AusCERT - Security Bulletins
Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
Frissítve: 36 perc 25 másodperc
ESB-2022.1585 - [SUSE] opensc: CVSS (Max): 7.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1585
Security update for opensc
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: opensc
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2021-42782 CVE-2021-42781 CVE-2021-42780
CVE-2021-42779
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221156-1
Comment: CVSS (Max): 7.8 CVE-2021-42782 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for opensc
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1156-1
Rating: important
References: #1114649 #1191957 #1191992 #1192000 #1192005
Cross-References: CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.2
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves four vulnerabilities and has one errata is now available.
Description:
This update for opensc fixes the following issues:
Security issues fixed:
o CVE-2021-42782: Stack buffer overflow issues in various places (bsc#
1191957).
o CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c
(bsc#1192000).
o CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
o CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
Non-security issues fixed:
o Fixes segmentation fault in 'pkcs11-tool.c'. (bsc#1114649)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1156=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1156=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1156=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1156=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1156=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1156=1
o SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1156=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1156=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1156=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-1156=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o openSUSE Leap 15.3 (x86_64):
opensc-32bit-0.19.0-150100.3.16.1
opensc-32bit-debuginfo-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
o SUSE CaaS Platform 4.0 (x86_64):
opensc-0.19.0-150100.3.16.1
opensc-debuginfo-0.19.0-150100.3.16.1
opensc-debugsource-0.19.0-150100.3.16.1
References:
o https://www.suse.com/security/cve/CVE-2021-42779.html
o https://www.suse.com/security/cve/CVE-2021-42780.html
o https://www.suse.com/security/cve/CVE-2021-42781.html
o https://www.suse.com/security/cve/CVE-2021-42782.html
o https://bugzilla.suse.com/1114649
o https://bugzilla.suse.com/1191957
o https://bugzilla.suse.com/1191992
o https://bugzilla.suse.com/1192000
o https://bugzilla.suse.com/1192005
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYV0uNLKJtyKPYoAQhX9g/5AYeIAgCn4/t3/MOjMbkVXT0SsOKRqGTx
9PAvcahV2SQwxKN9tYkGZIMT87DQzUFrG2U1N2ZFOEibxUrmBxEMYIcE8Z90ikyv
WyZpAF27z51HvezRoBcykHr+GttflFKy/TXwqjQwNIjdyL4MKaCpcoNGcCmMxVrq
1GiPBbzXMeiOkyVj6BJ0gVPjRXOGyFO1+8H6SvBRYpTzcCHf+ZFcuLTcGYqpJvSv
je6oyVSXYA6DOLSsz1ojZUWRK5CBKewgYdUSfnfDQiFo/9/WMKhCBGix3wRdT28g
EVh9pG3c4UEFrkuBz5/89phfu6jByE7KlTY87tVW1tGUofjiY13EJEdWcaYfEd6K
8mMTnOM8th5/6t9SCH0I/EWaIWwJRM0RrTjY3SR7sTLHsxHVkYzrYfsgC+cAufNA
xNoLDZgXkwFtKWlYksBrtZ4D+1CystOHb7d+s18a0ZHYkhFnCXzKfarHqj5nK7aB
f1spNs+UdY8ELOv2UwdqSd4I8EX83tKdtqIUW9WG6S6WJnfQgY0xt7bDCKfWuV/i
FDTXaOr/dOLWv+s9KVtfHVZf2ajXpkcDmZAi26NjcgS8JlaZBKKq+wlhFsZUGtAH
cAk15iskVdY94DOUFSXVCAdzHNMssfyfV7Vy1Pwv79NjkqH6Xg/+o7zJ5ZLp6iBU
nqwGLidJUjc=
=UkBx
-----END PGP SIGNATURE-----
ESB-2022.1584 - [SUSE] mozilla-nss: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1584
Security update for mozilla-nss
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mozilla-nss
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1097
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221149-1
Comment: CVSS (Max): 7.5 CVE-2022-1097 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1149-1
Rating: important
References: #1197903
Cross-References: CVE-2022-1097
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Micro 5.0
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Micro 5.2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Server Applications 15-SP3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903): - CVE-2022-1097: Fixed memory safety
violations that could occur when PKCS#11 tokens are removed while in use.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1149=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1149=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1149=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1149=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1149=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1149=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1149=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1149=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1149=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1149=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1149=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1149=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1149=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1149=1
o SUSE Linux Enterprise Module for Server Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1149=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1149=1
o SUSE Linux Enterprise Micro 5.2:
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1149=1
o SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1149=1
o SUSE Linux Enterprise Micro 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1149=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1149=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1149=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-1149=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o openSUSE Leap 15.4 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-sysinit-32bit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-32bit-debuginfo-3.68.3-150000.3.67.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o openSUSE Leap 15.3 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-sysinit-32bit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Manager Server 4.1 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Manager Proxy 4.1 (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server for SAP 15 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64
ppc64le s390x x86_64):
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Enterprise Storage 7 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
o SUSE Enterprise Storage 6 (x86_64):
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
o SUSE CaaS Platform 4.0 (x86_64):
libfreebl3-3.68.3-150000.3.67.1
libfreebl3-32bit-3.68.3-150000.3.67.1
libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
libfreebl3-debuginfo-3.68.3-150000.3.67.1
libfreebl3-hmac-3.68.3-150000.3.67.1
libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
libsoftokn3-3.68.3-150000.3.67.1
libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-debuginfo-3.68.3-150000.3.67.1
libsoftokn3-hmac-3.68.3-150000.3.67.1
libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
mozilla-nss-3.68.3-150000.3.67.1
mozilla-nss-32bit-3.68.3-150000.3.67.1
mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1
mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-debugsource-3.68.3-150000.3.67.1
mozilla-nss-devel-3.68.3-150000.3.67.1
mozilla-nss-sysinit-3.68.3-150000.3.67.1
mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
mozilla-nss-tools-3.68.3-150000.3.67.1
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
References:
o https://www.suse.com/security/cve/CVE-2022-1097.html
o https://bugzilla.suse.com/1197903
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYVyeNLKJtyKPYoAQivsxAAir6qjv06kE5SOqsfP5PQMLApV9zfoa4E
slPHAQBm3iJ1WOSeHrki8cYiCNWR3i8bIETIbgpPod8SoCCewq4u9wdYwGdWc9lO
ipCT2hrTkrcyGTU9KUuZdV+NikLMNKbQUmDuHaqv7eUhm8yDhJHksUmwkQhmJvuQ
Rrg6QhgucI5WixIkxPAG4A1dEkunVxF6mlGg35vc/X8otcRXiMvdx+Mp5Q3lF4xJ
dUFJqrZIuLza2JUCytNgxeW9ztlO4QxMfUmkG6nFkqqLzRuZZknz8QV7gM4K980x
uic9qvZx/6myrdDl8FvAEMmywWJ/7Cy3LG76rg3Cm8vokicdNVdFI1eRh6zlpDwD
sDAqbOdi23fcuT5bZWag3N/N1YUGU+lFEd9bM4dmeZkxjuYzSyyPQVrSbthLWtuE
Q7/nVjQel6AUoLDVN2ldI91W8IiO6wGn28k2byx5Ur0nwQ1E2F1V456tPFUnYL4/
ifFwReXecenOUBaPZLKw6s2BKOfmNjnGKy7+iZAQQPhfM7tSqRwd7Dwl6VkWoZ55
GRXupHVrH90nymmc9JmyoUpsoAYOTYQjVlJ/GkNGZOovsjy3GlXgGVBvkapB+6Sl
iQMKa47hNb2bThkcwP7/9795sCev0drmxmXPrk8yN7R/b5auV693qcUj31b/F/LN
rHtS3tpDjNY=
=lJim
-----END PGP SIGNATURE-----
ESB-2022.1583 - [SUSE] libsolv, libzypp and zypper: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1583
Security update for libsolv, libzypp, zypper
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libsolv
libzypp
zypper
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221157-1
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for libsolv, libzypp, zypper
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1157-1
Rating: important
References: #1184501 #1194848 #1195999 #1196061 #1196317 #1196368
#1196514 #1196925 #1197134
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP2
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Installer 15-SP2
SUSE Linux Enterprise Micro 5.0
SUSE Linux Enterprise Micro 5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Storage 7
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:
o Harden package signature checks (bsc#1184501).
libsolv update to 0.7.22:
o reworked choice rule generation to cover more usecases
o support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
o support parsing of Debian's Multi-Arch indicator
o fix segfault on conflict resolution when using bindings
o fix split provides not working if the update includes a forbidden vendor
change
o support strict repository priorities new solver flag:
SOLVER_FLAG_STRICT_REPO_PRIORITY
o support zstd compressed control files in debian packages
o add an ifdef allowing to rename Solvable dependency members ("requires" is
a keyword in C++20)
o support setting/reading userdata in solv files new functions:
repowriter_set_userdata, solv_read_userdata
o support queying of the custom vendor check function new function:
pool_get_custom_vendorcheck
o support solv files with an idarray block
o allow accessing the toolversion at runtime
libzypp update to 17.30.0:
o ZConfig: Update solver settings if target changes (bsc#1196368)
o Fix possible hang in singletrans mode (bsc#1197134)
o Do 2 retries if mount is still busy.
o Fix package signature check (bsc#1184501) Pay attention that header and
payload are secured by a valid signature and report more detailed which
signature is missing.
o Retry umount if device is busy (bsc#1196061, closes #381) A previously
released ISO image may need a bit more time to release it's loop device. So
we wait a bit and retry.
o Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#
1196925)
o Fix handling of ISO media in releaseAll (bsc#1196061)
o Hint on common ptf resolver conflicts (bsc#1194848)
o Hint on ptf<>patch resolver conflicts (bsc#1194848)
zypper update to 1.14.52:
o info: print the packages upstream URL if available (fixes #426)
o info: Fix SEGV with not installed PTFs (bsc#1196317)
o Don't prevent less restrictive umasks (bsc#1195999)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1157=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1157=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1157=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1157=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1157=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1157=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1157=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1157=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1157=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1157=1
o SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1157=1
o SUSE Linux Enterprise Micro 5.0:
zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1157=1
o SUSE Linux Enterprise Installer 15-SP2:
zypper in -t patch SUSE-SLE-INSTALLER-15-SP2-2022-1157=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1157=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1157=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1157=1
Package List:
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-demo-0.7.22-150200.12.1
libsolv-demo-debuginfo-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
libzypp-devel-doc-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python-solv-0.7.22-150200.12.1
python-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o openSUSE Leap 15.3 (noarch):
zypper-aptitude-1.14.52-150200.30.2
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Manager Server 4.1 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Manager Retail Branch Server 4.1 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Manager Retail Branch Server 4.1 (x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Manager Proxy 4.1 (x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Manager Proxy 4.1 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le
s390x x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x
x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Micro 5.1 (noarch):
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise Micro 5.0 (noarch):
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise Installer 15-SP2 (aarch64 ppc64le s390x x86_64):
libsolv-tools-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
o SUSE Enterprise Storage 7 (aarch64 x86_64):
libsolv-debuginfo-0.7.22-150200.12.1
libsolv-debugsource-0.7.22-150200.12.1
libsolv-devel-0.7.22-150200.12.1
libsolv-devel-debuginfo-0.7.22-150200.12.1
libsolv-tools-0.7.22-150200.12.1
libsolv-tools-debuginfo-0.7.22-150200.12.1
libzypp-17.30.0-150200.36.1
libzypp-debuginfo-17.30.0-150200.36.1
libzypp-debugsource-17.30.0-150200.36.1
libzypp-devel-17.30.0-150200.36.1
perl-solv-0.7.22-150200.12.1
perl-solv-debuginfo-0.7.22-150200.12.1
python3-solv-0.7.22-150200.12.1
python3-solv-debuginfo-0.7.22-150200.12.1
ruby-solv-0.7.22-150200.12.1
ruby-solv-debuginfo-0.7.22-150200.12.1
zypper-1.14.52-150200.30.2
zypper-debuginfo-1.14.52-150200.30.2
zypper-debugsource-1.14.52-150200.30.2
o SUSE Enterprise Storage 7 (noarch):
zypper-log-1.14.52-150200.30.2
zypper-needs-restarting-1.14.52-150200.30.2
References:
o https://bugzilla.suse.com/1184501
o https://bugzilla.suse.com/1194848
o https://bugzilla.suse.com/1195999
o https://bugzilla.suse.com/1196061
o https://bugzilla.suse.com/1196317
o https://bugzilla.suse.com/1196368
o https://bugzilla.suse.com/1196514
o https://bugzilla.suse.com/1196925
o https://bugzilla.suse.com/1197134
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYVvuNLKJtyKPYoAQhnSA//TnYumEQP6V589QpYTE93UtdDrt1l8RaU
9ghNLKUEwndqfT0VsHXZbO3FJxf4R+2cz/1ALkVFx5D62OgphQ6bVm4j5ZQZUsPM
MtaFxkys1/CXkBuZ+Ar3krwC8bhwcdcKknPYs2FWVm6xj5P9Jnw8FgfWzUlewF+9
hQ+beOMajx8lf6c1ULJ44tLdb96t1woKmhRD5+gpnQfe9gJqiqFcu18mv7QwNfws
zWqGYztN2XgfYvvCB1S8SGplqC4uYjmmVfHyJp5YmGI0xrb4RC49WlII4ublgIRg
vEqzNe4nBOJNQ7bEjMCPHxyLzSl1GrTxrroA7w+PW3wX049tKPn9VwhPH9D4jfDm
U5KW0hfbLwx2VOaPvWKtostOrFst+0fngJ6ydWgj8mo0koxlFYQEgqNCrXURa21x
uYQz03y3CpUXLwxd9m5XhpXbr+S+Rkua4p+4fL15oqwZrYqGcLZs1YW8O0wc6eRv
yqp7ThkMCRC1SIAZwcvs+PRqj21kJPMuNEWvqZnTSmD3vyMolUa/9bx2AtgSmpMf
vHONvCHBPee+5iuzD9Q4jc5c3TaUBSrvQepTbJS8QoYB8j6Fks7AcmHKtBQ90AeO
NqeWjuxJYCJZgWcKSmHMWT85EuIxt0dZJvwmbYKlZARocXMDr5C1yC4+JqiDFSyW
p6iZgJcDVWs=
=E9Ae
-----END PGP SIGNATURE-----
ESB-2022.1582 - [SUSE] libexif: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1582
Security update for libexif
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libexif
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2020-0452 CVE-2020-0198 CVE-2020-0181
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221148-1
Comment: CVSS (Max): 7.5 CVE-2020-0452 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for libexif
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1148-1
Rating: important
References: #1172768 #1172802 #1178479
Cross-References: CVE-2020-0181 CVE-2020-0198 CVE-2020-0452
Affected Products:
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-ESPOS
SUSE Linux Enterprise High Performance Computing 15-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Desktop Applications 15-SP3
SUSE Linux Enterprise Module for Desktop Applications 15-SP4
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for libexif fixes the following issues:
o CVE-2020-0181: Fixed an integer overflow that could lead to denial of
service (bsc#1172802).
o CVE-2020-0198: Fixed and unsigned integer overflow that could lead to
denial of service (bsc#1172768).
o CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1148=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1148=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1148=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1148=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15-SP1:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1148=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1148=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1148=1
o SUSE Linux Enterprise Server 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1148=1
o SUSE Linux Enterprise Server 15-SP1-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1148=1
o SUSE Linux Enterprise Server 15-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1148=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1148=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1148=
1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1148=
1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP4:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-1148=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1148=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1148=1
o SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-1148=1
o SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. I will
inform you if it detects new updates and let you then trigger updating of
the complete cluster in a controlled way.
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o openSUSE Leap 15.4 (x86_64):
libexif-devel-32bit-0.6.22-150000.5.9.1
libexif12-32bit-0.6.22-150000.5.9.1
libexif12-32bit-debuginfo-0.6.22-150000.5.9.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o openSUSE Leap 15.3 (x86_64):
libexif-devel-32bit-0.6.22-150000.5.9.1
libexif12-32bit-0.6.22-150000.5.9.1
libexif12-32bit-debuginfo-0.6.22-150000.5.9.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Manager Proxy 4.1 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif12-32bit-0.6.22-150000.5.9.1
libexif12-32bit-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif12-32bit-0.6.22-150000.5.9.1
libexif12-32bit-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64
ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64
ppc64le s390x x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64
x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64
x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE Enterprise Storage 6 (aarch64 x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
o SUSE CaaS Platform 4.0 (x86_64):
libexif-debugsource-0.6.22-150000.5.9.1
libexif-devel-0.6.22-150000.5.9.1
libexif12-0.6.22-150000.5.9.1
libexif12-debuginfo-0.6.22-150000.5.9.1
References:
o https://www.suse.com/security/cve/CVE-2020-0181.html
o https://www.suse.com/security/cve/CVE-2020-0198.html
o https://www.suse.com/security/cve/CVE-2020-0452.html
o https://bugzilla.suse.com/1172768
o https://bugzilla.suse.com/1172802
o https://bugzilla.suse.com/1178479
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYVtONLKJtyKPYoAQi1zg/7BrXCWRoOzLJpQYuYgtB/6IdirldokGk9
foJtiVbjQj+s51P43yL76+LL2Q+h0zS5Cq3KX2Ju4xRyEpJacB/fZ5fWd/8LeN/W
aZpgH3XKIoa2qFs+aPEvMIVOVAzWcIxvIlVsj6uPcOOBheQTXOCQLwPFZY9meY/O
S9BMG8CvMY75qUd+zAsycavasBgrraQCYWDFEfV7eBJAkKo0KHL2CgPQv3nIfNLZ
ffviy2MGkXFbFLM3hNIT2WdUFgWt6/JGLzmak9S6i/M5BPF3KQPQoF7dLgFi2ntu
GIBfnxoLnUhgpMOVQNZ2O8JtfDWDwzbl/cMQiFrW+ofX6dSCeXDKqds1vCxlhW0B
Gbx+vc+oAq49V5xQw/6GVHHepnZydCDCccwJj6fumed6YTfm/Rt86KP6527JjzLh
RxmGQLRyl6X/IPggOwG2dv0gFszIhjKYTZT8ifpQypl1MvdvBMukXYh0epE6FTD3
IUIgqPYhsXmanlwCGL6WKz949Ich7Stcb1ZJqpfXOwyr2cdELgKwXzXYudH6hd89
zj0wKMB/havWz/CvfkGqE8CgFO7TZ0gZEPtLEYYvO/hxXsWsg2yTVXnuc6dlShca
VmRfeFY50wy0zNrH+0rb9vOpZm3dyXs/TcXlo1z4E3mzuZ7elR6Gu24crnmwIHpi
qXl+hYLSl8E=
=I1D+
-----END PGP SIGNATURE-----
ESB-2022.1581 - [SUSE] go1.16: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1581
Security update for go1.16
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: go1.16
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24921
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20221164-1
Comment: CVSS (Max): 7.5 CVE-2022-24921 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for go1.16
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:1164-1
Rating: important
References: #1182345 #1183043 #1196732
Cross-References: CVE-2022-24921
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________
An update that solves one vulnerability and has two fixes is now available.
Description:
This update for go1.16 fixes the following issues:
Update to version 1.16.15 (bsc#1182345): - CVE-2022-24921: Fixed a potential
denial of service via large regular expressions (bsc#1196732).
Non-security fixes: - Fixed an issue with v2 modules (go#51331). - Fixed an
issue when building source in riscv64 (go#51198). - Increased compatibility for
the DNS protocol in the net module (go#51161). - Fixed an issue with histograms
in the runtime/metrics module (go#50733).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1164=1
o openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1164=1
o SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1164=1
o SUSE Manager Retail Branch Server 4.1:
zypper in -t patch
SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1164=1
o SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1164=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1164=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1164=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1164=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1164=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1164=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1164=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1164=1
o SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1164=1
Package List:
o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o openSUSE Leap 15.4 (aarch64 x86_64):
go1.16-race-1.16.15-150000.1.46.1
o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o openSUSE Leap 15.3 (aarch64 x86_64):
go1.16-race-1.16.15-150000.1.46.1
o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o SUSE Manager Server 4.1 (x86_64):
go1.16-race-1.16.15-150000.1.46.1
o SUSE Manager Retail Branch Server 4.1 (x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Manager Proxy 4.1 (x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64):
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 x86_64):
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le
s390x x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64
x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64
x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
o SUSE Enterprise Storage 7 (aarch64 x86_64):
go1.16-1.16.15-150000.1.46.1
go1.16-doc-1.16.15-150000.1.46.1
go1.16-race-1.16.15-150000.1.46.1
References:
o https://www.suse.com/security/cve/CVE-2022-24921.html
o https://bugzilla.suse.com/1182345
o https://bugzilla.suse.com/1183043
o https://bugzilla.suse.com/1196732
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYVpeNLKJtyKPYoAQjcdQ//YrVOWvSYADOaFFY5cexk0Uw7qin3mzZ4
Rk+dVAgEpw2Bt9HJCsXYuq2Bebz0Nhgjv8yIAgtAxKglU3SLzDq8qr5STaaFJxkS
bt5wPSrTjxEzoN4s2xEvBZqnSwfHUChMRNal9aFjGtJjwOswsHtdyBkkMxQaHOej
tqU0FWDpTgdsxeMrch+964pHh7JxfIkhlDmlxeZqQlQI9wezuRxys8ixUPFloct/
JWH0kIW/+h1mDTWzYN2mKdQThNcIN3SqalZXmJ+pNhQJTIkWY7u8MtAfZC1lw9mz
ZrLKvh3JKTQpw8YVJxakyXRVEoX+bNhQuhSkrjR63uil0eX1Ewr/Nol85YV7xvuK
rV+0kpscnNY2Rq3fM8v/ShRml5Xr2TyGBKubuL5WA3DnLkHDn2J26OmhLWdkzDiW
byboLeAS4mwo6ICF7LBUBdlPm9+eLFlv7izWSkZOBAIo8PlBQEgTojwl2ZAqUVaM
cD/SFxV0aPINjMHy1xP7mBy+ollZki3dFZ+vQILptULbmkSzzVjWOaOFoM0zl5kj
BJG7lfARQTWLpTxzL/Fkk59nlVQZ/S0x6CBdjoOJJoIOxZid+FZbswEBSjgKykhi
TzvWRIU6YFp7aWgM1fLedAzDNqbMTYWJl39UGHLEJpNZZf4LLxeDqDr2pee9Akil
ehOGvXEyeys=
=ARCl
-----END PGP SIGNATURE-----
ESB-2022.1580 - [RedHat] Red Hat OpenShift Serverless: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1580
Release of OpenShift Serverless 1.21.1
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift Serverless
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22963
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1292
Comment: CVSS (Max): 9.8 CVE-2022-22963 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Release of OpenShift Serverless 1.21.1
Advisory ID: RHSA-2022:1292-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1292
Issue date: 2022-04-11
CVE Names: CVE-2022-22963
=====================================================================
1. Summary:
Release of OpenShift Serverless 1.21.1
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
This version of the OpenShift Serverless Operator, which is supported on
Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10,
includes a security fix. For more information, see the documentation listed
in the References section.
