag setting does not work in the xml
2075464 - There is error log when restart virtqemud during vm is running
2075765 - [cgroup] Libvirt cannot operate vm control groups after restarting virtqemud
2075837 - virtnwfilterd crashed when start->reload->restart virtnwfilterd with running guest having filter setting
2078274 - Blockcopy failed with catchXMLError
2081981 - input element with non-virtio bus should fail to accept the model attribute
2082540 - Update device to update the rss setting report success but no changes in xml
2089431 - [RFE] RFE to allow enabling ZEROCOPY live migration through libvirt
2092833 - [RFE] Support vDPA live migration in libvirt
2092856 - Hotplug interface fail with null file descriptor
2095260 - Revert the patch to ignore KVM_CAP_MAX_VCPUS in libvirt
2102009 - Attach interface fail will cause unexpected behavior
2103119 - [RFE] Expose supported TPM version in domCapabilities (via 'swtpm')
2103524 - Run virsh dumpxml cmd with extra options should return error
2105231 - [MT2910] XML error: Invalid value for attribute 'speed' in element 'link': '(null)'.
2107424 - "mem lock limit" of qemu process is not restored when kill src virtqemud during zerocopy migration.
2107892 - Migrate parameters are not restored if kill virtproxyd/virtqemud during migration
2111070 - --postcopy-bandwidth is not hornored when recovering postcopy migration
2112348 - pass the OPENSSL_CONF env var through to the "ssh" binary
2121141 - [libvirt] Kernel does not provide mount namespace
2121441 - NVME disk hot-plug fails due to the denial from selinux

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
libvirt-8.5.0-7.el9_1.src.rpm

aarch64:
libvirt-8.5.0-7.el9_1.aarch64.rpm
libvirt-client-8.5.0-7.el9_1.aarch64.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.aarch64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debugsource-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.aarch64.rpm

ppc64le:
libvirt-8.5.0-7.el9_1.ppc64le.rpm
libvirt-client-8.5.0-7.el9_1.ppc64le.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-debugsource-8.5.0-7.el9_1.ppc64le.rpm
libvirt-libs-8.5.0-7.el9_1.ppc64le.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-nss-8.5.0-7.el9_1.ppc64le.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.ppc64le.rpm

s390x:
libvirt-8.5.0-7.el9_1.s390x.rpm
libvirt-client-8.5.0-7.el9_1.s390x.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.s390x.rpm
libvirt-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-debugsource-8.5.0-7.el9_1.s390x.rpm
libvirt-libs-8.5.0-7.el9_1.s390x.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.s390x.rpm

x86_64:
libvirt-8.5.0-7.el9_1.x86_64.rpm
libvirt-client-8.5.0-7.el9_1.x86_64.rpm
libvirt-client-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-config-network-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-config-nwfilter-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-kvm-8.5.0-7.el9_1.x86_64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debugsource-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
libvirt-client-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-debugsource-8.5.0-7.el9_1.aarch64.rpm
libvirt-devel-8.5.0-7.el9_1.aarch64.rpm
libvirt-docs-8.5.0-7.el9_1.aarch64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-8.5.0-7.el9_1.aarch64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.aarch64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.aarch64.rpm

ppc64le:
libvirt-client-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.ppc64le.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-debugsource-8.5.0-7.el9_1.ppc64le.rpm libvirt-devel-8.5.0-7.el9_1.ppc64le.rpm libvirt-docs-8.5.0-7.el9_1.ppc64le.rpm libvirt-libs-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-nss-debuginfo-8.5.0-7.el9_1.ppc64le.rpm libvirt-wireshark-debuginfo-8.5.0-7.el9_1.ppc64le.rpm s390x: libvirt-client-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-debugsource-8.5.0-7.el9_1.s390x.rpm libvirt-devel-8.5.0-7.el9_1.s390x.rpm libvirt-docs-8.5.0-7.el9_1.s390x.rpm libvirt-libs-debuginfo-8.5.0-7.el9_1.s390x.rpm libvirt-lock-sanlock-8.5.0-7.el9_1.s390x.rpm 
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.s390x.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.s390x.rpm

x86_64:
libvirt-client-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-interface-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-network-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nodedev-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-nwfilter-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-qemu-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-secret-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-core-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-disk-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-iscsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-logical-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-mpath-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-rbd-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-daemon-driver-storage-scsi-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-debugsource-8.5.0-7.el9_1.x86_64.rpm
libvirt-devel-8.5.0-7.el9_1.x86_64.rpm
libvirt-docs-8.5.0-7.el9_1.x86_64.rpm
libvirt-libs-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-8.5.0-7.el9_1.x86_64.rpm
libvirt-lock-sanlock-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-nss-debuginfo-8.5.0-7.el9_1.x86_64.rpm
libvirt-wireshark-debuginfo-8.5.0-7.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0897
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3Pgp9zjgjWX9erEAQj06Q//ZqJOFncLtpJxKDYhIaCHd17RYE/VPAt3
4iTTJwC+z6DBCvxSrH6ixEn1FnEQOBHTYRWCgUlmWKSKhMcaJKSBoggBOuD6OpC3
3dTxxfl5pi1pBDhS5u3PccLYgf23MKpF+B36Sp9KxJg2y6TyOYhwtwkknMVEXorX
WDlrUVYEKJMTCPBMS3BA+H3O36uRQw+wGbl2qxSLWmX/v8ConjClAPVqaMFOBo9E
9Tfhe5HHVy7KuJY7iBNi7pSnP1Hmw4paKSCwWL4i8lmELbWTfbzxRZ+HIx+urZzS
4cj33agJmm8tNyeIW4U91oosCN37+aK4zTnfBSWftZHhg0PSbB+G0o2lMmEAPxCJ
O/lJMvEgeDAZnH51RhA4GQXfleATYMXay2NmSIl1jVTHRkvoYHK+IhTXQONmIhyo
dztTtRLNfzQ8iTjEYVJhBNqbwMioqpjaM2vUm0aMtxxSV6S5zZcE60XBwOoyCDdL
AtS7EMcT0dWyEfTS6yhq854DMTAVE9ym1ZFPwH3QSZK0nDaJuvX8w9r/78WldVyI
SgmbjplLRjCpNBveB87N0hMlt/rs17BpVBquKS443wyzNUjwtR36wO25pONVKTvv
VPdxkZoFNFQ+0bCfC+xSH4cwXS177u9V5ut602X2VdohcmnTsMjAzogF6M2j/O+z
Wfe/R2UQlfo=
=xBto
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q0tckNZI30y1K9AQgmKhAAnlPPNEOrbacX/IZ0QaLNIoR4MW7TwNy1
szEEn3l7ow6PLfzKHXkHKVIZ8RZicjkluMENZl2sKq63APQ5EoD5l+eVRTFVUFRo
D4p7TWS0c+x4cc/Dy27TdYVl3GgFIQZFW5YCVHHayZPCnS5Y0Z9l0j1mJMecCwPd
6zxbMlmXIrjhTi0VJIfXwYxS9q8w+HzCLDtQlo+1tHBlRdR5MrlfrnTnwrUnLqh5
PcGmEdyH3dk0ErHJv3KkdAwp7a+fIkh2/a8XdAO3fB6sMw1KqsfEUVlkKapej2nF
uhNYTqzEZ+bjuZzkPxyFzU47nOMUJxHLdUu+rgqF0XSOANDZ0MO29RtYeavAzvxN
qlGYHT1kHKqU9qNBCIA7esOYoic+tbnb4vf8mfnyKoN0e/4pfU9eG75lHh96nFyy
kosYeAdPN8VOVUcdypFbUz5ELY0/0LkU0wE8jS9w7+aZ3Kn5GTBL0RWvNHwu9oF8
Aabv6W2rX7VIzo1wFxurOW8yDcmyaijozyVr4/F97dqdl2IubS2uXCDprJ9OVx0t
KweTv9zs/kWRMMQoQGlzdB+SGsVj2HG/Y6A2R3VSnXWKqlqyQy4IVXWeA6eKCu4A
TUlakvQ1PnbOnj/9NlDlohQTfNABIrQWOQAXVvXNg+U4UubLKw8YfBkNGA60vKpa
FKmwqcWDtWk=
=rAJ3
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5887 - [RedHat] speex: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5887
                            speex security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           speex
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-23903
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7979

Comment: CVSS (Max):  5.5 CVE-2020-23903 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: speex security update
Advisory ID:       RHSA-2022:7979-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7979
Issue date:        2022-11-15
CVE Names:         CVE-2020-23903
=====================================================================

1. Summary:

An update for speex is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Speex is a patent-free compression format designed especially for speech.
It is specialized for voice communications at low bit-rates.

Security Fix(es):

* speex: divide by zero in read_samples() via crafted WAV file
(CVE-2020-23903)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2024250 - CVE-2020-23903 speex: divide by zero in read_samples() via crafted WAV file

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
speex-1.2.0-11.el9.src.rpm

aarch64:
speex-1.2.0-11.el9.aarch64.rpm
speex-debuginfo-1.2.0-11.el9.aarch64.rpm
speex-debugsource-1.2.0-11.el9.aarch64.rpm
speex-tools-debuginfo-1.2.0-11.el9.aarch64.rpm

ppc64le:
speex-1.2.0-11.el9.ppc64le.rpm
speex-debuginfo-1.2.0-11.el9.ppc64le.rpm
speex-debugsource-1.2.0-11.el9.ppc64le.rpm
speex-tools-debuginfo-1.2.0-11.el9.ppc64le.rpm

s390x:
speex-1.2.0-11.el9.s390x.rpm
speex-debuginfo-1.2.0-11.el9.s390x.rpm
speex-debugsource-1.2.0-11.el9.s390x.rpm
speex-tools-debuginfo-1.2.0-11.el9.s390x.rpm

x86_64:
speex-1.2.0-11.el9.i686.rpm
speex-1.2.0-11.el9.x86_64.rpm
speex-debuginfo-1.2.0-11.el9.i686.rpm
speex-debuginfo-1.2.0-11.el9.x86_64.rpm
speex-debugsource-1.2.0-11.el9.i686.rpm
speex-debugsource-1.2.0-11.el9.x86_64.rpm
speex-tools-debuginfo-1.2.0-11.el9.i686.rpm
speex-tools-debuginfo-1.2.0-11.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
speex-debuginfo-1.2.0-11.el9.aarch64.rpm
speex-debugsource-1.2.0-11.el9.aarch64.rpm
speex-devel-1.2.0-11.el9.aarch64.rpm
speex-tools-debuginfo-1.2.0-11.el9.aarch64.rpm

ppc64le:
speex-debuginfo-1.2.0-11.el9.ppc64le.rpm
speex-debugsource-1.2.0-11.el9.ppc64le.rpm
speex-devel-1.2.0-11.el9.ppc64le.rpm
speex-tools-debuginfo-1.2.0-11.el9.ppc64le.rpm

s390x:
speex-debuginfo-1.2.0-11.el9.s390x.rpm
speex-debugsource-1.2.0-11.el9.s390x.rpm
speex-devel-1.2.0-11.el9.s390x.rpm
speex-tools-debuginfo-1.2.0-11.el9.s390x.rpm

x86_64:
speex-debuginfo-1.2.0-11.el9.i686.rpm
speex-debuginfo-1.2.0-11.el9.x86_64.rpm
speex-debugsource-1.2.0-11.el9.i686.rpm
speex-debugsource-1.2.0-11.el9.x86_64.rpm
speex-devel-1.2.0-11.el9.i686.rpm
speex-devel-1.2.0-11.el9.x86_64.rpm
speex-tools-debuginfo-1.2.0-11.el9.i686.rpm
speex-tools-debuginfo-1.2.0-11.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-23903
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMedzjgjWX9erEAQgS4RAAi26Dt98tqjcq7pMiIWB2VwDQlgkFrgug
Ux1A9jpIypUQKBuxEbfruJlPJJvNjhDnhiMhJL3cLsI17pNdw+Q9lvgYDEtHvjw5
WtupnQIPEWArzpRMtk6FlIBZarncGjPNBcsXtOz8yeu9fqeQ6MmfiyFpq7OFr8H4
EzTnEXmkVyhUYj/DTUAD1eKk5TqKsvh7vOp3tt1lgQQOvGFNkx9rVGtry65MO6pb
TRAdDn4FTfoPWZAcVFH2CxsU9Ob0oHziTB1wqACUPJVRaMfJMBUEj1/T8nzLSAbX
drkp3Zyk503Fx7vazP8Rllc4xHZlnpKsR6Pr/Thi5Vc6wfBePGRIopMRzEgOxP2C
vpvCCQ70wW0nAh04xp4syDvTUW35DSApYB/yjw8xeNsyN+2tMqPRK//k8KSkFa9/
X+g/Ey8Z06U5KQ1yWBNgKMoRmXA5zfXtLS9lS9ArXtAeripa/gLhl4cHcUxnU1W5
IxlfhIqSnHSHIFumm77W9vmRmYojlvtQGvZPO2wGmoiID16xB+LwUWNiqOJLqi5z
M3GX6nt9trzpnJqyGLTfW0vr7xpY8fDL2GZaAsngkQRTOFsdonF0wmjUZPEFo7Se
wIVKQjhljfdceibYUk7jdSFnDulX+VQOyBgWgp+EaJuwdt0NzW7LcXfFxCI/1eRp
whTtb7CD4wM=
=7XMZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q0m8kNZI30y1K9AQgoMA/7ByD7MjOcdX73qVukfLdC+NQL1YNevBI6
Y/+h2wo2UC1YKkE0E57cn9Cx9gM/8/ZXVVwfhwvLlTv40Ax/vJkMUyouAPPEx0Ck
0PGRAGrZdnJaknupCT+FS/V+4JXfEQ5qNnGEiwYK1KahaTXUD3xgNIpwa4QHwf7J
lMXac9j/oenmpY694OyvsVQq6YBUWV6Y5eIBYxXQr/zfUuJjjbnDxmY22nuDY8l3
bNRMcKNAgpQul/YgSpvj0tYABvLJCk4Slc2z2Xf7V6tx6z1mydXjw620w4PabYmL
jaz/qgJEeNMEkz/p/DqD/ax7huB1UBr146IkmzNugy6Ps9cKunxutIN8D5XfQvv3
Hn6HezS4upAuwQdnK+EuSViSGurjX9PLuCAcxwnpLE/4GKjvPeyKZTzMZLNavU9l
P5Ku+VF2DZzi+Vv6Hemt9mZaNay+pMEGDppq9MO5zAYRG6j9M4Emh5PVOjSLa3YR
niSC+M0RjZhKJJGb/RSBNv8RxXdtl8ugKYe7KQ4IO5wXFXbYxvYLbrHlqCsusadi
OS9xBerabmLP+2JqOlgtjQHoWH2sIQVIQ25KR0cF9RpMJ1P9t/6Pd89LODktXZ+Q
wVvG32Us5ay3JGy6adGXTKmuYs/XV910RC/ZZ/1yDflgzZChPZHxJ0iLAI95o2+x
Qx5NrhrU6y8=
=LdE+
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5886 - [RedHat] gimp: CVSS (Max): 6.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5886
                   gimp security and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gimp
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32990 CVE-2022-30067
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7978

Comment: CVSS (Max):  6.2 CVE-2022-30067 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: gimp security and enhancement update
Advisory ID:       RHSA-2022:7978-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7978
Issue date:        2022-11-15
CVE Names:         CVE-2022-30067 CVE-2022-32990
=====================================================================

1. Summary:

An update for gimp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The GIMP (GNU Image Manipulation Program) is an image composition and
editing program. GIMP provides a large image manipulation toolbox,
including channel operations and layers, effects, sub-pixel imaging and
anti-aliasing, and conversions, all with multi-level undo.

Security Fix(es):

* gimp: buffer overflow through a crafted XCF file (CVE-2022-30067)

* gimp: unhandled exception via a crafted XCF file may lead to DoS
(CVE-2022-32990)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087591 - CVE-2022-30067 gimp: buffer overflow through a crafted XCF file
2103202 - CVE-2022-32990 gimp: unhandled exception via a crafted XCF file may lead to DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
gimp-2.99.8-3.el9.src.rpm

aarch64:
gimp-2.99.8-3.el9.aarch64.rpm
gimp-debuginfo-2.99.8-3.el9.aarch64.rpm
gimp-debugsource-2.99.8-3.el9.aarch64.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.aarch64.rpm
gimp-libs-2.99.8-3.el9.aarch64.rpm
gimp-libs-debuginfo-2.99.8-3.el9.aarch64.rpm

ppc64le:
gimp-2.99.8-3.el9.ppc64le.rpm
gimp-debuginfo-2.99.8-3.el9.ppc64le.rpm
gimp-debugsource-2.99.8-3.el9.ppc64le.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.ppc64le.rpm
gimp-libs-2.99.8-3.el9.ppc64le.rpm
gimp-libs-debuginfo-2.99.8-3.el9.ppc64le.rpm

s390x:
gimp-2.99.8-3.el9.s390x.rpm
gimp-debuginfo-2.99.8-3.el9.s390x.rpm
gimp-debugsource-2.99.8-3.el9.s390x.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.s390x.rpm
gimp-libs-2.99.8-3.el9.s390x.rpm
gimp-libs-debuginfo-2.99.8-3.el9.s390x.rpm

x86_64:
gimp-2.99.8-3.el9.x86_64.rpm
gimp-debuginfo-2.99.8-3.el9.i686.rpm
gimp-debuginfo-2.99.8-3.el9.x86_64.rpm
gimp-debugsource-2.99.8-3.el9.i686.rpm
gimp-debugsource-2.99.8-3.el9.x86_64.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.i686.rpm
gimp-devel-tools-debuginfo-2.99.8-3.el9.x86_64.rpm
gimp-libs-2.99.8-3.el9.i686.rpm
gimp-libs-2.99.8-3.el9.x86_64.rpm
gimp-libs-debuginfo-2.99.8-3.el9.i686.rpm
gimp-libs-debuginfo-2.99.8-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30067
https://access.redhat.com/security/cve/CVE-2022-32990
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMfNzjgjWX9erEAQj5TA//bPsUi7sLSgUYBRJ4F1TTjT0sBrKPN5ZG
FAYwxZEsez6Bxco5qckXUvJcPD8rcl6BYrA46M1dHlN9hK0jfdKxHsMg7ZSNB8BF
A862I5hRMFXb8sBy8szLTvzHvRE5hmedH3QElCQN2EqNinVeHYSApJYLeamIkuYx
8wf70QHGrlGJb38ddRg2hKADDJCV10k4NUepgb+UNVPDPwQCmyk2gaPD4BBplPok
tmP908mU50IKwgwnjnw1Li7fxtrJmmZE7teogW7oAkqeFjNNtf3DUXUeqMtK0I8a
pZlpYG2FlepWtn2SGHiAfkkwWNtQlv2suwRGBsaroyGc2zI+BLwr3/kyjTRBrYEa
+rayYOQ7BiqGMvycIPW114adiEuYeLGa2z4u4W+lpJIDq1x3oZte2CgbxquYxjGR
huIhgJg1ZjkJMTtOf0yhCgkgDAs9C9Uv6/GqPnokMn90bH/45REvnlAAmNU/iRfX
TTbHugkSsdYskOMEAwtCRxMZ1JAf0FXTXJUfHcoQKsGAcde71Rf5+gukxHUm/5yU
K5vuh4RGVQi81ewHiNRiPdL3EDS85hy11/s86UPFa87mFdDEdK73p3pB1IyO6a0X
Wi9rvXUd/MdPTiS/HB+3T1bHMUxA4EJxYIIjF5qE3BPJoofgjfErHHugXa8jZnNq
EqA1kj/GHYo=
=X7Ae
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q0fskNZI30y1K9AQh5GxAAsgaEVSVODhnyuvV1z2X1uSvYgVUov473
t17x7JynDxBqhChIw5LUEUm5P/6Y/lk/nX0nCALqpzLhbdhF6uZls9Xrc7llT6tN
0xH7ObEkdh0k1WqhOk1wC1zhZ1qQePW7rtc1DKcarzFSoXUXS8jfx6R0l6x655S9
QXpp69J1CpT156seJlqdZe8BS+3BLsvdYmEklCi47IH8kVfnmn37FxaFQ/OVzXp6
Ki/fQOhlqgxj+tDLxBMQA7sHVswuHUL5tRza0AEOE+oY4bkwwB7ytDB5KFBnd+gu
qykBslN+V2za2g5reTf66fjYBQgrhlLcXsfchq4AsKDUuTesp2yBE6Dx9TIrjtKd
jO9RWOSq/MSEh8rslevl7AI98CdNc/5xAQb9natplJ5B6snhro5bJgCZAtke+jxE
q13xVQdUhQWb4GATzXBveM+MXbXYWiLOefg5GJwHTTQ/f7DC1bLjMbT06XmUlWgi
IniE60ov62sg24QpnnmFdcrV46NPQDooMmIIGf0xlYuzm8Z6neDJYlrcj3VOYHg+
xHmrh9hjdSHeW68TCG7dtnfrR8teqy4ZeO+SVeOpTSDSN45//MZXjlMdTqKvkIG8
0FYS5+mbEYetp9BkEZ78/SWSF7938PLwQbWKWVD5sUCjUBwFJ4i9VoYJWMBOfV/x
H2ZSfG3b+QE=
=jzVi
-----END PGP SIGNATURE-----
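Each advisory on this page lists the fixed build per architecture (speex-1.2.0-11.el9, gimp-2.99.8-3.el9, protobuf-3.14.0-13.el9, libvirt 8.5.0-7.el9_1) and then points at a generic "how to apply this update" article. What none of them shows is how to decide whether a given host is still below the fix, which is the question an operator actually has. The Python below is an added example, not AusCERT or Red Hat tooling: it parses package names in the advisory's name-version-release.arch form, re-implements librpm's rpmvercmp() segment ordering (numeric beats alphabetic, longer wins, `~` sorts before and `^` after the end of a string) so that epoch/version/release compare the way rpm itself would, and reports installed packages older than the advisory build for the same name and architecture. The advisory entries are copied from the package lists on this page; the "installed" list is constructed sample data standing in for `rpm -qa` output and does not describe any real host or package history.

```python
"""Flag installed RPMs that are older than an advisory's fixed builds.

Added example for this bulletin page; not Red Hat's or AusCERT's code.
Version ordering follows librpm's rpmvercmp(); NEVRA parsing matches the
name-version-release.arch form used both in advisories and by `rpm -qa`.
"""
import re
from typing import List, NamedTuple, Tuple

# rpmvercmp splits on every non-alphanumeric separator and keeps '~' and '^'
# as their own tokens because they carry ordering meaning.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way librpm does.
    Returns -1 if a is older, 0 if equal, 1 if a is newer."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        # '^' sorts after end of string but before any real segment:
        # 1.0 < 1.0^post1 < 1.0.1
        if ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i += 1
            continue
        if ta is None or tb is None:
            if ta is None and tb is None:
                return 0
            return -1 if ta is None else 1  # the string with more segments is newer
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1  # numeric segment beats alphabetic
        if ta.isdigit():
            na, nb = int(ta), int(tb)  # numeric compare, so 10 > 9
            if na != nb:
                return 1 if na > nb else -1
        elif ta != tb:
            return 1 if ta > tb else -1  # alphabetic segments compare as strcmp
        i += 1


class Nevra(NamedTuple):
    name: str
    epoch: int
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> Tuple[int, str, str]:
        return (self.epoch, self.version, self.release)

    def __str__(self) -> str:
        return f"{self.name}-{self.version}-{self.release}.{self.arch}"


def parse_nevra(pkg: str) -> Nevra:
    """Parse 'name-[epoch:]version-release.arch[.rpm]'. Parsing runs from
    the right because package names themselves contain dashes."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, dot, arch = pkg.rpartition(".")
    nv, dash1, release = rest.rpartition("-")
    name, dash2, version = nv.rpartition("-")
    if not (dot and dash1 and dash2 and name and version and release and arch):
        raise ValueError(f"not a NEVRA: {pkg!r}")
    epoch = 0
    if ":" in version:
        e, _, version = version.partition(":")
        epoch = int(e)
    return Nevra(name, epoch, version, release, arch)


def evrcmp(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Epoch first, then version, then release, as rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def outdated(installed: List[str], advisory: List[str]) -> List[Tuple[str, str]]:
    """Return (installed, fixed) pairs for every installed package whose EVR
    is below the advisory build of the same name and architecture."""
    fixed = {(p.name, p.arch): p for p in map(parse_nevra, advisory)}
    hits = []
    for line in installed:
        cur = parse_nevra(line)
        ref = fixed.get((cur.name, cur.arch))
        if ref is not None and evrcmp(cur.evr, ref.evr) < 0:
            hits.append((str(cur), str(ref)))
    return hits


# Fixed builds, copied from the package lists in the bulletins on this page.
ADVISORY_PACKAGES = [
    "speex-1.2.0-11.el9.x86_64.rpm",
    "speex-devel-1.2.0-11.el9.x86_64.rpm",
    "gimp-2.99.8-3.el9.x86_64.rpm",
    "gimp-libs-2.99.8-3.el9.x86_64.rpm",
    "protobuf-3.14.0-13.el9.x86_64.rpm",
    "python3-protobuf-3.14.0-13.el9.noarch.rpm",
    "libvirt-libs-8.5.0-7.el9_1.x86_64.rpm",
]

# Constructed sample standing in for `rpm -qa` output; the older builds
# are illustrative and not a claim about real package history.
INSTALLED_SAMPLE = [
    "speex-1.2.0-10.el9.x86_64",
    "speex-devel-1.2.0-11.el9.x86_64",
    "gimp-2.99.8-3.el9.x86_64",
    "protobuf-3.14.0-13.el9.x86_64",
    "python3-protobuf-3.14.0-12.el9.noarch",
    "libvirt-libs-8.5.0-6.el9_1.x86_64",
    "bash-5.1.8-6.el9.x86_64",
]

if __name__ == "__main__":
    for have, need in outdated(INSTALLED_SAMPLE, ADVISORY_PACKAGES):
        print(f"UPDATE  {have}  ->  {need}")
```

On a real host, feed `rpm -qa` output in place of INSTALLED_SAMPLE; packages with a non-zero epoch print as `name-epoch:version-release.arch` with `rpm -qa --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n'`, which the parser above accepts. A match on name and arch alone is deliberate: a host carrying only `speex-devel` from the CodeReady Linux Builder list is reported against that package, not against the AppStream `speex` binary it does not have.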
16 November 2022

ESB-2022.5885 - [RedHat] protobuf: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5885
                          protobuf security update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           protobuf
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22570
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7970

Comment: CVSS (Max):  7.5 CVE-2021-22570 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: protobuf security update
Advisory ID:       RHSA-2022:7970-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7970
Issue date:        2022-11-15
CVE Names:         CVE-2021-22570
=====================================================================

1. Summary:

An update for protobuf is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The protobuf packages provide Protocol Buffers, Google's data interchange
format. Protocol Buffers can encode structured data in an efficient yet
extensible format, and provide a flexible, efficient, and automated
mechanism for serializing structured data.

Security Fix(es):

* protobuf: Incorrect parsing of nullchar in the proto symbol leads to
Nullptr dereference (CVE-2021-22570)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
protobuf-3.14.0-13.el9.src.rpm

aarch64:
protobuf-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-lite-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm

noarch:
python3-protobuf-3.14.0-13.el9.noarch.rpm

ppc64le:
protobuf-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm

s390x:
protobuf-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-lite-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm

x86_64:
protobuf-3.14.0-13.el9.i686.rpm
protobuf-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-lite-3.14.0-13.el9.i686.rpm
protobuf-lite-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
protobuf-compiler-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-devel-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm

ppc64le:
protobuf-compiler-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-devel-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm

s390x:
protobuf-compiler-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-devel-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-lite-devel-3.14.0-13.el9.s390x.rpm

x86_64:
protobuf-compiler-3.14.0-13.el9.i686.rpm
protobuf-compiler-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-devel-3.14.0-13.el9.i686.rpm
protobuf-devel-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-lite-devel-3.14.0-13.el9.i686.rpm
protobuf-lite-devel-3.14.0-13.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7.
References: https://access.redhat.com/security/cve/CVE-2021-22570 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY3OMf9zjgjWX9erEAQjPrxAAn/Wr7VqkJ14hap/PSkN2C1Ltwp5Jpwms RUgoqJhr0JI19nD6WME9H0sSJNLMAaS/jaMY5iaBEUURv0KTHX+UHdsJDSAMjKtK iqIwky9Db1EJSTAY+oR9DbUkK5A491GsmXL32Su/Bktf+7LCEu7pFoCo1aPIrIGT PUJmj/oxy4OwHN6qATEEHvGV8U2eoACZHjeuHDwF3y+rwzsg7Yk/xci01xq9PVhf vRtMYtJO5J1MFtLLS9Tgq9XqqhZkrJ2Yfbo6QXawZdWLgrB+flbrImZJPfkILe8X FKao9rbZEfJ7EUvIgFevtNsUMBhpb1ZzwmcpjigjqgHWW4HWWFOqgZ4Y7p26TejV 7T42NbJccqFJ0UUQvPAAOeg331CgQfeps/ZUbakXkUzTB3xhfMwFbXmjEkycwCN+ a5y6aQDWabrjANNjP2x78iESf6Ra2/WNWyTETat/KjONKWTmpkBrnJsHSscYnIC+ g3Br7EYXKcRC6Gqrcripv2l2HY9FR/G31uQzG40NipnduzbKzhEeFv3FaVJR6P7c 5T6BcLQLC7gu1LPL/ztgB42KpdtVycCfwQoGcvz2tlih9jlDqH1/RbhayPXrvvR5 KwDlz6Xyov7I1VRWn33oKlSyFsh5WyiLVE1NxcgHA/sV3zQbC+4T+MqUKTYGcG/D iXcioojD/tg= =227y - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. 
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY3Q0ZskNZI30y1K9AQhbaQ//TFu8OPFkGdl5gaRXR9ht+GNCQ5rcgtAR GhMK7dwbgnmpIrMsEpuieltAf3F2Ol63SsO37BuMT+IzWtYReYakPYQvsbwtX260 NNOJ7yAPx3/RWl/tmKi0wSacuwF56lViTBCT5ElQZXAHaUdvv3zli2yklIjClXrI hjsOdlu2eLFhgJUezkr3MW6qUbqrgUnauMUWsuXvMRJ/b8jRtJ3CmsU0BBKOFnCC yzH7y56UiZLayDJCVyaoZ3FggGiZyPx984fQ+Bb+xzgyBhI/lcbdGswZvS8ZFgDM pqdmlrgjkVXK3ZeMz0OD/jCpkwuQUVA6GYHInOdmFKxcE551L5mUWAQcTFO5BWwl UdSBqwnZtVLSQAWo7W1aJZL57EbOg6cuejOrCtEbSJVe5rRWXO6MffdVy/B5TDnU TqSedcFb9MOQKscU/0Bn+2SV/NHRR+l9S9zO1KPJ9iem0zNcjDIKXFglqSdllVyP j/q/wx90YLaYFXvZI26mNFRkSdF7cm+PJM1XHHQPgUX7wgWIipsrr0D0hj1e+Uht wS/yJtb3+CMB4yf6cOoJZK4wFppQLF6tFe/rZEjGJJEOgnXLiQOQvZGDb2otqMfe vasyPQVGz+4StNGajjGrqyjdwU0n4v92X+EAD7HkF5yz5mYAubUClhTkVcC+5/0j 6dRneWr59GU= =Tuqy -----END PGP SIGNATURE-----
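The question a practitioner asks of a bulletin like the one above is whether a given host already carries the fixed build from section 6. The package list is only useful if installed versions are compared the way `rpm` and `dnf` compare them, not as plain strings. The following checker is an added example, not code from AusCERT or Red Hat: it re-implements librpm's `rpmvercmp()` ordering in Python (numeric segments, alphabetic segments, leading-zero stripping, `~` pre-release and `^` post-release markers, epoch handling), parses NEVRA strings, and reports which installed packages are still below the fixed build. The fixed package names are taken from the protobuf package list above; the installed inventory, the function names and the `.rpm`-suffix handling are constructed assumptions for the demonstration. It goes beyond the protobuf case by handling epochs and tilde/caret versions that this particular advisory does not contain.

```python
"""Compare installed RPMs against an advisory's fixed package list.

Added example (not from the AusCERT/Red Hat bulletin). Re-implements
librpm's rpmvercmp() so Epoch:Version-Release strings order the way
`rpm`/`dnf` order them; all inventory data below is constructed.
"""
import re


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b (RPM rules)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything but ASCII alphanumerics, '~' and '^') are skipped.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even end of string: 1.0~rc1 < 1.0
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # '^' is like '~' except end of string sorts first: 1.0 < 1.0^post1 < 1.0.1
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            if ca:
                return 1 if j >= len(b) else -1
            return -1 if i >= len(a) else 1
        if i >= len(a) or j >= len(b):
            break
        # Take one run of digits, or one run of letters, from each side.
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:
            return 1 if isnum else -1  # a numeric segment beats an alphabetic one
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # 1.010 == 1.10
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side still has characters wins


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release.arch[.rpm]' into (name, epoch, ver, rel, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def evrcmp(a, b) -> int:
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def patch_status(advisory_rpms, installed):
    """Map 'name.arch' -> 'patched' / 'vulnerable' for installed packages the advisory covers."""
    fixed = {}
    for f in advisory_rpms:
        n, e, v, r, a = parse_nevra(f)
        fixed[(n, a)] = (e, v, r)
    report = {}
    for s in installed:
        n, e, v, r, a = parse_nevra(s)
        if (n, a) not in fixed:
            continue  # not shipped in this advisory: nothing to say about it
        report[f"{n}.{a}"] = "patched" if evrcmp((e, v, r), fixed[(n, a)]) >= 0 else "vulnerable"
    return report


# Fixed builds as listed under "6. Package List" of RHSA-2022:7970 (x86_64 / noarch).
ADVISORY_RPMS = [
    "protobuf-3.14.0-13.el9.x86_64.rpm",
    "protobuf-lite-3.14.0-13.el9.x86_64.rpm",
    "python3-protobuf-3.14.0-13.el9.noarch.rpm",
]

# Constructed inventory of a hypothetical host (what `rpm -qa` would list).
INSTALLED = [
    "protobuf-3.14.0-12.el9.x86_64",        # one release behind: still vulnerable
    "protobuf-lite-3.14.0-13.el9.x86_64",   # exactly the fixed build
    "python3-protobuf-3.14.0-13.el9.noarch",
    "openssl-3.0.1-43.el9_0.x86_64",         # not covered by this advisory
]

if __name__ == "__main__":
    for pkg, state in patch_status(ADVISORY_RPMS, INSTALLED).items():
        print(f"{pkg:40} {state}")
```

On a real host the inventory would come from `rpm -qa --qf '%{NAME}-%{EVR}.%{ARCH}\n'`, which prints the epoch as `name-1:ver-rel.arch` when one is set, exactly the shape `parse_nevra` expects. Comparing by plain string or by a generic semver library gets the `12.el9` versus `13.el9` case right but mis-orders `~` pre-releases and epoch bumps, which is why the checker carries RPM's own rules.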
16 November 2022

ESB-2022.5884 - [RedHat] virt-v2v: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5884
          virt-v2v security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           virt-v2v
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2211

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7968

Comment: CVSS (Max):  5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: virt-v2v security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7968-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7968
Issue date:        2022-11-15
CVE Names:         CVE-2022-2211
=====================================================================

1. Summary:

An update for virt-v2v is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - noarch, x86_64

3. Description:

The virt-v2v package provides a tool for converting virtual machines to use the KVM (Kernel-based Virtual Machine) hypervisor or Red Hat Enterprise Virtualization. The tool modifies both the virtual machine image and its associated libvirt metadata. Also, virt-v2v can configure a guest to use VirtIO drivers if possible.

Security Fix(es):

* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1684075 - Virt-v2v can't convert a guest from VMware via nbdkit-vddk if original guest disk address is irregular
1774386 - input_vmx: cleanly reject guests with snapshots when using "-it ssh"
1788823 - Virt-v2v firstboot scripts should run in order, with v2v network configuration happening first
1817050 - Can't convert guest from VMware with non-admin account and vddk >=7.0 by virt-v2v
1848862 - There is nbdkit curl error info if convert a guest from VMware without vddk by administrator account
1854275 - document that vmx+ssh "-ip" auth doesn't cover ssh / scp shell commands
1868048 - [RFE]virt-v2v should install qemu-ga on debian guest during the conversion
1883802 - -i vmx: SATA disks are not parsed
1985830 - Start or remove VM failure even v2v has already finished
2003503 - There is virt-v2v warning: fstrim on guest filesystem /dev/mapper/osprober-linux-sdb1 failed if non-os disk of source guest has few/no inodes lef
2028764 - Install the qemu-guest-agent package during the conversion process
2039597 - Failed to import VM when selecting OVA as a source on RHV webadmin
2047660 - Add '--compressed' support in modular v2v
2051564 - [RFE]Limiting the maximum number of disks per guest for v2v conversions
2059287 - RFE: Rebase virt-v2v to 2.0 in RHEL 9.1
2062360 - RFE: Virt-v2v should replace hairy "enable LEGACY crypto" advice which a more targeted mechanism
2064178 - nothing provides openssh-clients >= 8.8p1 needed by virt-v2v-1:2.0.0-1.el9.x86_64
2066773 - The /tmp/v2v.XXXX directory has incorrect permisison if run v2v by root
2069768 - Import of OVA fails if the user/group name contains spaces
2070186 - fix virtio-vsock check (for Linux guests) in virt-v2v
2070530 - Virt-v2v can't convert guest when os is installed on nvme disk via vmx+ssh
2074026 - Remove -o json option
2074801 - do not pass "--non-bootable --read-write" to "volume create " in openstack output module
2074805 - -o qemu mode fails with: qemu-system-x86_64: -balloon: invalid option and other problems
2076013 - RHEL9.1 guest can't boot into OS after v2v conversion
2082603 - virt-v2v -o qemu prints cosmetic warning: "warning: short-form boolean option 'readonly' deprecated"
2094779 - missing python dependency in rhel9.1
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2101665 - "/dev/nvme0n1" is not remapped to "/dev/vda" (etc) in boot config files such as "/boot/grub2/device.map"
2107503 - RHEL 8.6 VM with "qemu64" CPU model can't start because "the CPU is incompatible with host CPU: Host CPU does not provide required features: svm"
2112801 - RHEL9 guest hangs during boot after conversion by virt-p2v
2116811 - virt-v2v: error: internal error: assertion failed at linux_kernels.ml, line 190, char 11

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
virt-v2v-2.0.7-6.el9.src.rpm

noarch:
virt-v2v-bash-completion-2.0.7-6.el9.noarch.rpm

x86_64:
virt-v2v-2.0.7-6.el9.x86_64.rpm
virt-v2v-debuginfo-2.0.7-6.el9.x86_64.rpm
virt-v2v-debugsource-2.0.7-6.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

noarch:
virt-v2v-man-pages-ja-2.0.7-6.el9.noarch.rpm
virt-v2v-man-pages-uk-2.0.7-6.el9.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhQNzjgjWX9erEAQj9AA/+LVRs5e5xUbvrRYoUnsKZPXZ0fWjz3Dsd
D1P1qBp+IVgJIZNZpVgbuIk5c9C6mNzEFMd/1at0Tput1qu5b4VIUFz1KHvFPYIL
xj+p+mAm5qIA5MKFkCcA7Rw8RdPeeXQojUFoKQU2p6nSUfptMwP7vbWjgRoJJlJ/
TTom+MIktIBhZXoNj9ZnOMMev+8kNbSxItWNrog7rGJLEsOrntRlAr9bcKcrmxV0
fYQ+GpoYsZUBFtN1eIt6695v3lyly0W4myFsjFS4sKr0y4RG8oqY2oyEqMw3qcmd
UlciYz/QuKQqsY1ufc5JajhM0VHHXdv2RVxtJYn2cY4QI7aDeBsbl0wKG2Xs1+7v
19LmBNnikGzQHude/wNXdNkhTdJsvQkv+5ARvSmjkmywACuIbuyudJymG9S4Xzji
gZRzSrfcdh2VqUBUVT4pjjKvFAUqa9BIFSm0iwMlDuuHZj9EhvB7ZydaUjOqfZfp
tHZHGOl/sRtuojGVm56bXqp5u1ib+8VMVq8KCZGwD2dsMygeu3XnXOkvx/458FOY
SpJG+z6GsV0jP193IK9B++54LSL6ZQLQ4yAvDUhxvCtm8nhGtsRGD6HXPOYdpdXM
L1snWm51iEHrNavCuNf8Fh6Z1ewmWbZW+4RDWeo2rIn6HmSCj4iMW4twha+sqDDX
uPMe6qqj+P4=
=3mD0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q0UskNZI30y1K9AQib0A/+K0o9GcehawZM2qdNkF7AqsNoStw+YT3K
1vQJ3VxR6pRkm+lfFJnLioA0YUCsRfhyg5YceiYBTyppedpG3HssYh0M47RBW0dK
bW45WPo7nzuLjsIwcW/lov+mV0uwDWXTfC4lrWKAmy4HsRAZtuIWDOIkXnaeLTtY
JLvFhrp3nmUHhBKbSZ0xsV4GWj+DHRvN8LB1T1GhLyEfjjUXluUuD2F9lngXB37h
o+n9IGtRjzHIRfRGt8ss905PVznPEtzt3Fsheg3gmroQKHD6uzOpsgRkICfkax4Z
nrHIAOMCce3juGmSzKqDsN2eN18sm7/BJ3lvtouGvvoPaTN87CgJXVuM/LmXac+1
XOKh0Y8jwufx1/LfVrjnjlc/gH4YJZeh+CoU4P09cKgsX715GAOzgCKg+ZSuSgnB
ZNJK8nTxe2nDTcl0yU2sS5bteisBbFYEj03p+ya2FiIfgBIIac9PKvGKK3gAHmA1
gDvY+7pcgoImJIAWYAYlVxSyIyvQW/WXN7O5d/dylGgPcarxIW3QBvs6jQnlotIh
mLWCmpAVPhxpliWx5WCfDOsdWMpeib5EXruUDVzhy1cuFqiJx463LT5eHCJLiVRf
vkNcKoOA+HRCTT9vbgrDMu8xWvQSGe12mDcM8GgY6FOb2jpODjxO4kUGmo/cHNu3
xZDc/EkRcU0=
=B2gb
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5883 - [RedHat] qemu-kvm: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5883
          qemu-kvm security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu-kvm
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-4158 CVE-2021-3750 CVE-2021-3611 CVE-2021-3507

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7967

Comment: CVSS (Max):  7.5 CVE-2021-3750 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: qemu-kvm security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7967-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7967
Issue date:        2022-11-15
CVE Names:         CVE-2021-3507 CVE-2021-3611 CVE-2021-3750 CVE-2021-4158
=====================================================================

1. Summary:

An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The following packages have been upgraded to a later upstream version: qemu-kvm (7.0.0). (BZ#2064757)

Security Fix(es):

* QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free (CVE-2021-3750)

* QEMU: fdc: heap buffer overflow in DMA read data transfers (CVE-2021-3507)

* QEMU: intel-hda: segmentation fault due to stack overflow (CVE-2021-3611)

* QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c (CVE-2021-4158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1477099 - virtio-iommu (including ACPI, VHOST/VFIO integration, migration support)
1708300 - RFE: qemu-nbd vs NBD_FLAG_CAN_MULTI_CONN
1879437 - Qemu coredump when refreshing block limits on an actively used iothread block device [rhel.9]
1904267 - Q35: Support SMBIOS 3.0 Entry Point Type
1951118 - CVE-2021-3507 QEMU: fdc: heap buffer overflow in DMA read data transfers
1968509 - Use MSG_ZEROCOPY on QEMU Live Migration
1973784 - CVE-2021-3611 QEMU: intel-hda: segmentation fault due to stack overflow
1982600 - qemu-kvm -help reports -spice despite not being compiled
1995710 - RFE: Allow virtio-scsi CD-ROM media change with IOThreads
1999073 - CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
2020993 - 'qemu-img convert' to Qcow2 Images over RBD Failed
2023977 - Duplicate SMBIOS handles when creating large VMs
2026955 - RFE: set default resolution/EDID info to a more sensible modern size like 1280x800 (WXGA)
2035002 - CVE-2021-4158 QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
2037612 - [Win11][tpm][QL41112 PF] vfio_listener_region_add received unaligned region
2041823 - [aarch64][numa] When there are at least 6 Numa nodes serial log shows 'arch topology borken'
2044162 - [RHEL9.1] Enable virtio-mem as tech-preview on ARM64 QEMU
2046029 - [WRB] New machine type property - dtb-kaslr-seed
2060839 - Consider deprecating CPU models like "kvm64" / "qemu64" on RHEL 9
2062809 - Guest can not start with SLIC acpi table [rhel-9.1.0]
2062813 - Mark all RHEL-8 and earlier machine types as deprecated [rhel-9.1.0]
2062817 - Missing qemu-kvm-block-ssh obsolete breaks upgrade path [rhel-9.1.0]
2062819 - Broken upgrade path due to qemu-kvm-hw-usbredir rename [rhel-9.1.0]
2062828 - [virtual network][rhel9][vDPA] qemu crash after hot unplug vdpa device [rhel-9.1.0]
2064500 - Install qemu-kvm-6.2.0-11.el9_0.1 failed as conflict with qemu-kvm-block-ssh-6.2.0-11.el9_0.1
2064530 - Rebuild qemu-kvm with clang-14
2064757 - Rebase to QEMU 7.0.0
2064771 - Update machine type compatibility for QEMU 7.0.0 update [x86_64]
2064782 - Update machine type compatibility for QEMU 7.0.0 update [s390x]
2065398 - watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [cat:2843] [rhel-9.1.0]
2066824 - Aarch64: Drop unsupported CPU types
2070804 - PXE boot crash qemu when using multiqueue vDPA
2072379 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs)
2079347 - Guest boot blocked when scsi disks using same iothread and 100% CPU consumption
2079938 - qemu coredump when boot with multi disks (qemu) failed to set up stack guard page: Cannot allocate memory
2081022 - Build regression on ppc64le with c9s qemu-kvm 7.0.0-1 changes
2086262 - [Win11][tpm]vfio_listener_region_del received unaligned region
2094252 - Compile the virtio-iommu device on x86_64
2094270 - Do not set the hard vCPU limit to the soft vCPU limit in downstream qemu-kvm anymore
2095608 - Please correct the error message when try to start qemu with "-M kernel-irqchip=split"
2096143 - The migration port is not released if use it again for recovering postcopy migration
2099541 - qemu coredump with error Assertion `qemu_mutex_iothread_locked()' failed when repeatly hotplug/unplug disks in pause status
2099934 - Guest reboot on destination host after postcopy migration completed
2100106 - Fix virtio-iommu/vfio bypass
2107466 - zerocopy capability can be enabled when set migrate capabilities with multifd and compress/xbzrle together
2111994 - RHEL9: skey test in kvm_unit_test got failed
2112303 - virtio-blk: Can't boot fresh installation from used 512 cluster_size image under certain conditions
2114060 - vDPA state restore support through control virtqueue in Qemu
2116876 - Fixes for vDPA control virtqueue support in Qemu
2120275 - Wrong max_sectors_kb and Maximum transfer length on the pass-through device [rhel-9.1]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
qemu-kvm-7.0.0-13.el9.src.rpm

aarch64:
qemu-guest-agent-7.0.0-13.el9.aarch64.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-img-7.0.0-13.el9.aarch64.rpm
qemu-img-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-7.0.0-13.el9.aarch64.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.aarch64.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-curl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.aarch64.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-common-7.0.0-13.el9.aarch64.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-core-7.0.0-13.el9.aarch64.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-debugsource-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.aarch64.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-docs-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tools-7.0.0-13.el9.aarch64.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.aarch64.rpm
qemu-pr-helper-7.0.0-13.el9.aarch64.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.aarch64.rpm

ppc64le:
qemu-guest-agent-7.0.0-13.el9.ppc64le.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-img-7.0.0-13.el9.ppc64le.rpm
qemu-img-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.ppc64le.rpm
qemu-kvm-debugsource-7.0.0-13.el9.ppc64le.rpm

s390x:
qemu-guest-agent-7.0.0-13.el9.s390x.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-img-7.0.0-13.el9.s390x.rpm
qemu-img-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-7.0.0-13.el9.s390x.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.s390x.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-curl-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.s390x.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-common-7.0.0-13.el9.s390x.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-core-7.0.0-13.el9.s390x.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-debugsource-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-ccw-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-ccw-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.s390x.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-docs-7.0.0-13.el9.s390x.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-kvm-tools-7.0.0-13.el9.s390x.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.s390x.rpm
qemu-pr-helper-7.0.0-13.el9.s390x.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.s390x.rpm

x86_64:
qemu-guest-agent-7.0.0-13.el9.x86_64.rpm
qemu-guest-agent-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-img-7.0.0-13.el9.x86_64.rpm
qemu-img-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-7.0.0-13.el9.x86_64.rpm
qemu-kvm-audio-pa-7.0.0-13.el9.x86_64.rpm
qemu-kvm-audio-pa-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-curl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-curl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-rbd-7.0.0-13.el9.x86_64.rpm
qemu-kvm-block-rbd-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-common-7.0.0-13.el9.x86_64.rpm
qemu-kvm-common-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-core-7.0.0-13.el9.x86_64.rpm
qemu-kvm-core-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-debugsource-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-gpu-pci-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-gl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-display-virtio-vga-gl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-host-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-host-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-redirect-7.0.0-13.el9.x86_64.rpm
qemu-kvm-device-usb-redirect-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-docs-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tests-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tools-7.0.0-13.el9.x86_64.rpm
qemu-kvm-tools-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-egl-headless-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-egl-headless-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-opengl-7.0.0-13.el9.x86_64.rpm
qemu-kvm-ui-opengl-debuginfo-7.0.0-13.el9.x86_64.rpm
qemu-pr-helper-7.0.0-13.el9.x86_64.rpm
qemu-pr-helper-debuginfo-7.0.0-13.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3507
https://access.redhat.com/security/cve/CVE-2021-3611
https://access.redhat.com/security/cve/CVE-2021-3750
https://access.redhat.com/security/cve/CVE-2021-4158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMhtzjgjWX9erEAQiSNw/+PECa4knr835Ovk54z9SclIiHdzc6yQk6
XOF3+t2hJtomewv83jwJP4mXI3IASX+FlEiZSA3R9iBz6rw/4m3VlwDHQO3Udfdy
6x5drqg1DQXo1WwyNvUuPncW8c9G/b7gEG85WnT2dRFUn+qN3RYgJzxhPgviyOTh
1PBw4RVHTOHOR9y8FMFMfVO5doWtlh1GfiaOVGRfTNMNWe76ldd5AFOa3Fez1MRl
odAzuXVVXpnXx0zgYgxvu2mxCTSs0FkBZ/6Se1YHAx0YOKd311SU+EGDs5Xsl6vf
2TSrzN9JchmiS111fVWyATdMcKqUvwInAZNgm0NpTQZof+yeY7fxSXvlkZzUXrq7
8tCjTx4KR9FIj76gm1j2lL1OC8td083RFtiG9G69QJOgeIM2m1psPmRNwGo+/iS6
bK2W5cX5zuJvUJ0DvREY1L3CThxRYBfzBRwTDEHVNPbvXIrgU2h/yb7bwt1DaG2X
5poyHsbsHjW/oD1Shi4AP5PW3yJw6Mu+RhxOXFZC88bRw6wV6VhMuxuU1/DJ2W10
42kMgZHEQCMFKVK4E5rzog2iWHYToccPC0T4OYwFJA/DqY8E4HoWslraLAifPOxC
wvjd50nu3/DjmF+5NHplVh9z65BQk/cEpnrTdjD0he3W0YynhfC1sD/+aLxChQ/D
B1Vp/1EISs0=
=LjZY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q0MskNZI30y1K9AQgmtw//aT8YJMfEdBMgtheLpOSvZpwithEY6Qno
CAZmm0tQ/6d1jqFd1vQPr1HltmQyZgYZRemRlCLMQ5S5DyfkM+bfCe/rEzVuNufo
SoS9G2TUSAHrCAM+UUuECHDqeganadYcG6atukTb/Qh8sAu+YCc0jnsHc4xcBI8w
2Tiun9Q6imvkvy8Y18Y/yweRjvT8AKXcFU+ff+kpNFqzmDbxdQoUCxDXc6QPbMs7
jFb+0YJxkWXSFNW7y0ebCnPSRtChVmGnTLCJcrpXJSeqSv5Lzlm4T+4Ga0FKG8Xl
LmzEoaP9UNY72kH1arAisTuOt6mvKP5oRJEnHNeZ/BdttODPqcPHxCtbkASGyJ2q
wvHY/rZSiM9farYabJkjlK74fsnlMXUO1J89prsdB8ksTCHV66ES6Es4sYtS+bL7
OsFm1bzohvA/QJfFSCd+ZZLExa089fbppcqDqPMbaU6c95zKfwvy9JA2HIY3ZHBY
1h+GyrYp3phQ8QTfI195ArBI1Rv3L3zAe8Q2fr/gnOsV77FgmhjxI2C7fcK0m565
mWXpwuY3zuIGIHaBSvoQs8Ud/xGbM49R6tu+x7JvNobeuY426sJdIg2ItVmQtfCk
pP3wd5+S2eLvPEuoIX+j6NkakukFQk18laefaUiZSb7Cj9g8vnW4G+Z95DFZiKU/
HneuLX1w8Z4=
=KEfX
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5882 - [RedHat] guestfs-tools: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5882
          guestfs-tools security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           guestfs-tools
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2211

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7959

Comment: CVSS (Max):  5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: guestfs-tools security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7959-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7959
Issue date:        2022-11-15
CVE Names:         CVE-2022-2211
=====================================================================

1. Summary:

An update for guestfs-tools is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, s390x, x86_64

3. Description:

guestfs-tools is a set of tools that can be used to make batch configuration
changes to guests, get disk used/free statistics, perform backups and guest
clones, change registry/UUID/hostname info, build guests from scratch, and
much more.

Security Fix(es):

* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2059286 - RFE: Rebase guestfs-tools to 1.48 in RHEL 9.1
2072493 - [RFE] Request to add lvm system.devices cleanup operation to virt-sysprep
2075718 - Having to use "--selinux-relabel" is not intuitive given Red Hat products default to selinux enabled.
2089748 - Removal of "--selinux-relabel" option breaks existing scripts
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2106286 - virt-sysprep: make an effort to support LUKS on LV

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
guestfs-tools-1.48.2-5.el9.src.rpm

aarch64:
guestfs-tools-1.48.2-5.el9.aarch64.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.aarch64.rpm
guestfs-tools-debugsource-1.48.2-5.el9.aarch64.rpm

noarch:
virt-win-reg-1.48.2-5.el9.noarch.rpm

s390x:
guestfs-tools-1.48.2-5.el9.s390x.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.s390x.rpm
guestfs-tools-debugsource-1.48.2-5.el9.s390x.rpm

x86_64:
guestfs-tools-1.48.2-5.el9.x86_64.rpm
guestfs-tools-debuginfo-1.48.2-5.el9.x86_64.rpm
guestfs-tools-debugsource-1.48.2-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMidzjgjWX9erEAQh1Bg/+K+5p4OKmDWKd99Hn29Ow87+XRfhVNv/F
jOb8SAOy0KnxyJgMPCEAD+JqARNMkAI14bcYYEAnLvOUJgkxEzaJiiwPLjsIgolK
juf7fi8Ikl8VSRtoZIujpOGFqAEYeRxDUPt/p36mw/iLlRPZt9OvDSTl0kEo1FaZ
v8BmbqLPr6wGiLZtQmJ0jO+2E1K2m1dmFcUeCt9crA0ehN3gpOULWorJyYtGnFKr
dWtez1O6uurEl93IWbMM/n8C1vr1NYXqZo0GhfKXiSKiUmtR6a8WbzEr87nkK30E
yoHPvhi1NgSZ8X1ONZ7MDBC+six+54VVqUyK/VMyLZE8/BozKEIOaCk8CBM4adJH
6KBW7y/nn40izHcYUcw44r/6B/09zeN5coYoIBqq+PUwwp5vTU8I17A8pZncxYPM
e22eeTpID97lwT4AMeTXbC2EdMTMTNVsW13ZSONF3fXYMjGgcdoefeP803OUGIzm
uus7znkLd5lR9V5KQnB60JBFVf6tEYqahQEI5E/UCDNJcw0UNTIegJUEXVBqBVqM
wV63DANh2yvRWQsESMvxthWjxMVGkV+2R1P/2py5kD7mIUxlDLWJe3QKtJESTRkl
TyIdgMQ9TIR2jSMz/cZ2gPdZgUOrNu6kvgZqoom3t1DcK+E465r9QA1jh/WoQfwl
WbKw9UbaLms=
=j1SI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3QsLMkNZI30y1K9AQgNsg/9HGjRchyrIUrhFV2w4cSWjsAWU1Rvusnz
JR41r9BKKkg4fKMLf/z6k2W8MXBrsgrIaF66649nJJZZGVRsQYuRyIOcui1CKloe
OdAjFqGQUZvmwF23HHEJvnq2/mfOebuWH8B2xc0XN7LzPpQJJ+qznUT3l46lqh3C
qjUFN/BtRFZTmt7wwBjgNfGMBIcJUdsM2a/w/GsI3mbcWijYmw1Ms0QRhAkv2m+V
JJf/JI3vOLnaMx50j6n6UjlUbkZfKtf85oVXElOle/tLU1Gb5/rYc7KGRRwC5zkl
JzKcxmlj5xV6sM6xn1rEk2ymc8fQsk9ulOWAsomRmzXqHqLxUAPl9ceVAKbtta43
RqVwK+yNQtzRTi4oIZQ43qwq3KhZ5WaJqK9R4+XVcrjnuNAvQIP2p4JE1ptEOQ1+
gQH9AO0DGicak3211j3fb+zlPM6aiEYj1pIyzuogYea1Tdiw/0gXH3/SQAwPaVY+
EaqiVm+NHwnswchFDE4fQNg0iVZFa7pfbIPnYpxSKW0kjqHQ2dQxmbpSqhIt3j3f
XjPIMJGNI1uiiPNNDGH7LqyTpv3J6jONDu3zX1nIaVQ6WA6yMLkpJuRnJoU3bwAu
MdKP7HAjMNOXrhVgqjSQcQXeBn1HJ7t7ouzAJnsp+k7JvYiczXrDbL183ikd+JR3
UwKbgHlQ9YI=
=MKiO
-----END PGP SIGNATURE-----
16 November 2022

ESB-2022.5881 - [RedHat] libguestfs: CVSS (Max): 5.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5881
            libguestfs security, bug fix, and enhancement update
                              16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libguestfs
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-2211

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7958

Comment: CVSS (Max):  5.5 CVE-2022-2211 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: libguestfs security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7958-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7958
Issue date:        2022-11-15
CVE Names:         CVE-2022-2211
=====================================================================

1. Summary:

An update for libguestfs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, noarch, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, s390x, x86_64

3. Description:

The libguestfs packages contain a library used for accessing and modifying
virtual machine disk images.

Security Fix(es):

* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1674392 - No return values from a directory listing when there are simply too many files in that directory (NULL value return)
1794518 - Rewrite libguestfs use of setfiles so that it doesn't stop on ext4 immutable bits
1809453 - [RFE] Add support for LUKS encrypted disks with Clevis & Tang
1844341 - The duplicate block device is listed when iface is set to 'virtio'
1965941 - lvm-set-filter failed in guestfish with the latest lvm2 package
2033247 - document encrypted RBD disk limitation
2059285 - RFE: Rebase libguestfs to 1.48 in RHEL 9.1
2065172 - SHA 1 signatures required to inspect packages in RHEL 6 guests [rhel-9.1.0]
2084568 - Disable 5-level page tables when using -cpu max
2086368 - Add Rocky Linux to list of REDHAT distros for code generation
2097718 - Please build and ship php bindings to libguestfs
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS
2117004 - RFE: Add support for Zstandard compression to guestfs_file_architecture API

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
libguestfs-1.48.4-2.el9.src.rpm

aarch64:
libguestfs-1.48.4-2.el9.aarch64.rpm
libguestfs-appliance-1.48.4-2.el9.aarch64.rpm
libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-debugsource-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-rsync-1.48.4-2.el9.aarch64.rpm
libguestfs-xfs-1.48.4-2.el9.aarch64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm

noarch:
libguestfs-bash-completion-1.48.4-2.el9.noarch.rpm
libguestfs-inspect-icons-1.48.4-2.el9.noarch.rpm

s390x:
libguestfs-1.48.4-2.el9.s390x.rpm
libguestfs-appliance-1.48.4-2.el9.s390x.rpm
libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-debugsource-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-rsync-1.48.4-2.el9.s390x.rpm
libguestfs-xfs-1.48.4-2.el9.s390x.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
python3-libguestfs-1.48.4-2.el9.s390x.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm

x86_64:
libguestfs-1.48.4-2.el9.x86_64.rpm
libguestfs-appliance-1.48.4-2.el9.x86_64.rpm
libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-debugsource-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-rsync-1.48.4-2.el9.x86_64.rpm
libguestfs-xfs-1.48.4-2.el9.x86_64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-debugsource-1.48.4-2.el9.aarch64.rpm
libguestfs-devel-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.aarch64.rpm
libguestfs-gobject-devel-1.48.4-2.el9.aarch64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.aarch64.rpm
lua-guestfs-1.48.4-2.el9.aarch64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.aarch64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
php-libguestfs-1.48.4-2.el9.aarch64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-1.48.4-2.el9.aarch64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.aarch64.rpm

noarch:
libguestfs-man-pages-ja-1.48.4-2.el9.noarch.rpm
libguestfs-man-pages-uk-1.48.4-2.el9.noarch.rpm

s390x:
libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-debugsource-1.48.4-2.el9.s390x.rpm
libguestfs-devel-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.s390x.rpm
libguestfs-gobject-devel-1.48.4-2.el9.s390x.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.s390x.rpm
lua-guestfs-1.48.4-2.el9.s390x.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.s390x.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.s390x.rpm
php-libguestfs-1.48.4-2.el9.s390x.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-1.48.4-2.el9.s390x.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.s390x.rpm

x86_64:
libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-debugsource-1.48.4-2.el9.x86_64.rpm
libguestfs-devel-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-debuginfo-1.48.4-2.el9.x86_64.rpm
libguestfs-gobject-devel-1.48.4-2.el9.x86_64.rpm
libguestfs-rescue-debuginfo-1.48.4-2.el9.x86_64.rpm
lua-guestfs-1.48.4-2.el9.x86_64.rpm
lua-guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ocaml-libguestfs-devel-1.48.4-2.el9.x86_64.rpm
perl-Sys-Guestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
php-libguestfs-1.48.4-2.el9.x86_64.rpm
php-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
python3-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-1.48.4-2.el9.x86_64.rpm
ruby-libguestfs-debuginfo-1.48.4-2.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2211
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhRNzjgjWX9erEAQhvYQ//WOhHDyYMyMZ7ZvphGgVONit46vH9In5d
yDCONHRJtdpZz9Gnf0jDyjRhIsDrRGb41cHkHDD3DBGT8/v5F+OvUG9X59XXJDgu
ZNER8K0z9/zHhpo4Ndki1nfv/RTBK4ItvJPYE32LFspP2L6z0ggGe22j8gJjJENa
uyBYJBsoxVQe1YUzhODekyX02prkcbMg6+Xt68XSpCeK4Nt9ixc0jYmH5aUUQOZW
AGB8dOhCX58L9gxSZdV1Ef24JQvqw78x02FDX6fbqnczayEs3Ilb1jYtMuDrrKus
z2t84BmcRlMh9IUM/nSp7Jy4GYrafxQQTvPYtEAyCMd8bvbbaQsldjjFy9DE3v4+
VF302O3gQb9OYA5kTcDFAabEjgKG3vNw7yNKylry6dKv6OaWlbbh9C/Xa8TD6bVT
7ebNXaguzIx+BQPr/MuIAJeSV26h9YpdiWJIfYoYivd4SxORNe50A4Il9W7KXCx4
HOgFO9T2n0n855FhDE9kAPp6eTOYrY25UjdLanbQoJnc3BKXfCxx9AZoYpfmY3V8
UfbF5UgijDBnNbdU25ifetq/yWWi03ZlrdGoZqmxA+sGUct+jRpdCFScdXNjmOd3
drHTsfOJuMvSChuhlfvRaKB6nXxpgDeSBdZiMqzD2ZZ4L/Ta2j6miEauJkq87olb
ge0yy6Zwqz8=
=Yy+E
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3QsIMkNZI30y1K9AQhcXQ//U/Ys3nKG7091Jgp/o2xSJ+XyTSn0w1gy
VK7Xfq7gg70kW08GdE8yjZUs8N/Jlz2ojHdMoxsMTLYnMfTfr+PFYslVZuNz26V2
ZEKVo/dwgAV7PgIfLFfvcArty1ysYQQ6LXRgQHZp1zIy++Hy1Qa6U30hEI1N5tlo
vHCF7HObu2hbnjg7/Y6i1VGlIK1OocGoCKaTKWrNfDWNFENSwDuJ6MrWuRqqEtrr
SaV0OU6ElZrvNA8q7lzyFSpbsYSLeoWsu4yNLwcXFmgBJNE7Zk3Xn6vdQ7ZtmbX9
gm+nRLDzHwl5mJ6Dp/s/4HnQgPVCg1I/TCZBFEvzKSUb+R/7+oZCuwd19fg/+Q9b
/OEukQaZBgyMz1XFYUL+RE19BYHhPE2FA2beCfXTLkIZ1Ow0A1VBImEAGLWFy2RA
th4R9IPKkrS+It7lngiaR8kT/ec2CTPTK785b52U2qS0V6CejjCwcHsU37xOoJNG
Q254J5gxBnA+FU6+fQk5M/xSz+S9FtK9supzLVGgODI8ruJnIU/DSO9Y8l2bqSH/
RLpq2OzJ5qicEAz3cbgzbI324x1lfvAuEGEtj1extRFJIOCpISPXCkuAhqpfJydH
GY7BpVj1fkR6IB4/fG90AtqNSeDd8atfj8i5dsXmDaY5lr5ZHb9LsLjtVzj3IC4k
LN8IfegmOGk=
=igrK
-----END PGP SIGNATURE-----