Security Fix(es):
* spring-cloud-function: Remote code execution by malicious Spring
Expression (CVE-2022-22963)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
See the Red Hat OpenShift Container Platform 4.9 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
4. Bugs fixed (https://bugzilla.redhat.com/):
2070668 - CVE-2022-22963 spring-cloud-function: Remote code execution by malicious Spring Expression
5. References:
https://access.redhat.com/security/cve/CVE-2022-22963
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlVRTdzjgjWX9erEAQgR4hAAh66FM9+lM2X7d2l44qBtnX52PqWkNIMd
7DnRFFp+bqHyh3Hx7taxlcb6av9yVwmb6WnxOF9gqyJnq0UrprauaDIz/EOjFiNK
y3blJVaR7cbBlvbBLoQZcWcMLoKWkW8yyNiMDKjgHTN+HQLXPTnfGtaaAPR6CxIl
VIxCO048FAH+eGSZ7UdO7JpCO2RndjZum2gCHL6nKRB4bSGkMok7zoZskPdnZL89
gtJVo5zmd74Q9/3Mhwv3W1pi82dxQF+FlMQeo9LeGVtCE7Cs0Jq58cl0/Jt8axsW
0w+QQ1ZMZkXgc2qY1N7gpAGqsKt738ZcC/LKRbpKRhk7Y81JYnyT7y+rZCWQfGH/
v1sKtKnULhEHiVWVNYnyTif8E1RXbZFJEO6RaDYersgCaS0qR9VscWogT/m6Vmk9
/rXQdyghyA08derh0UTEcbVwUZvzqSmSo7KcUtGeTP3Jy9xd76hK3+/hiJL45gyT
0I8HwyQprwrNXjijD3EY0a1U4ke4ufyDqhHgQzNAkyhwFZGtjE5dYnaYckZVG0h0
iw/BCa9v/PvJ62vAEEeKmuLxd9OY8J1RvkxLI41TDWs1OICEiTytBoKcbtkhgfVN
h/PwbrbMWPH/5N5QS0yNxASDnvNZ9EuQTBizwEQkHYArXoSIBKQWdqODqpRD6u2X
i8LdSrRG05U=
=vkMk
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYVAuNLKJtyKPYoAQjsvA//bLHzoBji9WLq34TGJFlxWg9Rkjp7BaEk
sBgy/XTAPhfKSLN9F7xahHUiAbvORJGHlZAQ2CKaQGskuMA1WNPWIj/s1UkONYrr
zAC7KnpgS3cX1aNMaTz2jWfw68KktGP7QYpWiHN7TUckPWRQsu2MMf/f4Slp7hJ5
Kiw7KiZnjiOQEq+ZTuMx69H05ojseu5SizHq9CEFa3B3YmKlRjN3MnCGod3sF0FC
w8OTbltLcsoL5uA+MBk8YmTFILVDWB4zV2Nz2xaLDG98l0+DtY4cLpbp39Pn/yUZ
G7zk5hw4GNPHF2NNvuv2xiPWOFtZpK3OFYH1iEA6OuqiA6zBljrhXg+WZXNB2/ct
onEYOV2Ai603/FlyfaYYFA1lpyv3RVEm38N+twTSCJoCQaiE8/0KkTCN3O7eMCP/
2lA5d0PmUS26DIgwl6yeoCzZ/SDA5Kxm1dP0kTsj260RZgsJZqaN2gNo2AGcDNtM
8djiOZMc64Jj84TWqar783K+jcCSGTN/tO0YGRDaU1QYNkhS/OMkF+ilzQEj/aBQ
WC++AkqVT6JkVlKukufBhn47iDO7cXtXZWXFyshe18WhG9KzYQhPNSnH7oOqbLGM
L9zyW/Hxhu5LlB+oIXtjDAXAgzLEEqGyHJQ2UqNOIXDtC6KugEomnpEMqTz29rNg
GecVpuCCUqI=
=tPDV
-----END PGP SIGNATURE-----
ESB-2022.1579 - [RedHat] expat: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1579
expat security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: expat
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-25315 CVE-2022-25236 CVE-2022-25235
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1309
Comment: CVSS (Max): 9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: expat security update
Advisory ID: RHSA-2022:1309-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1309
Issue date: 2022-04-11
CVE Names: CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
=====================================================================
1. Summary:
An update for expat is now available for Red Hat Enterprise Linux 6
Extended Lifecycle Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64
3. Description:
Expat is a C library for parsing XML documents.
Security Fix(es):
* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code
execution (CVE-2022-25235)
* expat: Namespace-separator characters in "xmlns[:prefix]" attribute
values can lead to arbitrary code execution (CVE-2022-25236)
* expat: Integer overflow in storeRawNames() (CVE-2022-25315)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, applications using the Expat library
must be restarted for the update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
6. Package List:
Red Hat Enterprise Linux Server (v. 6 ELS):
Source:
expat-2.0.1-14.el6_10.src.rpm
i386:
expat-2.0.1-14.el6_10.i686.rpm
expat-debuginfo-2.0.1-14.el6_10.i686.rpm
expat-devel-2.0.1-14.el6_10.i686.rpm
s390x:
expat-2.0.1-14.el6_10.s390.rpm
expat-2.0.1-14.el6_10.s390x.rpm
expat-debuginfo-2.0.1-14.el6_10.s390.rpm
expat-debuginfo-2.0.1-14.el6_10.s390x.rpm
expat-devel-2.0.1-14.el6_10.s390.rpm
expat-devel-2.0.1-14.el6_10.s390x.rpm
x86_64:
expat-2.0.1-14.el6_10.i686.rpm
expat-2.0.1-14.el6_10.x86_64.rpm
expat-debuginfo-2.0.1-14.el6_10.i686.rpm
expat-debuginfo-2.0.1-14.el6_10.x86_64.rpm
expat-devel-2.0.1-14.el6_10.i686.rpm
expat-devel-2.0.1-14.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlWl4dzjgjWX9erEAQiRRRAAgD1A54DPBKn5oG7KWsoaAYzJ21cE3Vmn
c3aISch04WQ+jdXrkuSqI8iipOTNzrlIrqvFcyC02t7YnGGmmsaIhV09EFAiJXaK
lGerb79oWEEXI2GstS1K2lkXDB4YZ9EDAX5wYY3INqIxzrEx4mayZfjsTEELX/a9
StGIr1sumJpuR/GSwzvnul4XJfBjm5kMdkWtD0jL9/Z/04eJHD8COu1YV8bmom6Q
bDiSMrBGGoPlwfzgmC1KUqisOJc+WnerHbHbvjNkzgZ3zZAw0EpiaWJKZKScDb3g
/rtOGLwL2yn15WSqKyfDjVz9U5k3/v+lq8l1zzhP7GTrCl5YZ9LJlk1d5/LNKIvE
K6TcfQh1Uo8gS7rcSPAMjCQCQsrQB3O1Ew5n27mCKq0Kq+RqgXxypPvG4zSgXQ6F
Qvt/HpIedRumjsvJgvuSJ1Ef0Mec2cWwIq5xaAAjbCp1PXTSiXo6SrHax0lRpNJo
xotvDi7lSwbuI7DQuTTf8HrY4SAZjXvN9FIj4H6l6Aswx5zmDJ5IR2MU4o7KTmiY
ebzLltQMYlwK6onaFvCkAphIQbg/gCJUO6ifLtO3IUp766v4fUT4LUtQuEFkVxgw
tQz2Q8Cvik4nMqBDPnxvRTF/WwyvX3O74x0Mezmi45UK1d7+TzWDjFQtTwe+FpPB
LprhWJEc5pc=
=EBBS
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYU8+NLKJtyKPYoAQjgTw//XiqB8CiypFfw4J6jmbpF2VltYB7tr6Y0
oQx3VqOCDTcyI8bP+ZSNtzbgN/dDBOk8PpAcsWc+fHbk2jd3MV7upGux22WbOzx+
vDioNE745CKSNhawXlT7TqcXqfwvZlAuFip2w+4Q6zhStgF0fUdlxeu9S9LIUYEZ
kwsM0P1neyg9X9TAWHCXIpcnVGb8ApgyHyrGM0R67vnCpjafuk+Jom2QfYrmRViS
zZp9nZ7OC6FLs1+QZB8tvc5cfhtlNGJz6KTuS2oiEMF6RzxEso4ZTYD9Sb/iOl8J
jmdbCnVzXzrZxyEUV+MiNcF6PtPXk2/GHpdhEnqJTj6PGo50K+A+yUFgmO1JOYTo
Eu12vkY1hWXQJQdnLodi4G3pytztbOEPvhA6IlnMHjraCW/HqDMEUz78z0cQWaq5
mANndOjURUlUoUjy52/oy9kPIIKE+4r06iSkExmx5zz5SDPbEiREJlfsPt82CCnx
7TM8BL2Wv97j2U1kE5WjRShHvcIh9Z4+37ekY43gyfU0UM95xXGHoRK3/i8T8O0V
jT39meF8jCLuG/UHrbfsqtn9om3rOzQxXiwfejnMBmbsqnISXlNgqXW/KCOzEJKN
KFPnKeKbxfc8BZOeIUBlRFgg58a5GVTd61BO96KKJic9uhzQDIVcC1YyXkR5Xnbf
J8ylTJPLkDQ=
=0x7m
-----END PGP SIGNATURE-----
ESB-2022.1578 - [RedHat] OpenShift Container Platform 4.8.36: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1578
OpenShift Container Platform 4.8.36 security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 4.8.36
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-0567
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1154
Comment: CVSS (Max): 7.5 CVE-2022-0567 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 4.8.36 security update
Advisory ID: RHSA-2022:1154-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1154
Issue date: 2022-04-11
CVE Names: CVE-2022-0567
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.8.36 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container
Platform 4.8.36. See the following advisory for the RPM packages for this
release:
https://access.redhat.com/errata/RHSA-2022:1153
Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Security Fix(es):
* ovn-kubernetes: Ingress network policy can be overruled by egress network
policy on another pod (CVE-2022-0567)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
You may download the oc tool and use it to inspect release image metadata
as follows:
(For x86_64 architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.36-x86_64
The image digest is
sha256:faf1f5ae9636ef79c6027cd1ca68b0a93607f8ccc12e8e537f8f8bc21d7dfb15
(For s390x architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.36-s390x
The image digest is
sha256:a12f7b0736d8a4cbf201d95899712b448b977eaae4b3178b04adb565cb6b636a
(For ppc64le architecture)
$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.36-ppc64le
The image digest is
sha256:f90df1f857eec5ac6c40ccb50bfd1c4a4e962a89b1ae4da354094385c6c130fc
All OpenShift Container Platform 4.8 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
3. Solution:
For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
2026110 - Altering the Schedule Profile configurations doesn't affect the placement of the pods
2043808 - No way to verify if IPs with leading zeros are still valid in the apiserver
2052097 - global pull secret not working in OCP4.7.4+ for additional private registries
2053122 - Build is not recognizing the USER group from an s2i image
2053326 - CVE-2022-0567 ovn-kubernetes: Ingress network policy can be overruled by egress network policy on another pod
2057557 - Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex
2060450 - Overview page does not load from openshift console for some set of users after upgrading to 4.7.19
2063836 - [4.8z] High cpu load on Juniper Qfx5120 Network switches after upgrade to Openshift 4.8.26
2064634 - MachineSet is not scaling up due to an OpenStack error trying to create multiple ports with the same MAC address
2065311 - [4.8z] Network policies are not implemented or updated by OVN-Kubernetes
2066302 - Ingress Operator is not closing TCP connections.
2066675 - AWS io2 machine fails due to no iops despite it being configured
2066760 - `oc debug node` does not meet compliance requirement
2067107 - co/image-registry is degrade because ImagePrunerDegraded: Job has reached the specified backoff limit
2068509 - ovnkube-masters suddenly stop processing add/del events for pods
2068895 - PodDisruptionBudgetAtLimit alert fired in SNO cluster
5. References:
https://access.redhat.com/security/cve/CVE-2022-0567
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlWl6dzjgjWX9erEAQgfhhAAmvaAvmjDJ5b5sC8koswYGmHaupFmec45
cnZLFJoduhthbumGBBPMytYerZ9+jwXGXaZXtnZ9PnMSxbuSuAMox8qtqJq9SyjV
GYT52RliREDdntC1Tuxy2DuDvcPfGJs5Jx30WLUrCiGjZ4Dz0NNbAk1xG3Jm86t1
imKsRR9r1gwPZPsjZn8ILTyMqqTL0gaowOLQbf6vhcAWzoH1t40JaJuHsnYEQdE6
40nvB9E29mivmtXrq42pBfg+u8sbwNRwazBPNqAcoqUhi99tEyX4vjE81x3RAst/
bVJaf23bWZzNxnhILflzGMKk2NRSdD/fUxKttax9z3d2zDCjDJxKrm352Cn61FyA
YTc7SrZZr5N+Jct+nnrOdNu1ESeqXwF7tSwsJPPuWbKj9K9ySLIXuNNE4fXbFvUV
35VQa5FC0iF5wPSMngjyhR6Ua8xylcm/pL92iKw74BdBxwMScUoyqHKKl6powy2D
62JvZNAxdbhEwLT8PNEVp14+plcaj8XzM+AT8x5ViklDTacUnCn8vxvV2x2GKJxK
cqS46zuAE8QaxhNF5YtzbwypvruH2mcqgDZay9VpzunDWAdthrhML/+ZvkNiJQhr
QllOwM6ZLFp2+dgZCkA6ccF03+RnqdZd0Z/9uHYQeJmU15nObR/Z9BSsivpQeSp9
whbBvLBKO3c=
=7WWR
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYU7ONLKJtyKPYoAQjxfA/8DHjRrGFEnpC91St5hGazj+hH2yZFtcVe
1QUAdQn1UF5UPpMwNCc43qaZPojbGB27RjvUbtO23LTw6UC7LryJNAKLENIHTpZT
JS4Otgskcr/3NZ9PrXkUtVNL8oe61xd+kq/ngYKqz/01Pp6bQlhMaPGFJwGXmNUt
259TxQjw6PmvzYkBpfMqZyLiY96N6dN1cWhqpNA/8cmHPbsNnPuPsUY/wwYoKDRP
APRU5JhYWcyMK+RNJQYUhQJp9FaiC9XsUyyi7H+nSNJI4O/v49RX+s+9k81Hd5w9
+VnCxad22lzXwVh0qqHs5Vm5LI930x5rinu932vXzyP+4UivT4UtCvUp0hahkUNp
1IOz9jeXxQeDJt/mV1sWkUhWjtmKrf6DOEXdi/O0lT6kXiyYiikcbYapBd02FROR
gGdx+AtT2+bpw5asNKBc1bcEH91h94yrUtrI8fd7+pGGWcvUrlPzQ3GM2hP04bjV
+km/GdDUulg1cxlo9qWmJtusiIQ/CjCsCtwZ1o7yxdy01YvLvb+R3DsnWscwCQD4
z49laePksZAfjnqNZJsKNVicmuzdM5AYozh0Ke2AZpEgU7103+yIEkJRY+IyWlgk
08/2Ojw5DcLJhlYNIi1UP94uCuS0Vke4cdjbrpoBCa2tAgJeGtPljH5aD6eNnQy7
FnlJ0A+lTIk=
=wrea
-----END PGP SIGNATURE-----
ESB-2022.1577 - [RedHat] thunderbird: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1577
thunderbird security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: thunderbird
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28289 CVE-2022-28286 CVE-2022-28285
CVE-2022-28282 CVE-2022-28281 CVE-2022-24713
CVE-2022-1197 CVE-2022-1196 CVE-2022-1097
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1326
Comment: CVSS (Max): 7.5 CVE-2022-28289 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2022:1326-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1326
Issue date: 2022-04-12
CVE Names: CVE-2022-1097 CVE-2022-1196 CVE-2022-1197
CVE-2022-24713 CVE-2022-28281 CVE-2022-28282
CVE-2022-28285 CVE-2022-28286 CVE-2022-28289
=====================================================================
1. Summary:
An update for thunderbird is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64
3. Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 91.8.0.
Security Fix(es):
* Mozilla: Use-after-free in NSSToken objects (CVE-2022-1097)
* Mozilla: Out of bounds write due to unexpected WebAuthN Extensions
(CVE-2022-28281)
* Mozilla: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
(CVE-2022-28289)
* Mozilla: Use-after-free after VR Process destruction (CVE-2022-1196)
* Mozilla: OpenPGP revocation information was ignored (CVE-2022-1197)
* Mozilla: Use-after-free in DocumentL10n::TranslateDocument
(CVE-2022-28282)
* Mozilla: Incorrect AliasSet used in JIT Codegen (CVE-2022-28285)
* Mozilla: Denial of Service via complex regular expressions
(CVE-2022-24713)
* Mozilla: iframe contents could be rendered outside the border
(CVE-2022-28286)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of Thunderbird must be restarted for the update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2072559 - CVE-2022-1097 Mozilla: Use-after-free in NSSToken objects
2072560 - CVE-2022-28281 Mozilla: Out of bounds write due to unexpected WebAuthN Extensions
2072561 - CVE-2022-1196 Mozilla: Use-after-free after VR Process destruction
2072562 - CVE-2022-28282 Mozilla: Use-after-free in DocumentL10n::TranslateDocument
2072563 - CVE-2022-28285 Mozilla: Incorrect AliasSet used in JIT Codegen
2072564 - CVE-2022-28286 Mozilla: iframe contents could be rendered outside the border
2072565 - CVE-2022-24713 Mozilla: Denial of Service via complex regular expressions
2072566 - CVE-2022-28289 Mozilla: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
2072963 - CVE-2022-1197 Mozilla: OpenPGP revocation information was ignored
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.2):
Source:
thunderbird-91.8.0-1.el8_2.src.rpm
aarch64:
thunderbird-91.8.0-1.el8_2.aarch64.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.aarch64.rpm
thunderbird-debugsource-91.8.0-1.el8_2.aarch64.rpm
ppc64le:
thunderbird-91.8.0-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.ppc64le.rpm
thunderbird-debugsource-91.8.0-1.el8_2.ppc64le.rpm
x86_64:
thunderbird-91.8.0-1.el8_2.x86_64.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.x86_64.rpm
thunderbird-debugsource-91.8.0-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-1097
https://access.redhat.com/security/cve/CVE-2022-1196
https://access.redhat.com/security/cve/CVE-2022-1197
https://access.redhat.com/security/cve/CVE-2022-24713
https://access.redhat.com/security/cve/CVE-2022-28281
https://access.redhat.com/security/cve/CVE-2022-28282
https://access.redhat.com/security/cve/CVE-2022-28285
https://access.redhat.com/security/cve/CVE-2022-28286
https://access.redhat.com/security/cve/CVE-2022-28289
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlWl2tzjgjWX9erEAQjtsQ//TJr3sdrdIE7JwSx7n2IiYbBl6GOU8C7o
dMatcSRZ7aF6UqTFJmY9dWD9By16CKVyID8Tof6GNajYSUBUzH17vccd/ron4V4i
Ch0WlRZN8dwKmuYUKuuxjU+AhZL1umsrb4AjT/kRa7IrpIPIO+0BUSKPxiEAKs16
sAf8mpRxgZEMSruEwQIeFbqA+FT2/+jLCWkb14k3pvglkSCT0A/V9bFMpXFQHSub
S2bQPJa+RALY0KAOKWfi4CO3a5B+vMdnOaAr7JXFRvTVAu5F+G2uPXjXvWsMu2uC
en4UfUTPGyQ2Q7TaHJ8mcLghfoFg8eSkYrjP3oMAiu/VRdqARn5afAVwh80SIdU0
TQOlSnWzLAhHC1Y4zr6WGohC0UC3tLxWzlPMnzOqNNoezXuhPkwbTm1ykRG0zLQq
RQ9ZLR9LskIKv+vVcr7p8fS15Ffk/Qa2z/UV89LdKA44xh8rcYRfGVTGYiVDyaKE
9EllAWaNEMbT9Bopln6Wz+QTKlydfz5tGmOYvK+3jwAgPCrbT0yiIHNar/73wEPi
H0eBJqTjnOuzRoD5SnUnODN6PT0wNxk6Jv3i3TqN4DXHNPz7LSWV4yZkyhg/2X2v
06ujzfbYiKUzMZJW6EvOmm3OKF4nktnYbWHIyiQsEK/W8JF7ADFnnzN5gv116S6u
oGyMFntDWto=
=igYT
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYU5uNLKJtyKPYoAQh43RAAo5ofUO1tWI3moZU2cSFdCp+UIRxm8p3z
0bhXwbb5nJS5iQ9z2tciAuErQCe7QKMjkWtGB1I3BqbTgB857rKL0fEHVXWxzWpT
qfzafeeyonc9ppxxth86kau86AOekX9OGW0QpqZAF1n/USIC2TAVdpodwVaVgBq0
fU4m4LdTMpikuISjQVA3CxV4eKOWxuSgFfF8o9Hywm63MlemxbkFS1gBwZf3H1GI
t2I1xHmB7FoQhHxmTo6svQn8LYoxTYr9mHKcnDyJV2AR5VSbJ+EnLrqqKDWg5ijL
Rq0I8KMhyEA7VqudIM0CmXM8kwHXxJDJTCilV/hZbYPJ/++HX8cj+yvIULp6NPgJ
GZwc+vGmoOCCnumZJAuenmve6CH0GOfMgk/vV0ewL46cOx7256JzebkYM/pUZdVa
zK+MTuIOGgaKUgjYuT3OtG61ayZGNS97NbhyppEf+ST5PwBg+0zvk67+oaArsqpn
UWpGdsZPIUdTVcb/pY/jSi4niAvKaZgNL0jzbm9ORF/+6GppJNVfkxSeKZbXNUeu
XsDJ29Feon2i0SXQDybY/3vYxzQwwqr4l9gb6+7A1Iu4S9wRjv75mNkVL4jj03SN
q5xkNYhpuBVq+U41oUOnMemKlEAK7leLsHctRI27TOPF4+utWpYt+KdINfUGk4SN
d3TJAIlqOaI=
=NWC/
-----END PGP SIGNATURE-----
ESB-2022.1576 - [RedHat] kernel: CVSS (Max): 7.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1576
kernel security and bug fix update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kernel
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22942 CVE-2021-4083 CVE-2021-4028
CVE-2021-0920
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1324
Comment: CVSS (Max): 7.4 CVE-2021-4083 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel security and bug fix update
Advisory ID: RHSA-2022:1324-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1324
Issue date: 2022-04-12
CVE Names: CVE-2021-0920 CVE-2021-4028 CVE-2021-4083
CVE-2022-22942
=====================================================================
1. Summary:
An update for kernel is now available for Red Hat Enterprise Linux 7.7
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP
Solutions.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64
3. Description:
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es):
* kernel: Use After Free in unix_gc() which could result in a local
privilege escalation (CVE-2021-0920)
* kernel: use-after-free in RDMA listen() (CVE-2021-4028)
* kernel: fget: check that the fd still exists after getting a ref to it
(CVE-2021-4083)
* kernel: failing usercopy allows for use-after-free exploitation
(CVE-2022-22942)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* guest using rtl8139 can not connect to network (BZ#2063889)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
2027201 - CVE-2021-4028 kernel: use-after-free in RDMA listen()
2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2031930 - CVE-2021-0920 kernel: Use After Free in unix_gc() which could result in a local privilege escalation
2044809 - CVE-2022-22942 kernel: failing usercopy allows for use-after-free exploitation
6. Package List:
Red Hat Enterprise Linux Server AUS (v. 7.7):
Source:
kernel-3.10.0-1062.66.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm
x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.7):
Source:
kernel-3.10.0-1062.66.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm
ppc64le:
bpftool-3.10.0-1062.66.1.el7.ppc64le.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-bootwrapper-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-headers-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.7):
Source:
kernel-3.10.0-1062.66.1.el7.src.rpm
noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm
x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.7):
x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional E4S (v. 7.7):
ppc64le:
bpftool-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 7.7):
x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-4028
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlWl0dzjgjWX9erEAQjNoBAAkg59cuZJknFcK2kCfOAjviIxo0Fzm+rB
Ka7UFBEqzzz/CAq8rrokGWpjR8Q5vRleaegGdmbWJ0QaBWjAIjJzJ5qqYQxIZfh8
p5SuDollpjb8v9Yi6OYNAcnkmBPR7G/K//z6NOhnXfpxTX1p8QcvqTWDt4qXGKPQ
JkuzE8Zw/u0K+87aIn4gZVwTAtHrfGLKpZKnprVDKt81pg9zgSXJcpUYtKYOjF/M
Z9b8dUMl5r8d7Xy5mDlhhBHNVyeL+Hf1ucAHpflWxJXCXXM7IFefxQhWEL5mSK3/
KcjFu2RjG5dVKf8+ILQrdULW/1WxIPJEXAQY799sAsgSy+XdgG8FhU5D0ETentGB
NB4eGPwlzEbdZMHkrj8W9GidaKYjGGEZJsnFdpQndB29B3UFEQfeCLwR/BZhy5Jc
AilViTRyn+WMRFrO+uz4/vECCM3FkM89pl8vQK5UZX0XwjNzxAKH9he2FznJlK+k
pZml1TTPnaAPUrWvSGWO967a8lxYm3faaOYFUqhRJzv+BoUoVpzZOrLaiDqIJxPX
bEB/x/sJaPOjqVKM2Y5Ltzm+/LSFT0kZFI/nWhTVbk4VL0YMosYjg1d4EaN2NWTo
OnbA92GYBIBsQE+0SsACkuYXrQua71jQV/3xYqdk7KD7QdOIG4LqXYpIwF4BHoQ7
PwbfLaK67DM=
=v3P6
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYU3ONLKJtyKPYoAQjcQhAAh96O5oj35AlswvUeVzFT0vvaHAOLTDfl
3HGM2PA0UsdZadeVmZ1JmVPVyO5dKlDIaKW3b5idFxn2U1A9Mvf0zzIp2UMH4un3
BGdahapZdN7qu9y2UKl/9dQRtU3I0c73Oqun0mAaRdzy0YHWzwnnMmouJ3g2vW6w
3DahOhFCKACpY2Ox/Di00UUI1UDVCdH6HDSJwguoU4Fa5rLchavIW12D/Sis3A/O
eumpeVVVGwsAQ3YppHd3TpSuVIpqRKQT2Z7eNn48X5GsvVrQ66V5TOHVRadGvYuq
2z1TY8uOas7L6+y+KQURYEoQg0TbfkV0UuNZ9RBNCHRxl3e3T3qXAy98UHduWZfw
sEoFzRLLa5CG0fHyFHCQi8YdpZUUn2RwQiHHsluTTC4MJ2oyAFWFC3PfMxAN4NNR
8/p8kO1lvq7t65k8tEisPmLCNrDCuRljlrgQcK99t8QTzwY+iHIkUAdi7ODYxK+l
kiEuIEdsh50+XydLCBce/oDjz4eiWgCIp/amDfAhQ2IY9YUFSDIfO/pnPCKQHZdP
0QNUopSsKwYMi9QeJXz7ALgBncvuUFR4DiSXtAF1jNBx9XUNZ9xLowd2DdBl4Xcn
ctHArnGEgzOWzCjYj4agZdLjws+4iY94nhjG3808gHTfGnNLUJ2u/Mgs3c5NCre5
/5ZClhL/crM=
=jS5e
-----END PGP SIGNATURE-----
ESB-2022.1575 - [RedHat] OpenShift Virtualization 4.8.5 RPMs: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1575
OpenShift Virtualization 4.8.5 RPMs security update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Virtualization 4.8.5 RPMs
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-34558 CVE-2021-33198 CVE-2021-33197
CVE-2021-33195
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1329
Comment: CVSS (Max): 7.5 CVE-2021-33198 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Virtualization 4.8.5 RPMs security update
Advisory ID: RHSA-2022:1329-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1329
Issue date: 2022-04-12
CVE Names: CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
CVE-2021-34558
=====================================================================
1. Summary:
Red Hat OpenShift Virtualization release 4.8.5 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
CNV 4.8 for RHEL 7 - x86_64
CNV 4.8 for RHEL 8 - x86_64
3. Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.8.5 RPMs.
Security Fix(es):
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
2044050 - 4.8.5 rpms
6. Package List:
CNV 4.8 for RHEL 7:
Source:
kubevirt-4.8.5-278.el7.src.rpm
x86_64:
kubevirt-virtctl-4.8.5-278.el7.x86_64.rpm
kubevirt-virtctl-redistributable-4.8.5-278.el7.x86_64.rpm
CNV 4.8 for RHEL 8:
Source:
kubevirt-4.8.5-278.el8.src.rpm
x86_64:
kubevirt-virtctl-4.8.5-278.el8.x86_64.rpm
kubevirt-virtctl-redistributable-4.8.5-278.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlWlsdzjgjWX9erEAQjiAA//aMWeXha6TgTtIhczZPKQygKrInDUmR/D
NWWzbXGlhTqUewWc18GlRV9u8m+S2Zs9Yq5apfOMv5pnqEDeWrLEcyzhx/mJryfD
vk3Q59vI2a8pBl6VJYUt5zKwmmTVPPxwy0tK7J8UbA+Ub4+kII5fi7vC3UKRYuas
5Bk3UvXZFOk7OhuNxuyRbNblGExAiBG3lfBA/Taye64yKOVznXFRUJ6HEhEAbtTD
1q6yDgkgWJgHegw7hrnd34H3EVP9MFutbkWCMTXZB7draj1ziGUDwO16kdLCO05f
47UMc2CAq588XtumXob9+QMHp7Zwdh64SEbG11o9o2UXxH+w3+iLnkTj2mQzgF2t
izyvKgHgHsgtyPSDlTOU160jv7rTe05HeA9QoZpQYGCTGoMvQZuvls5+MBrkEXf5
xV/TVfpQxaRbWTw4UmuIuNoNsZUQgLetbtJDLjJBtD7ko2+pMHK1VbfKQ6x2bpuT
mRN3IpokYZpEptnoLdVJuadSuUKppmWT0TYsB+Fu5Z1orONRJ0oiJg258hW0sSut
wD6G0ucWsEvpbuVaY+pu9OrYQ0yESfiVqap+PbqgAFt9d3CHZTQwQjf4gxH84x5l
n5zkJyLrvg6h389bAKAPzY2sHi+utlW9GfyXRyA5F17udf5qO0WjnOwrjkO9imj5
VzyXMOf0wiM=
=we3S
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYU1+NLKJtyKPYoAQg02g/+L3fPQhGcKIUSY6V5sdxTDYfPRUjUhk/G
YVv9nYTENqFoCBdP6+sYPoEPO7PMLRrdvkj+TDtLLTpGck/eqoJxNXmCa/XLA7HY
lJ7LmPPrIU6v1tFLZme1k8rsv2mSBcKbfV6RRZDsbPLagKR/uMkl71MU21+/lW3c
OopxVOcVr87yd1kOs9GMIu/DNNsss2wxoCvmciBRlTYqExmrWu78Y8ThDK74p1sL
LBcX+Z5wPCpjQmSsjX3mNQGsK6PGEbUkDx7nc6Q40MK8aD7OrxNylmeKSntPMLIq
APwWoCG1oIidlfd6Jl+TEz6wvvTZbMl3JZKiXsUyZX4t5FDYvp53J7Swindi8+KQ
kPt1xyO/FGiiExNI+GbQ69+6IOSM/xoXTBvpSoaBJy8zLD9jEUuObR0FDY2YYhPs
t+C5M8QyeTctQAgT8XbdO/L3y+6kxvE0rnEKv1DfoiGVAnWU4zOrVWu51C7+0zhd
JQpTAq+sHJTWXBq1+QrUpaCtqHta6gHhZMM7tQTV0S9HSxb7y52fVpz2RM3rf+c7
ZEs2VkDz0hDLaQsumvv1Yai1TUu7Ko0w3hUY9UkUefraNGCgXBMlILZ6F0M72x9K
VVMCwfI4n2mHZa2VkIe957uICXEz96NuKWXN5zPQVNjUT7n42NVOnuENemDu7ZcU
1+HUhFPNnq0=
=wF4n
-----END PGP SIGNATURE-----
ESB-2022.1574 - [RedHat] Red Hat OpenShift Application Runtimes: CVSS (Max): 7.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1574
Red Hat support for Spring Boot 2.5.10 update
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift Application Runtimes
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2021-42340 CVE-2021-41079 CVE-2021-33037
CVE-2021-30640 CVE-2021-20289 CVE-2021-3859
CVE-2021-3642 CVE-2021-3629 CVE-2021-3597
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:1179
Comment: CVSS (Max): 7.5 CVE-2021-42340 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID: RHSA-2022:1179-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1179
Issue date: 2022-04-12
CVE Names: CVE-2021-3597 CVE-2021-3629 CVE-2021-3642
CVE-2021-3859 CVE-2021-20289 CVE-2021-30640
CVE-2021-33037 CVE-2021-41079 CVE-2021-42340
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift Application Runtimes.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.
2. Description:
Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.
Security Fix(es):
* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)
* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)
* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)
* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)
* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)
* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link for the
update. You must be logged in to download the update.
4. Bugs fixed (https://bugzilla.redhat.com/):
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
5. References:
https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYlX6EdzjgjWX9erEAQg9yA/+P1/lTMOi1yV6LLfSX3BdGGK82PYJsuO5
mafisp3yqeixCcljWGYZTjGeptsYoVqDPR1KqYJ2RKJyHcFYdI0DvdrmUHODIVAN
jgmXaeM+i5HfuSX7o+qsH5ZGkuSVT/H6MCTahZo4QwyzNjT2Zmri1jV0D/LA9fW9
pQd91GVrDeVfL0YzOJkdPaaIqaF/suOcH3saCeuABJ5H0qehRBQdlvh0z4ZjZTek
g8knA+/X83ggC1DLlCj9AmHT+RTlD1VrlUgXqrygcCgA58+JK5vM12/mMIslkEL6
+iNCkgpV6nYEW/N0G2CfH9sTk8JYpoY78Yx7V2hT1AxkEPaeReyVjTYcqfV1LenU
2Beo4J1WU4+T5CUao4P/2+MLSsDJDSadfEXM1sGJayULONl61bSCB/+Z/CMA7I/P
sLLhvN4TvMQB1dAfFmj9MFSArQQnxbrzkhp5/rPqWSHTfb1d0sSFU7SpqC4HYH+z
LCcLfC4ItUd5eBLRMtcJQdnFsPqL/3UdoqHyh5CKjJgTVXs/2Q8vKVdIFihon8GB
bPl7YGZT7zyhuSDi26nC0ThjanbE0LVG7Y2MUYNEyQz3gqXU8+HJKBRpKOwihqwM
RFJnNFSPqP3eHfbOMBGQpAzdkT7iLRCuyEGUesN6IplndYdn4fepDep/rdqeGk14
lGgYrqQ7rUU=
=fUW+
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYUweNLKJtyKPYoAQgOsw//dT29ikqu9kMfhibATlpzv3apMjR4xtPw
kakGpyYw9h2DE8xCYP4RqlqVl1ZBNNJQe76mQcK5xREaTqYLbcz3ZwCouaAExKOS
UcIKASSm6APobAOPU8fddxdQKyURpWrVj1Lidj9QykhFeGROL6jttFH5rYxfXn/S
qruNaW2sUDn/jPv7UZsjW7l0HQeTHyUrc5Fv9KG7OcromxJf03zdpk7XgqRypwBW
/5O0ONE8tE5WiZQpYmgt5IPA++fJ9qaIEm9fw+pPKGkYd0gb0NcUHBIFvuUigDLp
4Imr3yO1lHGbCXHhUkgx0G//S4D5ZLVeqJHo3Z4AYbsL2jDmh4ZssAz0dw1OuwVZ
jUsvWbIKtB4EP4kCVaWG9miRORK4FBnVJLSX4i4OHRq3LzzOMNxa9Y4xrlbGiBHP
PyUJ2ChK9ixWqgYAlYklwK/kKQ/d04MEsQmbeuXhG0AIwA96B5icSwAJ9dVZTj6n
eESxSrojejsqOvvwFjvbnglKpfosMYwTWxwOg3Gd0kTj1TOJCwoZalOgTax+gb0V
0woG2Za598lY1g/wFkW3O5K2lrdiQMTFC6Pw2A1+b8nIS/BGzARdbun85ODz4Bqu
d+bsuc9DFKjsonGO9n4bYsEtdMPQTnAL/3v212TA8NWoi10YGTEyr3hBR3Vweurh
y4sKNDXliiQ=
=67OQ
-----END PGP SIGNATURE-----
ESB-2022.1573 - [Win][UNIX/Linux] Ruby: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1573
CVE-2022-28739: Buffer overrun in String-to-Float conversion
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Ruby
Publisher: Ruby
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28739
Original Bulletin:
https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
CVE-2022-28739: Buffer overrun in String-to-Float conversion
Posted by mame on 12 Apr 2022
A buffer-overrun vulnerability is discovered in a conversion algorithm from a
String to a Float. This vulnerability has been assigned the CVE identifier
CVE-2022-28739 . We strongly recommend upgrading Ruby.
Details
Due to a bug in an internal function that converts a String to a Float, some
convertion methods like Kernel#Float and String#to_f could cause buffer
over-read. A typical consequence is a process termination due to segmentation
fault, but in a limited circumstances, it may be exploitable for illegal memory
read.
Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
Affected versions
o ruby 2.6.9 or prior
o ruby 2.7.5 or prior
o ruby 3.0.3 or prior
o ruby 3.1.1 or prior
Credits
Thanks to piao for discovering this issue.
History
o Originally published at 2022-04-12 12:00:00 (UTC)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNnuNLKJtyKPYoAQilLRAAlHjBVdgR92lQPsbYfRVOEcds9kY3E1aF
SJ0wtOd2/JYmCtqOfYNxdtD7UookLfml+dU/k0lzYe/xCOtlTS0/65Ef2l2Hhx6T
ysfrnGnm+fzA0UGhkKaovbkZADDw+NIraXkblYY+VkLa9hKruPIRU9o0brg67gIT
uJNVbInTckl969C08xfoM0J0bVU2ml2qrRBhsjBZmORVtgN/zQ5WBn9c866cwkQZ
Oy6bKf/FsvKnpmv8+pLm9by1Z0/blHX9tjdZGZpnFR332+XPiimmcl7WkvlDjozo
XPVKG7Kb+uJ/rdZA2QGKNbAnXAJhO17CzRvK1sTpFEph2UkxWGBGf5BCAqw4+qqq
/Uas1BlFCh0570ro8zGqcgQfcZ3/KUF5RlN2AMYnxAUzJUk2mMI66qgnYSy8Iyi3
ki7J07dt59R2zKYn3bi4PIa2BIy1TbziOYrUqY3nj9AyAD1oJPAGzRGfWNjY6v/I
7vOsgNKFE6HLKGQvS8bkvO1mtQ683+nbDQ1yBxaN1z3ARrQs1TBDTvMAVtzK9aas
DVWWr5EPfKqN0iJpG48uDjcgCsd6aXBi2IjM1ha9jADHYRdxqkSpIamqs3vIROZD
CZwpAQYE+v1Wkbai/V4ulON0bH92Uc6rzqtFJ7J058UuqKL3tkzFKPFqKN/qysKe
ouFZXyljUY0=
=JjsO
-----END PGP SIGNATURE-----
ESB-2022.1572 - [Win][UNIX/Linux] Ruby: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1572
CVE-2022-28738: Double free in Regexp compilation
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Ruby
Publisher: Ruby
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-28738
Original Bulletin:
https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
CVE-2022-28738: Double free in Regexp compilation
Posted by mame on 12 Apr 2022
A double-free vulnerability is discovered in Regexp compilation. This
vulnerability has been assigned the CVE identifier CVE-2022-28738 . We strongly
recommend upgrading Ruby.
Details
Due to a bug in the Regexp compilation process, creating a Regexp object with a
crafted source string could cause the same memory to be freed twice. This is
known as a double free vulnerability. Note that, in general, it is
considered unsafe to create and use a Regexp object generated from untrusted
input. In this case, however, following a comprehensive assessment, we treat
this issue as a vulnerability.
Please update Ruby to 3.0.4, or 3.1.2.
Affected versions
o ruby 3.0.3 or prior
o ruby 3.1.1 or prior
Note that ruby 2.6 series and 2.7 series are not affected.
Credits
Thanks to piao for discovering this issue.
History
o Originally published at 2022-04-12 12:00:00 (UTC)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNlONLKJtyKPYoAQiE+xAAnhy0UZV828OtgdI4ZciBksEgCFTq1VNX
ky08aQ90bVQI5TbdKZE1sa0xzFPACbJ/CLFtHb/UpOaIvjcDSckaeMD6T//hxJFB
wBneIPPCyOIp5tf5Mu3tIiHG+sFN8QmH+z0H7A/tnwb549IhwZtK/BTYFykLReoq
blbQINyeoKYmi0KMoO3VD1hLi3IQnZ7nxjhfOnPTfQ7IDLcvwswD8WPKqxEbKbVd
iXw31HFkBI1hpjh8F8UibGwQzJTT7fMp3pb3DOkJqkkZwQ//XK/3lUZniZSyJN3Z
AGglprY7XDVrroV9MJBK/acFy2exQldkZoSP9uc2gqlzPLVj4MWFi4JWkjEFz0Lj
bB9eegZHW6Hedlqspasm41QlLbvIJfY/G0I8WNjunKnECv0D8Hp4by89e7dRQgiP
y0ys436BrU+Xhi69vI/6dytEq0QjqjRFkIEeCdOCnqnXI7sfCpQfpGZZ4+PyOEXa
oepv+Yj5/r3bfDSJp9JobeKaS0Pc4jZoqWvsDgaQQurNag+T3UYbPrWwcr9WiEXh
oV4DXrvG2pmEnIszFDXZR7BJ/l49zovpJYyhaxLe04dqY9KC/hHHvsG5tFrTswpt
33vpJvH+YCTrdh0jIBH0dE2GK78cIJ8kHtCD+7+xFv+DtZB/MmOF6aO3BX7rBPMQ
YJQ8OxGuf28=
=G/uG
-----END PGP SIGNATURE-----
ESB-2022.1571 - [Appliance] Aethon TUG Home Base Server: CVSS (Max): 9.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1571
Advisory (icsa-22-102-05) Aethon TUG Home Base Server
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Aethon TUG Home Base Server
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Mitigation
CVE Names: CVE-2022-27494 CVE-2022-26423 CVE-2022-1070
CVE-2022-1066 CVE-2022-1059
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05
Comment: CVSS (Max): 9.8 CVE-2022-1070 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-102-05)
Aethon TUG Home Base Server
Original release date: April 12, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Aethon (owned by ST Engineering)
o Equipment: TUG Home Base Server
o Vulnerabilities: Missing Authorization, Channel Accessible by Non-endpoint,
Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a
denial-of-service condition, allow full control of robot functions, or expose
sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Aethon reports these vulnerabilities affect the following versions of TUG Home
Base Server, a server used to control and communicate with autonomous mobile
robots in hospitals:
o All versions prior to Version 24
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHORIZATION CWE-862
An unauthenticated attacker can arbitrarily add new users with administrative
privileges and delete or modify existing users.
CVE-2022-1066 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:H/A:N ).
3.2.2 MISSING AUTHORIZATION CWE-862
An unauthenticated attacker can freely access hashed user credentials.
CVE-2022-26423 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:H/A:N ).
3.2.3 CHANNEL ACCESSIBLE BY NON-ENDPOINT CWE-300
An unauthenticated attacker can connect to the TUG Home Base Server websocket
to take control of TUG robots.
CVE-2022-1070 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.2.4 CROSS-SITE SCRIPTING CWE-79
The "Reports" tab of the Fleet Management Console is vulnerable to stored
cross-site scripting attacks when new reports are created or edited.
CVE-2022-27494 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:L/I:H/A:L ).
3.2.5 CROSS-SITE SCRIPTING CWE-79
The "Load" tab of the Fleet Management Console is vulnerable to reflected
cross-site scripting attacks.
CVE-2022-1059 has been assigned to this vulnerability. A CVSS v3 base score of
7.6 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/
C:L/I:H/A:L ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
o COUNTRIES/AREAS DEPLOYED: East Asia, United States
o COMPANY HEADQUARTERS LOCATION: Singapore
3.4 RESEARCHER
Asher Brass and Daniel Brodie of Cynerio reported these vulnerabilities to
CISA.
4. MITIGATIONS
Aethon has implemented a mitigation plan to address these vulnerabilities.
Aethon has checked all locations where this product is in use to ensure
firewalls are active and to update systems to the newest software (Version 24).
For more information about these issues and the associated mitigation
practices, please contact Aethon .
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet .
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves
from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNieNLKJtyKPYoAQhqQQ/+PatpC8KqzXHzdy5CJ/M8QwcNMqbTrH4J
14C+/RP2gBfmpydryCneDHELmlumkXJUckdp4EAD9Eo8cqlwB3Hx6eqJHSF+ewFZ
cEQQyAbGr4T2PBcWJ0xpxyDdn9LIW3QRLwgMoVQ0E6s1vnKPsIYfAKcNgxTgd3lr
u68MZqo3r44MUIVhOeW9/nw6kbAxVytvvJ/At86drZj6jnmYNn0inP9NF4lrsukS
O83v8r39T9qQsAfldcptgz8mUos7Bg/+n7lUb6WSjv+B2/CPqsDUR2ik+pAydedu
HifpxMjKI54hLDGQ+7KG36GrAy47yjZdukIxooDNCKmBS3Lnhd7gVQ1jjM+fqYEr
j2FVTB5AsvAoRtbdcMO8ETdkUW6c6xm/tlu/rlijcMP9jV2m2GWSp+7iCyBmqI/N
LrcMu2n+0xFB3cmgc9RoTsN2+2bdnX5FvJuEahLZOIRFv0WRxCva8ytScOn5za1M
jlbV3/Ymy/pHAAXJj6YguV9kAt204JC9rS5tdjRbVjejFw3Qce5BoA4r9oreChb/
P++CEB1y9v7+BSvVCdJf/8Zl/EVZD4g4BXQRf5GX2qeSebukzYrB1SUOsCOrDPLU
esyhwywWH10nOi4B4gaRr0nrFkIfuq5UVQCXDGBaawj2ZZ+lwahFTfnxb9OWN59C
jD2c4I1Hrl0=
=HB+A
-----END PGP SIGNATURE-----
ESB-2022.1570 - [Appliance] Mitsubishi Electric GT25-WLAN: CVSS (Max): 6.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1570
Advisory (icsa-22-102-04) Mitsubishi Electric GT25-WLAN
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mitsubishi Electric GT25-WLAN
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2020-26146 CVE-2020-26144 CVE-2020-26143
CVE-2020-26140 CVE-2020-24588 CVE-2020-24587
CVE-2020-24586
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04
Comment: CVSS (Max): 6.5 CVE-2020-26143 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-102-04)
Mitsubishi Electric GT25-WLAN
Original release date: April 12, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 6.5
o ATTENTION: Exploitable remotely
o Vendor: Mitsubishi Electric
o Equipment: Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25
or GT27
o Vulnerabilities: Improper Removal of Sensitive Information Before Storage
or Transfer, Inadequate Encryption Strength, Missing Authentication for
Critical Function, Injection, Improper Input Validation
2. RISK EVALUATION
There are multiple vulnerabilities due to design flaws in the frame
fragmentation functionality and the frame aggregation functionality in the
Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow
an attacker to steal communication contents or inject unauthorized packets.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Wireless LAN communication unit GT25-WLAN in GOT2000
Series GT25 or GT27, are affected:
o GT25-WLAN: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER
CWE-212
The affected product is vulnerable to a fragment cache attack as it does not
clear fragments from memory when (re)connecting. This may allow an attacker to
steal communication contents or inject unauthorized packets.
CVE-2020-24586 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:R/S:U/C:L/
I:N/A:N ).
3.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326
The affected product is vulnerable to a mixed key attack as it reassembles
fragments encrypted under different keys. This may allow an attacker to steal
communication contents.
CVE-2020-24587 has been assigned to this vulnerability. A CVSS v3 base score of
2.6 has been assigned; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:R/S:U/C:L/
I:N/A:N ).
3.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The affected product is vulnerable to an aggregation attack as it accepts
non-SPP A-MSDU frames. This may allow an attacker to inject unauthorized
packets.
CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:R/S:U/C:N/
I:L/A:N ).
3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A
DOWNSTREAM COMPONENT ('INJECTION') CWE-74
The affected product can accept plaintext data frames in a protected network.
This may allow an attacker to inject unauthorized packets.
CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/
I:H/A:N ).
3.2.5 IMPROPER INPUT VALIDATION CWE-20
The affected product is vulnerable to accepting fragmented plaintext data
frames in a protected network. This may allow an attacker to inject
unauthorized packets.
CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/
I:H/A:N ).
3.2.6 IMPROPER INPUT VALIDATION CWE-20
The affected product can accept plaintext A-MSDU frames that start with an
RFC1042 header with EtherType EAPOL in an encrypted network. This may allow an
attacker to inject unauthorized packets.
CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/
I:H/A:N ).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
The affected product can reassemble encrypted fragments with non-consecutive
packet numbers. This may allow an attacker to steal communication contents.
CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/C:N/
I:H/A:N ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Mitsubishi Electric reported these vulnerabilities to CISA.
4. MITIGATIONS
Mitsubishi Electric has provided the following mitigations or workarounds.
When using the wireless LAN communication unit as an access point, check if the
wireless LAN communication unit settings are as follows.
o For the passphrase used for wireless LAN, avoid settings that can be
guessed from the consecutive numbers and MAC address, and set an
unpredictable passphrase combining letters and numbers.
o Use WPA or WPA2 as the security authentication method for wireless LAN.
o Use the IP filter function*1 to restrict the accessible IP addresses.
*1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG)
"5.4.3 Setting the IP filter"
When using the wireless LAN communication unit as a station, check if the
router settings are as follows:
o For the passphrase used for wireless LAN, avoid settings that can be
guessed from the consecutive numbers and MAC address, and set an
unpredictable passphrase combining letters and numbers.
o Use WPA or WPA2 as the security authentication method for wireless LAN.
o If you change the router settings, hide its presence on the Internet to
make it difficult for unauthorized access. (e.g., set to not respond to
PING requests).
o Set password for the router's Management portal, which is difficult to be
identified.
Check the following when using a computer or tablet, etc., on the same network.
o Update Antivirus software to the latest version.
o Do not open or access suspicious attachment file or linked URL.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet .
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNfONLKJtyKPYoAQhFMg/+NKZiU8iAMmt40NU/C/LAdyTUlZLPiH5m
82aNM+RkioOveYa2Pq/m4R6vPHsBo7VkZkIwcJU+YfGD1S2qdrEwm7zgpcc2C0i0
FG/QejmSPmSSt0NuAwy4yogTBb76CgGmF8i1d+Eo2QRqe/TI2NUSJutd6uRDoIsz
W29d8yVtgvSM3TxYD0Xn4cIUq1C071Wp/9Z2BRoU9DIA4dinPQOpHGsnuSPMuerf
5lmfuUo8fdwwnASAOlZ124A9fMCDEPvDzbxDCjmXyTCrCxbsHJ7ejyUduNMLtsoO
zgpU/Pa2DvStD15scHUlCVEU00GmykwhFHB0bqq+jdmErDpewQ6RoxGNAN0TLN9N
LBHqgE93amE4ZtBmObQjZJqdmUGAcFgFPBVsl+DXMoVhrG7MIaeupPEji7F/soy8
vgbiYp7/l9snXgPF86DaXRwckWvVLycGC35pPqvCyWG1IYpd7KB8gSUC4FgtaFdU
QTOv/OGDwvKpX0N4XH8d/uEK/O71sxlsT5Q7Y72NSlwrUx7FxHx+NK+ClZ0cuaCn
IBqpkERwdDLmbCOXMmSCDCh/IDRmaKS8wmcJmKs+ZNsgxj+/PJv5K3uSCjNLvL/v
2RRCVlw+bB5dEqac9lVM5Ivi3LLx0UV3IUzxUFnzgp9LOcFnT8CAGwV4Bpkhkj9X
03Xe+s424UM=
=dUgh
-----END PGP SIGNATURE-----
ESB-2022.1569 - [Win][UNIX/Linux] Inductive Automation Ignition: CVSS (Max): 6.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1569
Advisory (icsa-22-102-03) Inductive Automation Ignition
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Inductive Automation Ignition
Publisher: ICS-CERT
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-1264
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03
Comment: CVSS (Max): 6.8 CVE-2022-1264 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-102-03)
Inductive Automation Ignition
Original release date: April 12, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 6.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Inductive Automation
o Equipment: Ignition
o Vulnerability: Path Traversal
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated
attacker with network access to execute code by uploading a malicious zip file.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Inductive Automation Ignition software are affected:
o Inductive Automation Ignition: All 8.0 versions after 8.0.4
o Inductive Automation Ignition: All 8.1 versions prior to 8.1.10
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22
The affected product may allow an attacker with access to the Ignition web
configuration to run arbitrary code.
CVE-2022-1264 has been assigned to this vulnerability. A CVSS v3 base score of
6.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:C/
C:N/I:H/A:N ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy,
Information Technology
o COUNTRIES/AREAS DEPLOYED: United States
o COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Mashav Sapir of Claroty reported this vulnerability to CISA.
4. MITIGATIONS
Inductive Automation recommends users upgrade the Ignition software to 8.1.10
or later.
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Ensure the least-privilege user principle is followed.
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet .
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves
from social engineering attacks:
o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNcONLKJtyKPYoAQjk1Q//Y1vQd2rushJb8YurwPcqg4b9mpuTedzd
4BLvr5hm3+cTvZSgbDbycRTTMnMyo7wZ/RvFZFXBttHFzU9ApDhCACIMKqYGTtfo
9Mv3ucUeeo0ykpG2hkFKcpFEqLMpJ5XmoIBszXIgCtVFRAfCwSiWo6R832VE6UJp
8KnI3b96CixBH+Zd+MU51I7D+1VC+F49y3doWidiLxe26AK88GD6qUAlDFNBmX/5
yGg/M/GhA35hCzdesilARYh7ji62UpjPqMNehbaDesxiJSj8SpELYk1AIWywqvAv
yj6WoiUoA+1Uzd0H3vJ/lrdTkH+Q2WdKPDI13C6J052AULdXF90Fga8+B+2QTrkp
sJpT5Wm/uYHCLBAhkNBf1sJW6rD72kzjVrDES+yTEwLQ7ZJKTi1j1qkjqPldeYwN
lkzOkOEutWY2vbeoghfBiItQa5s9dOwL+CH64+HIfd2L2a9ObHbKLyCtuV49rdBM
rGjGVB+pKgdIWGBhAq2QZsg1za+ZRnhVvx3+iWEPPGaUI471BZU8QAXKsfwppBVc
kdN2PWX3/5gKOBqhUg9N9LXanj5FBAKHUxOph3XpaRAUwH+0sRUIbDdhw3qFk8P9
65uSCueKaFGca5AdNp/epSe8OdlwllfhGTBsH44asSu5rSrXDlN1Ax18tfbgLMfB
dpnC57i1sFg=
=XVXB
-----END PGP SIGNATURE-----
ESB-2022.1568 - [Appliance] Mitsubishi Electric MELSEC-Q Series C Controller Module: CVSS (Max): 9.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1568
Advisory (icsa-22-102-02) Mitsubishi Electric MELSEC-Q
Series C Controller Module
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Mitsubishi Electric MELSEC-Q Series C Controller Module
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29998
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02
Comment: CVSS (Max): 9.0 CVE-2021-29998 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-102-02)
Mitsubishi Electric MELSEC-Q Series C Controller Module
Original release date: April 12, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 9.0
o ATTENTION: Exploitable remotely
o Vendor: Mitsubishi Electric
o Equipment: MELSEC-Q Series C Controller Module
o Vulnerability: Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial-of-service
condition or allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of MELSEC-Q Series C Controller Module using Wind River
VxWorks Version 6.4 are affected:
o Module Q12DCCPU-V: First 5 digits of serial number 24031 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122
The affected product uses a vulnerable version of Wind River VxWorks that could
result in a heap-based buffer overflow in the DHCP client
CVE-2021-29998 has been assigned to this vulnerability. A CVSS v3 base score of
9.0 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:C/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends the following:
o Update to 24032 (first 5 digits of serial number) or later. Contact a
Mitsubishi Electric representative for more information.
o Disable the DHCP function in "Security Settings" of the C language
controller settings/monitor tool if the product is in "Extended mode" and
the DHCP client function is not required.
o Update DHCP server to the latest version.
o Use a firewall or virtual private network (VPN), etc. to prevent
unauthorized access when Internet access is required.
o Use within a trusted LAN that is properly divided by routers and firewalls.
For more information see Mitsubishi Electric's advisory 2022-001
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNY+NLKJtyKPYoAQitUQ/9FaL556yA6F/8Wa4tu36vOZJr5qJcLQIP
eEPhIZSD2sbB9Ihpno48oYypaGpDKbaPrjCpvTcPExtrUw9rLzFUhfMDxNJnGazA
jnF19Oc7T3whK582/xzyV77dyPQtHAsJutejViJ+8IrlU0yNNJr95vyhilDQfMS2
Tjx0W5hGvTGgQ7BJVbg8yyz9rY+c3eNfW/KZWK/jxiz3AK6VWX2GFTbqUmTFJIJx
WWpRtBBq39tNRrVSDnkPYcsh07EWk3x+cpmFM/5DzBS4PH8PxyLgvm+lBPU/yz+L
ZxG0T3ITnA63o0DRvPG767J0xc+Xkq4WMaokkpZwESIj1QmRj7R82PNWNgApFK6a
wQzlWgn89NZcJc5RcsTwdtiSa/tzKEAZlwmi7NCJsau7ZWRKzJlXWMpNiD0MHiN9
lkBgzl8m1guZT+eBF04kYkjdjsB1N067bPcCAQgmVamUfzwRrVcoeH5hTgkRfcnQ
Dtcrk3DAlYOGsnydGa+qrHlzXRyVXx3mtNGaPzw7BVXy+X5gJxcJvyWSrHxU1E3C
90JzkOI9VDuiP04YPlM1gBiFafWvb0bTeEGovg9kexB+2bPuZ7WA8H2SRJCjCxcc
mPQEeEvjMUIU4klBw9CB4ETdV9kRwDLwbSGqTQWtSOXzSZoWHhhAvUxi4Xkktj2B
1iKBTmvROwg=
=d7f3
-----END PGP SIGNATURE-----
ESB-2022.1567 - [Appliance] Valmet DNA: CVSS (Max): 8.8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1567
Advisory (icsa-22-102-01) Valmet DNA
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Valmet DNA
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2021-26726
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01
Comment: CVSS (Max): 8.8 CVE-2021-26726 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-102-01)
Valmet DNA
Original release date: April 12, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 8.8
o ATTENTION: Exploitable from an adjacent network /low attack complexity
o Vendor: Valmet
o Equipment: DNA
o Vulnerability: Inadequate Encryption Strength
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to
execute commands remotely with system privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Valmet DNA, a distributed control system, are
affected:
o Valmet DNA: Versions from Collection 2012 to Collection 2021
3.2 VULNERABILITY OVERVIEW
3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326
An unauthenticated network user can craft specific packets targeting a Valmet
DNA service, listening by default on a specific TCP port. By exploiting a
predictable encryption key, the attacker can remotely trigger commands to be
executed with system privileges.
CVE-2021-26726 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Multiple
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Finland
3.4 RESEARCHER
Ivan Speziale of Nozomi Networks reported this vulnerability to Valmet.
4. MITIGATIONS
Valmet recommends the following:
o Update to the latest version. Contact Valmet customer service to obtain the
update.
o Ensure a properly configured firewall is in place to prevent unauthorized
access from untrusted networks to the system.
For more information see Valmet's Security Advisory .
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:
o Minimize network exposure for all control system devices and/or systems,
and ensure they are not accessible from the Internet .
o Locate control system networks and remote devices behind firewalls and
isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private
Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
updated to the most current version available. Also recognize VPN is only
as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov . Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.
No known public exploits specifically target this vulnerability.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNV+NLKJtyKPYoAQiUaxAAjZAhCyjM1AvzhZYERGtJSAaeZ6Ndu7wg
gjDTb8FgyT0HfcVss6djB+GL3Y7r0UQbLbgE/dsQh7VA1G4KaxrlxpsOP1TUerWG
TmAa0gUG+vCnnPBDwbx0e5UWD/4mfhR4MeBV6LZ6ETfdjxOsnC/OP1A2JCs3/f4K
MP5aKjoXXEttA8/BmVRUEGlfcHybpbaZG8X/kZxXI5ehyL/6Qds7/Nz0WYdeZWK7
/ytbiVUsIQ79yiPHPoHbdJZ+q3fEl+86GoRHOArDpt/1NLVWStO7c6Z+NlNXX41F
CglqgUBy2EXNGDc9/T54YwNVZ68oYucc9IBlHjJiQt9exBwBP7kIr//cCS8NvZfl
hQb3/Sl2IePLpX8N70BiFUDvl3RRRZof5TKVDf7GVhy6ZjPnHC0tOMjVA1fKm6u6
K3q42QH6E9rlgt1xhskEIn1BTatu4il2CJ8MzzbTDHj7VHNLfAkWPGn2OujEYjck
vasQsa0IOAOV4PVBIvrGYBDGzs3ggBK9RawWMQo9cyqHMTHbV8q8ZhDJMFpiHFRd
cRI3T86rlVHlhuea8So8yoDn3IczV/4B25trZQ+V4XiCpSkZD62IM5oG5D+PHcSE
lbtG/aLaTH0Pkz6LUMENkuj1T6HvAjNEO9GaQsqbefLyWFISPKlArgR/iJdw3wY1
eq5RKnFDKes=
=NkVa
-----END PGP SIGNATURE-----
ESB-2022.1566 - [Win] Citrix StoreFront: CVSS (Max): None
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1566
Citrix StoreFront Security Bulletin for CVE-2022-27503
13 April 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Citrix StoreFront
Publisher: Citrix
Operating System: Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2022-27503
Original Bulletin:
https://support.citrix.com/article/CTX377814
Comment: CVSS (Max): None available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Citrix StoreFront Security Bulletin for CVE-2022-27503
Reference: CTX377814
Category : Medium
Created : 11 April 2022
Modified : 12 April 2022
Description of Problem
A reflected cross-site scripting (XSS) issue has been discovered in Citrix
StoreFront when it is configured to use SAML authentication. If exploited, this
issue would allow an attacker to execute client-side JavaScript in the same
context as a legitimate user. This issue has the following identifier:
+--------------+-----------+-----------------------+--------------------------+
|CVE-ID |Description|Type |Pre-requisites |
+--------------+-----------+-----------------------+--------------------------+
| |Reflected |CWE-79: Improper |A victim user must have a |
| |Cross Site |Neutralization of Input|current session on a |
|CVE-2022-27503|Scripting |During Web Page |StoreFront that has been |
| |(XSS) |Generation ('Cross-site|configured to use SAML |
| | |Scripting') |authentication |
+--------------+-----------+-----------------------+--------------------------+
The issue affects the following supported versions of Citrix StoreFront:
o Citrix StoreFront 1912 LTSR up to and including CU4 (1912.0.4000)
o Citrix StoreFront 3.12 for 7.15 LTSR up to and including CU8 (3.12.8000)
Affected versions of Citrix Storefront are included within the following
supported versions of Citrix Virtual Apps and Desktops:
o Current Release (CR) versions of Citrix Virtual Apps and Desktops up to and
including 2112
o Citrix Virtual Apps and Desktops 1912 LTSR up to and including CU4
o Citrix XenApp & XenDesktop 7.15 LTSR up to and including CU8
Mitigating Factors
This issue only exists when Citrix StoreFront is configured to use SAML
authentication. StoreFront deployments that have not been configured to use
SAML authentication are unaffected.
What Customers Should Do
Citrix recommends that affected customers upgrade to a fixed version as their
patching schedule allows.
The issue has been addressed in the following supported Citrix StoreFront
versions:
o Citrix StoreFront 2203 LTSR (2203.0.0) and later versions
o Citrix StoreFront 1912 LTSR CU5 (1912.0.5000) and later cumulative updates
for 1912 LTSR
The latest versions of Citrix StoreFront can be downloaded from the following
location:
https://www.citrix.com/downloads/storefront/
These versions of Citrix StoreFront are included within the following supported
versions of Citrix Virtual Apps and Desktops:
o Citrix Virtual Apps and Desktops 2203 LTSR and later versions
o Citrix Virtual Apps and Desktops 1912 LTSR CU5 and later cumulative updates
for 1912 LTSR
The latest versions of Citrix Virtual Apps and Desktops can be downloaded from
the following location:
https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/
A hotfix has been released to address this issue for Citrix StoreFront 3.12 for
7.15 LTSR.
The hotfix for Citrix StoreFront 3.12 for 7.15 LTSR is available at the
following location:
https://support.citrix.com/article/CTX446966
Acknowledgements
Citrix would like to thank Michal Brzezicki and Pawel Zurek for working with us
to protect Citrix customers.
What Citrix is Doing
Citrix is notifying customers and channel partners about this potential
security issue through the publication of this security bulletin on the Citrix
Knowledge Center at https://support.citrix.com/securitybulletins .
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case .
Subscribe to Receive Alerts
Citrix strongly recommends that all customers subscribe to receive alerts when
a Citrix security bulletin is created or modified at https://support.citrix.com
/user/alerts .
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For details on our vulnerability
response process and guidance on how to report security-related issues to
Citrix, please see the following webpage: https://www.citrix.com/about/
trust-center/vulnerability-process.html .
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your
own risk. Citrix reserves the right to change or update this document at any
time. Customers are therefore recommended to always view the latest version of
this document directly from the Citrix Knowledge Center.
Changelog
Date Change
2022-04-12 Initial Publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYlYNTONLKJtyKPYoAQgZgQ//ZOLXzH4jom7dFBIeoucLvwCT1jyxwA5N
I+hwY/f0oFdUppHNZ6NQYrJzhvLZ6cOVKjkVpXwI634CBx/P5GPK3k9IhWx9pGVO
wGc68yTyGpa/fAShYQi3ZDm+aeIIfMPLql38KVKF37Qe9VLmjgK8iAn7b+5ReMRX
9UY7OG8NSjw4ur3u2a88GDqaRiMWN6s7p7NEI3VQ92gVowD3mfXrQSPG8/nTGdFa
qxx8FDfR3pIsQNpQp3yg6p2jlgwKsui3/tHeiLbYNkThhCskZeSO2QNMe+BRn35c
fsxhvxNHCFHjluXXIwMPpDTlEPtQHjYIysovnfBnAdxqTmjgdiPwx6fNC60X3j2e
d/emHvD17WiSGC4hVPjWInhqsMemTkBjgmwk/HaJyj8+C3xc3Y1D+lPNRlV/NfpU
NCQPJPrZGJQ3TIx2jKxRSucxlIttOMai6DbhqQNHm1Zqv6ns74pmz5GyYTNoVvOa
O6PPsmFRAbv/YPXzL5yPvV29X1DI5NY9rUj+bkRN+D9/C8zDffu+VOeWq7eq6dys
MDISZ9Ko3X8Kft/61vwjthCzCzkO6k0UtQzSm5ZtDFmhct87UcIu8+BVsgcE0jwL
e1LAE55AEljTD7lVJiTraWlCPlVrsNg4mWpC33Mrn8fos5ThGsPUFebcjZbus3al
OQ9ytK+M+oY=
=t9Zh
-----END PGP SIGNATURE-----