AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
13 April 2022

ESB-2022.1585 - [SUSE] opensc: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1585
                         Security update for opensc
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           opensc
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-42782 CVE-2021-42781 CVE-2021-42780 CVE-2021-42779

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221156-1

Comment: CVSS (Max):  7.8 CVE-2021-42782 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for opensc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1156-1
Rating:             important
References:         #1114649 #1191957 #1191992 #1192000 #1192005
Cross-References:   CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782
Affected Products:
                    SUSE CaaS Platform 4.0
                    SUSE Enterprise Storage 6
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Realtime Extension 15-SP2
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Manager Proxy 4.2
                    SUSE Manager Server 4.2
                    openSUSE Leap 15.3
______________________________________________________________________________

An update that solves four vulnerabilities and has one errata is now available.

Description:

This update for opensc fixes the following issues:

Security issues fixed:

  o CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
  o CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
  o CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
  o CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).

Non-security issues fixed:

  o Fixes segmentation fault in 'pkcs11-tool.c'. (bsc#1114649)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1156=1
  o SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1156=1
  o SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1156=1
  o SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1156=1
  o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1156=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1156=1
  o SUSE Linux Enterprise Micro 5.1:
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1156=1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1156=1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1156=1
  o SUSE Enterprise Storage 6:
    zypper in -t patch SUSE-Storage-6-2022-1156=1
  o SUSE CaaS Platform 4.0:
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o openSUSE Leap 15.3 (x86_64):
       opensc-32bit-0.19.0-150100.3.16.1 opensc-32bit-debuginfo-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE Enterprise Storage 6 (aarch64 x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1
  o SUSE CaaS Platform 4.0 (x86_64):
       opensc-0.19.0-150100.3.16.1 opensc-debuginfo-0.19.0-150100.3.16.1 opensc-debugsource-0.19.0-150100.3.16.1

References:

  o https://www.suse.com/security/cve/CVE-2021-42779.html
  o https://www.suse.com/security/cve/CVE-2021-42780.html
  o https://www.suse.com/security/cve/CVE-2021-42781.html
  o https://www.suse.com/security/cve/CVE-2021-42782.html
  o https://bugzilla.suse.com/1114649
  o https://bugzilla.suse.com/1191957
  o https://bugzilla.suse.com/1191992
  o https://bugzilla.suse.com/1192000
  o https://bugzilla.suse.com/1192005

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
13 April 2022

ESB-2022.1584 - [SUSE] mozilla-nss: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1584
                      Security update for mozilla-nss
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mozilla-nss
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1097

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221149-1

Comment: CVSS (Max):  7.5 CVE-2022-1097 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for mozilla-nss
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1149-1
Rating:             important
References:         #1197903
Cross-References:   CVE-2022-1097
Affected Products:
                    SUSE CaaS Platform 4.0
                    SUSE Enterprise Storage 6
                    SUSE Enterprise Storage 7
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Micro 5.0
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Micro 5.2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Server Applications 15-SP3
                    SUSE Linux Enterprise Realtime Extension 15-SP2
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP2-BCL
                    SUSE Linux Enterprise Server 15-SP2-LTSS
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15-SP2
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Manager Proxy 4.1
                    SUSE Manager Proxy 4.2
                    SUSE Manager Retail Branch Server 4.1
                    SUSE Manager Server 4.1
                    SUSE Manager Server 4.2
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for mozilla-nss fixes the following issues:

Mozilla NSS 3.68.3 (bsc#1197903):

  - CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o openSUSE Leap 15.4:
    zypper in -t patch openSUSE-SLE-15.4-2022-1149=1
  o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1149=1
  o SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1149=1
  o SUSE Manager Retail Branch Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1149=1
  o SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1149=1
  o SUSE Linux Enterprise Server for SAP 15-SP2:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1149=1
  o SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1149=1
  o SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1149=1
  o SUSE Linux Enterprise Server 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1149=1
  o SUSE Linux Enterprise Server 15-SP2-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1149=1
  o SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1149=1
  o SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1149=1
  o SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1149=1
  o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1149=1
  o SUSE Linux Enterprise Module for Server Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1149=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1149=1
  o SUSE Linux Enterprise Micro 5.2:
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-1149=1
  o SUSE Linux Enterprise Micro 5.1:
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1149=1
  o SUSE Linux Enterprise Micro 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1149=1
  o SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1149=1
  o SUSE Enterprise Storage 7:
    zypper in -t patch SUSE-Storage-7-2022-1149=1
  o SUSE Enterprise Storage 6:
    zypper in -t patch SUSE-Storage-6-2022-1149=1
  o SUSE CaaS Platform 4.0:
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o openSUSE Leap 15.4 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-32bit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-32bit-debuginfo-3.68.3-150000.3.67.1
  o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o openSUSE Leap 15.3 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-32bit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Manager Server 4.1 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Manager Retail Branch Server 4.1 (x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
       libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Manager Proxy 4.1 (x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
       libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server for SAP 15 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP2-LTSS (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
       libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
       libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1
       libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
       libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1
       mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
       libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1
       libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1
       mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1
       mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1
       mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (x86_64):
       libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1
       libsoftokn3-32bit-3.68.3-150000.3.67.1
libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 
mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 
mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Enterprise Storage 7 (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 
mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Enterprise Storage 7 (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE Enterprise Storage 6 (aarch64 x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 o SUSE Enterprise Storage 6 (x86_64): libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 o SUSE CaaS Platform 4.0 (x86_64): libfreebl3-3.68.3-150000.3.67.1 libfreebl3-32bit-3.68.3-150000.3.67.1 libfreebl3-32bit-debuginfo-3.68.3-150000.3.67.1 libfreebl3-debuginfo-3.68.3-150000.3.67.1 libfreebl3-hmac-3.68.3-150000.3.67.1 libfreebl3-hmac-32bit-3.68.3-150000.3.67.1 
libsoftokn3-3.68.3-150000.3.67.1 libsoftokn3-32bit-3.68.3-150000.3.67.1 libsoftokn3-32bit-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-debuginfo-3.68.3-150000.3.67.1 libsoftokn3-hmac-3.68.3-150000.3.67.1 libsoftokn3-hmac-32bit-3.68.3-150000.3.67.1 mozilla-nss-3.68.3-150000.3.67.1 mozilla-nss-32bit-3.68.3-150000.3.67.1 mozilla-nss-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-3.68.3-150000.3.67.1 mozilla-nss-certs-32bit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-certs-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-debugsource-3.68.3-150000.3.67.1 mozilla-nss-devel-3.68.3-150000.3.67.1 mozilla-nss-sysinit-3.68.3-150000.3.67.1 mozilla-nss-sysinit-debuginfo-3.68.3-150000.3.67.1 mozilla-nss-tools-3.68.3-150000.3.67.1 mozilla-nss-tools-debuginfo-3.68.3-150000.3.67.1 References: o https://www.suse.com/security/cve/CVE-2022-1097.html o https://bugzilla.suse.com/1197903 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. 
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYVyeNLKJtyKPYoAQivsxAAir6qjv06kE5SOqsfP5PQMLApV9zfoa4E slPHAQBm3iJ1WOSeHrki8cYiCNWR3i8bIETIbgpPod8SoCCewq4u9wdYwGdWc9lO ipCT2hrTkrcyGTU9KUuZdV+NikLMNKbQUmDuHaqv7eUhm8yDhJHksUmwkQhmJvuQ Rrg6QhgucI5WixIkxPAG4A1dEkunVxF6mlGg35vc/X8otcRXiMvdx+Mp5Q3lF4xJ dUFJqrZIuLza2JUCytNgxeW9ztlO4QxMfUmkG6nFkqqLzRuZZknz8QV7gM4K980x uic9qvZx/6myrdDl8FvAEMmywWJ/7Cy3LG76rg3Cm8vokicdNVdFI1eRh6zlpDwD sDAqbOdi23fcuT5bZWag3N/N1YUGU+lFEd9bM4dmeZkxjuYzSyyPQVrSbthLWtuE Q7/nVjQel6AUoLDVN2ldI91W8IiO6wGn28k2byx5Ur0nwQ1E2F1V456tPFUnYL4/ ifFwReXecenOUBaPZLKw6s2BKOfmNjnGKy7+iZAQQPhfM7tSqRwd7Dwl6VkWoZ55 GRXupHVrH90nymmc9JmyoUpsoAYOTYQjVlJ/GkNGZOovsjy3GlXgGVBvkapB+6Sl iQMKa47hNb2bThkcwP7/9795sCev0drmxmXPrk8yN7R/b5auV693qcUj31b/F/LN rHtS3tpDjNY= =lJim -----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1583 - [SUSE] libsolv, libzypp and zypper: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1583
Security update for libsolv, libzypp, zypper
13 April 2022

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           libsolv
                   libzypp
                   zypper
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20221157-1

Comment: CVSS (Max): None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for libsolv, libzypp, zypper
______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1157-1
Rating:            important
References:        #1184501 #1194848 #1195999 #1196061 #1196317 #1196368 #1196514 #1196925 #1197134
Affected Products:
                   SUSE Enterprise Storage 7
                   SUSE Linux Enterprise Desktop 15-SP2
                   SUSE Linux Enterprise Desktop 15-SP3
                   SUSE Linux Enterprise High Performance Computing 15-SP2
                   SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-SP3
                   SUSE Linux Enterprise Installer 15-SP2
                   SUSE Linux Enterprise Micro 5.0
                   SUSE Linux Enterprise Micro 5.1
                   SUSE Linux Enterprise Module for Basesystem 15-SP3
                   SUSE Linux Enterprise Module for Development Tools 15-SP3
                   SUSE Linux Enterprise Realtime Extension 15-SP2
                   SUSE Linux Enterprise Server 15-SP2
                   SUSE Linux Enterprise Server 15-SP2-BCL
                   SUSE Linux Enterprise Server 15-SP2-LTSS
                   SUSE Linux Enterprise Server 15-SP3
                   SUSE Linux Enterprise Server for SAP 15-SP2
                   SUSE Linux Enterprise Server for SAP Applications 15-SP2
                   SUSE Linux Enterprise Server for SAP Applications 15-SP3
                   SUSE Linux Enterprise Storage 7
                   SUSE Manager Proxy 4.1
                   SUSE Manager Proxy 4.2
                   SUSE Manager Retail Branch Server 4.1
                   SUSE Manager Server 4.1
                   SUSE Manager Server 4.2
                   openSUSE Leap 15.3
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

o Harden package signature checks (bsc#1184501).

libsolv update to 0.7.22:

o reworked choice rule generation to cover more use cases
o support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
o support parsing of Debian's Multi-Arch indicator
o fix segfault on conflict resolution when using bindings
o fix split provides not working if the update includes a forbidden vendor change
o support strict repository priorities; new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
o support zstd compressed control files in debian packages
o add an ifdef allowing to rename Solvable dependency members ("requires" is a keyword in C++20)
o support setting/reading userdata in solv files; new functions: repowriter_set_userdata, solv_read_userdata
o support querying of the custom vendor check function; new function: pool_get_custom_vendorcheck
o support solv files with an idarray block
o allow accessing the toolversion at runtime

libzypp update to 17.30.0:

o ZConfig: Update solver settings if target changes (bsc#1196368)
o Fix possible hang in singletrans mode (bsc#1197134)
o Do 2 retries if mount is still busy.
o Fix package signature check (bsc#1184501): the check now requires that both header and payload are secured by a valid signature, and reports in more detail which signature is missing.
o Retry umount if device is busy (bsc#1196061, closes #381): a previously released ISO image may need a bit more time to release its loop device, so we wait a bit and retry.
o Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
o Fix handling of ISO media in releaseAll (bsc#1196061)
o Hint on common ptf resolver conflicts (bsc#1194848)
o Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper update to 1.14.52:

o info: print the package's upstream URL if available (fixes #426)
o info: Fix SEGV with not installed PTFs (bsc#1196317)
o Don't prevent less restrictive umasks (bsc#1195999)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1157=1
o SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1157=1
o SUSE Manager Retail Branch Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1157=1
o SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1157=1
o SUSE Linux Enterprise Server for SAP 15-SP2:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1157=1
o SUSE Linux Enterprise Server 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1157=1
o SUSE Linux Enterprise Server 15-SP2-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1157=1
o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1157=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1157=1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1157=1
o SUSE Linux Enterprise Micro 5.1:
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-1157=1
o SUSE Linux Enterprise Micro 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-1157=1
o SUSE Linux Enterprise Installer 15-SP2:
    zypper in -t patch SUSE-SLE-INSTALLER-15-SP2-2022-1157=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1157=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1157=1
o SUSE Enterprise Storage 7:
    zypper in -t patch SUSE-Storage-7-2022-1157=1

Package List:

o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-demo-0.7.22-150200.12.1
    libsolv-demo-debuginfo-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    libzypp-devel-doc-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python-solv-0.7.22-150200.12.1
    python-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o openSUSE Leap 15.3 (noarch):
    zypper-aptitude-1.14.52-150200.30.2
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Manager Server 4.1 (ppc64le s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Manager Server 4.1 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Manager Retail Branch Server 4.1 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Manager Retail Branch Server 4.1 (x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Manager Proxy 4.1 (x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Manager Proxy 4.1 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1

o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Micro 5.1 (noarch):
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise Micro 5.0 (noarch):
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise Installer 15-SP2 (aarch64 ppc64le s390x x86_64):
    libsolv-tools-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1

o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

o SUSE Enterprise Storage 7 (aarch64 x86_64):
    libsolv-debuginfo-0.7.22-150200.12.1
    libsolv-debugsource-0.7.22-150200.12.1
    libsolv-devel-0.7.22-150200.12.1
    libsolv-devel-debuginfo-0.7.22-150200.12.1
    libsolv-tools-0.7.22-150200.12.1
    libsolv-tools-debuginfo-0.7.22-150200.12.1
    libzypp-17.30.0-150200.36.1
    libzypp-debuginfo-17.30.0-150200.36.1
    libzypp-debugsource-17.30.0-150200.36.1
    libzypp-devel-17.30.0-150200.36.1
    perl-solv-0.7.22-150200.12.1
    perl-solv-debuginfo-0.7.22-150200.12.1
    python3-solv-0.7.22-150200.12.1
    python3-solv-debuginfo-0.7.22-150200.12.1
    ruby-solv-0.7.22-150200.12.1
    ruby-solv-debuginfo-0.7.22-150200.12.1
    zypper-1.14.52-150200.30.2
    zypper-debuginfo-1.14.52-150200.30.2
    zypper-debugsource-1.14.52-150200.30.2

o SUSE Enterprise Storage 7 (noarch):
    zypper-log-1.14.52-150200.30.2
    zypper-needs-restarting-1.14.52-150200.30.2

References:

o https://bugzilla.suse.com/1184501
o https://bugzilla.suse.com/1194848
o https://bugzilla.suse.com/1195999
o https://bugzilla.suse.com/1196061
o https://bugzilla.suse.com/1196317
o https://bugzilla.suse.com/1196368
o https://bugzilla.suse.com/1196514
o https://bugzilla.suse.com/1196925
o https://bugzilla.suse.com/1197134

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYVvuNLKJtyKPYoAQhnSA//TnYumEQP6V589QpYTE93UtdDrt1l8RaU
9ghNLKUEwndqfT0VsHXZbO3FJxf4R+2cz/1ALkVFx5D62OgphQ6bVm4j5ZQZUsPM
MtaFxkys1/CXkBuZ+Ar3krwC8bhwcdcKknPYs2FWVm6xj5P9Jnw8FgfWzUlewF+9
hQ+beOMajx8lf6c1ULJ44tLdb96t1woKmhRD5+gpnQfe9gJqiqFcu18mv7QwNfws
zWqGYztN2XgfYvvCB1S8SGplqC4uYjmmVfHyJp5YmGI0xrb4RC49WlII4ublgIRg
vEqzNe4nBOJNQ7bEjMCPHxyLzSl1GrTxrroA7w+PW3wX049tKPn9VwhPH9D4jfDm
U5KW0hfbLwx2VOaPvWKtostOrFst+0fngJ6ydWgj8mo0koxlFYQEgqNCrXURa21x
uYQz03y3CpUXLwxd9m5XhpXbr+S+Rkua4p+4fL15oqwZrYqGcLZs1YW8O0wc6eRv
yqp7ThkMCRC1SIAZwcvs+PRqj21kJPMuNEWvqZnTSmD3vyMolUa/9bx2AtgSmpMf
vHONvCHBPee+5iuzD9Q4jc5c3TaUBSrvQepTbJS8QoYB8j6Fks7AcmHKtBQ90AeO
NqeWjuxJYCJZgWcKSmHMWT85EuIxt0dZJvwmbYKlZARocXMDr5C1yC4+JqiDFSyW
p6iZgJcDVWs=
=E9Ae
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1582 - [SUSE] libexif: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1582 Security update for libexif 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libexif Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2020-0452 CVE-2020-0198 CVE-2020-0181 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20221148-1 Comment: CVSS (Max): 7.5 CVE-2020-0452 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for libexif ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1148-1 Rating: important References: #1172768 #1172802 #1178479 Cross-References: CVE-2020-0181 CVE-2020-0198 CVE-2020-0452 Affected Products: SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Enterprise Storage 7 SUSE Linux Enterprise Desktop 15-SP3 SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux 
Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Server 15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15
SUSE Linux Enterprise Server for SAP 15-SP1
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libexif fixes the following issues:

o CVE-2020-0181: Fixed an integer overflow that could lead to denial of service (bsc#1172802).
o CVE-2020-0198: Fixed an unsigned integer overflow that could lead to denial of service (bsc#1172768).
o CVE-2020-0452: Fixed a buffer overflow check that could be optimized away by the compiler (bsc#1178479).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

o openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-1148=1
o openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-1148=1
o SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1148=1
o SUSE Manager Retail Branch Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1148=1
o SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15-SP2: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1148=1
o SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1148=1
o SUSE Linux Enterprise Server 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1148=1
o SUSE Linux Enterprise Server 15-SP2-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1148=1
o SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1148=1
o SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1148=1
o SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1148=1
o SUSE Linux Enterprise Realtime Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1148=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1148=1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1148=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP4: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2022-1148=1
o SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1148=1
o SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1148=1
o SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2022-1148=1
o SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2022-1148=1
o SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List: o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o openSUSE Leap 15.4 (x86_64): libexif-devel-32bit-0.6.22-150000.5.9.1 libexif12-32bit-0.6.22-150000.5.9.1 libexif12-32bit-debuginfo-0.6.22-150000.5.9.1 o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o openSUSE Leap 15.3 (x86_64): libexif-devel-32bit-0.6.22-150000.5.9.1 libexif12-32bit-0.6.22-150000.5.9.1 libexif12-32bit-debuginfo-0.6.22-150000.5.9.1 o SUSE Manager Server 4.1 (ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Manager Retail Branch Server 4.1 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Manager Proxy 4.1 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64): 
libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif12-32bit-0.6.22-150000.5.9.1 libexif12-32bit-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif12-32bit-0.6.22-150000.5.9.1 libexif12-32bit-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 
libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Enterprise Storage 7 (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE Enterprise Storage 6 (aarch64 x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 o SUSE CaaS Platform 4.0 (x86_64): libexif-debugsource-0.6.22-150000.5.9.1 libexif-devel-0.6.22-150000.5.9.1 libexif12-0.6.22-150000.5.9.1 libexif12-debuginfo-0.6.22-150000.5.9.1 References: o 
https://www.suse.com/security/cve/CVE-2020-0181.html
o https://www.suse.com/security/cve/CVE-2020-0198.html
o https://www.suse.com/security/cve/CVE-2020-0452.html
o https://bugzilla.suse.com/1172768
o https://bugzilla.suse.com/1172802
o https://bugzilla.suse.com/1178479

- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYVtONLKJtyKPYoAQi1zg/7BrXCWRoOzLJpQYuYgtB/6IdirldokGk9 foJtiVbjQj+s51P43yL76+LL2Q+h0zS5Cq3KX2Ju4xRyEpJacB/fZ5fWd/8LeN/W aZpgH3XKIoa2qFs+aPEvMIVOVAzWcIxvIlVsj6uPcOOBheQTXOCQLwPFZY9meY/O S9BMG8CvMY75qUd+zAsycavasBgrraQCYWDFEfV7eBJAkKo0KHL2CgPQv3nIfNLZ ffviy2MGkXFbFLM3hNIT2WdUFgWt6/JGLzmak9S6i/M5BPF3KQPQoF7dLgFi2ntu GIBfnxoLnUhgpMOVQNZ2O8JtfDWDwzbl/cMQiFrW+ofX6dSCeXDKqds1vCxlhW0B Gbx+vc+oAq49V5xQw/6GVHHepnZydCDCccwJj6fumed6YTfm/Rt86KP6527JjzLh RxmGQLRyl6X/IPggOwG2dv0gFszIhjKYTZT8ifpQypl1MvdvBMukXYh0epE6FTD3 IUIgqPYhsXmanlwCGL6WKz949Ich7Stcb1ZJqpfXOwyr2cdELgKwXzXYudH6hd89 zj0wKMB/havWz/CvfkGqE8CgFO7TZ0gZEPtLEYYvO/hxXsWsg2yTVXnuc6dlShca VmRfeFY50wy0zNrH+0rb9vOpZm3dyXs/TcXlo1z4E3mzuZ7elR6Gu24crnmwIHpi qXl+hYLSl8E= =I1D+ -----END PGP SIGNATURE-----
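The libexif bulletin above (ESB-2022.1582) describes CVE-2020-0452 as a buffer overflow check that the compiler could optimize away. The following is an added example, written for this page and not taken from libexif or from the SUSE advisory. It shows the general pattern behind that class of bug: a bounds check whose arithmetic can overflow (silent wraparound for unsigned integers; undefined behaviour, which the optimizer may exploit by deleting the check, for pointers and signed integers) next to a form that never computes an overflowable value. The sample buffer, the `fits_naive`, `fits_checked`, `read_tag` and `read_sample` names and the tag layout are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not code from libexif or from the SUSE advisory.
 *
 * A parser has to answer one question before it reads a tag payload:
 * does the range [offset, offset + len) lie inside a buffer of `size`
 * bytes?  The tempting test `offset + len <= size` computes the sum
 * first.  With unsigned operands that sum wraps silently; with pointers
 * (`p + len < p`) or signed integers the overflow is undefined
 * behaviour, and a conforming compiler may assume it never happens and
 * drop the comparison altogether.  The robust form never builds a value
 * that can overflow, so there is nothing for the optimizer to delete. */

/* Overflow-prone check, kept only for contrast. */
bool fits_naive(size_t offset, size_t len, size_t size)
{
    return offset + len <= size;        /* wraps when offset + len > SIZE_MAX */
}

/* Overflow-safe check: compare len against the space that remains. */
bool fits_checked(size_t offset, size_t len, size_t size)
{
    if (offset > size)
        return false;
    return len <= size - offset;        /* size - offset cannot underflow here */
}

/* Constructed, minimal tag reader: copy `len` bytes found at `offset`
 * in the parsed image buffer `buf` into `out`.  Returns the byte count,
 * or -1 when the request does not fit the source or the destination. */
long read_tag(const unsigned char *buf, size_t size,
              size_t offset, size_t len,
              unsigned char *out, size_t out_size)
{
    if (!fits_checked(offset, len, size) || len > out_size)
        return -1;
    memcpy(out, buf + offset, len);
    return (long)len;
}

/* Constructed sample buffer standing in for parsed EXIF data. */
static const unsigned char sample_img[] = "EXIFDATA";
#define SAMPLE_SIZE (sizeof sample_img - 1)   /* 8 bytes, NUL excluded */

/* Apply read_tag to the sample with a caller-chosen (possibly hostile)
 * offset and length; returns what read_tag returns. */
long read_sample(size_t offset, size_t len)
{
    unsigned char out[SAMPLE_SIZE];
    return read_tag(sample_img, SAMPLE_SIZE, offset, len, out, sizeof out);
}

int main(void)
{
    /* A length chosen so that offset + len wraps around to a small value. */
    size_t hostile_len = SIZE_MAX - 2;

    printf("naive check   : %s\n",
           fits_naive(4, hostile_len, SAMPLE_SIZE) ? "fits (wrong)" : "rejected");
    printf("checked form  : %s\n",
           fits_checked(4, hostile_len, SAMPLE_SIZE) ? "fits" : "rejected");
    printf("read_sample(4, 4)           = %ld\n", read_sample(4, 4));
    printf("read_sample(4, hostile_len) = %ld\n", read_sample(4, hostile_len));
    return 0;
}
```

The point of `fits_checked` is that every intermediate value is bounded by `size`, so the result does not depend on any overflow rule the compiler is free to reason about; the same rewrite applies to pointer-based checks, where comparing remaining length rather than computed end pointers avoids the undefined arithmetic entirely.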
13 April 2022

ESB-2022.1581 - [SUSE] go1.16: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1581 Security update for go1.16 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: go1.16 Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-24921 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20221164-1 Comment: CVSS (Max): 7.5 CVE-2022-24921 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for go1.16 ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1164-1 Rating: important References: #1182345 #1183043 #1196732 Cross-References: CVE-2022-24921 Affected Products: SUSE Enterprise Storage 7 SUSE Linux Enterprise Desktop 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Realtime Extension 15-SP2 SUSE Linux Enterprise Server 15-SP2-BCL SUSE Linux Enterprise Server 15-SP2-LTSS SUSE Linux Enterprise Server 15-SP3 SUSE Linux Enterprise Server for SAP 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15-SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1 SUSE Manager Server 4.2 openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now 
available.

Description:

This update for go1.16 fixes the following issues:

Update to version 1.16.15 (bsc#1182345):

- CVE-2022-24921: Fixed a potential denial of service via large regular expressions (bsc#1196732).

Non-security fixes:

- Fixed an issue with v2 modules (go#51331).
- Fixed an issue when building source in riscv64 (go#51198).
- Increased compatibility for the DNS protocol in the net module (go#51161).
- Fixed an issue with histograms in the runtime/metrics module (go#50733).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

o openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-1164=1
o openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-1164=1
o SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1164=1
o SUSE Manager Retail Branch Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1164=1
o SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1164=1
o SUSE Linux Enterprise Server for SAP 15-SP2: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1164=1
o SUSE Linux Enterprise Server 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1164=1
o SUSE Linux Enterprise Server 15-SP2-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1164=1
o SUSE Linux Enterprise Realtime Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1164=1
o SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1164=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1164=1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1164=1
o
SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2022-1164=1 Package List: o openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o openSUSE Leap 15.4 (aarch64 x86_64): go1.16-race-1.16.15-150000.1.46.1 o openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o openSUSE Leap 15.3 (aarch64 x86_64): go1.16-race-1.16.15-150000.1.46.1 o SUSE Manager Server 4.1 (ppc64le s390x x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o SUSE Manager Server 4.1 (x86_64): go1.16-race-1.16.15-150000.1.46.1 o SUSE Manager Retail Branch Server 4.1 (x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1 o SUSE Manager Proxy 4.1 (x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Server for SAP 15-SP2 (x86_64): go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 x86_64): go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Server 15-SP2-BCL (x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 o SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64): go1.16-race-1.16.15-150000.1.46.1 o SUSE Linux Enterprise High Performance Computing 
15-SP2-LTSS (aarch64 x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1
o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1
o SUSE Enterprise Storage 7 (aarch64 x86_64): go1.16-1.16.15-150000.1.46.1 go1.16-doc-1.16.15-150000.1.46.1 go1.16-race-1.16.15-150000.1.46.1

References:

o https://www.suse.com/security/cve/CVE-2022-24921.html
o https://bugzilla.suse.com/1182345
o https://bugzilla.suse.com/1183043
o https://bugzilla.suse.com/1196732

- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYVpeNLKJtyKPYoAQjcdQ//YrVOWvSYADOaFFY5cexk0Uw7qin3mzZ4 Rk+dVAgEpw2Bt9HJCsXYuq2Bebz0Nhgjv8yIAgtAxKglU3SLzDq8qr5STaaFJxkS bt5wPSrTjxEzoN4s2xEvBZqnSwfHUChMRNal9aFjGtJjwOswsHtdyBkkMxQaHOej tqU0FWDpTgdsxeMrch+964pHh7JxfIkhlDmlxeZqQlQI9wezuRxys8ixUPFloct/ JWH0kIW/+h1mDTWzYN2mKdQThNcIN3SqalZXmJ+pNhQJTIkWY7u8MtAfZC1lw9mz ZrLKvh3JKTQpw8YVJxakyXRVEoX+bNhQuhSkrjR63uil0eX1Ewr/Nol85YV7xvuK rV+0kpscnNY2Rq3fM8v/ShRml5Xr2TyGBKubuL5WA3DnLkHDn2J26OmhLWdkzDiW byboLeAS4mwo6ICF7LBUBdlPm9+eLFlv7izWSkZOBAIo8PlBQEgTojwl2ZAqUVaM cD/SFxV0aPINjMHy1xP7mBy+ollZki3dFZ+vQILptULbmkSzzVjWOaOFoM0zl5kj BJG7lfARQTWLpTxzL/Fkk59nlVQZ/S0x6CBdjoOJJoIOxZid+FZbswEBSjgKykhi TzvWRIU6YFp7aWgM1fLedAzDNqbMTYWJl39UGHLEJpNZZf4LLxeDqDr2pee9Akil ehOGvXEyeys= =ARCl -----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1580 - [RedHat] Red Hat OpenShift Serverless: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1580 Release of OpenShift Serverless 1.21.1 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat OpenShift Serverless Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-22963 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:1292 Comment: CVSS (Max): 9.8 CVE-2022-22963 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Low: Release of OpenShift Serverless 1.21.1 Advisory ID: RHSA-2022:1292-01 Product: Red Hat OpenShift Serverless Advisory URL: https://access.redhat.com/errata/RHSA-2022:1292 Issue date: 2022-04-11 CVE Names: CVE-2022-22963 ===================================================================== 1. Summary: Release of OpenShift Serverless 1.21.1 Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This version of the OpenShift Serverless Operator, which is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10, includes a security fix. For more information, see the documentation listed in the References section. 
Security Fix(es):

* spring-cloud-function: Remote code execution by malicious Spring Expression (CVE-2022-22963)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
See the Red Hat OpenShift Container Platform 4.9 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2070668 - CVE-2022-22963 spring-cloud-function: Remote code execution by malicious Spring Expression

5.
References: https://access.redhat.com/security/cve/CVE-2022-22963 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/security/vulnerabilities/RHSB-2022-003 https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYlVRTdzjgjWX9erEAQgR4hAAh66FM9+lM2X7d2l44qBtnX52PqWkNIMd 7DnRFFp+bqHyh3Hx7taxlcb6av9yVwmb6WnxOF9gqyJnq0UrprauaDIz/EOjFiNK y3blJVaR7cbBlvbBLoQZcWcMLoKWkW8yyNiMDKjgHTN+HQLXPTnfGtaaAPR6CxIl VIxCO048FAH+eGSZ7UdO7JpCO2RndjZum2gCHL6nKRB4bSGkMok7zoZskPdnZL89 gtJVo5zmd74Q9/3Mhwv3W1pi82dxQF+FlMQeo9LeGVtCE7Cs0Jq58cl0/Jt8axsW 0w+QQ1ZMZkXgc2qY1N7gpAGqsKt738ZcC/LKRbpKRhk7Y81JYnyT7y+rZCWQfGH/ v1sKtKnULhEHiVWVNYnyTif8E1RXbZFJEO6RaDYersgCaS0qR9VscWogT/m6Vmk9 /rXQdyghyA08derh0UTEcbVwUZvzqSmSo7KcUtGeTP3Jy9xd76hK3+/hiJL45gyT 0I8HwyQprwrNXjijD3EY0a1U4ke4ufyDqhHgQzNAkyhwFZGtjE5dYnaYckZVG0h0 iw/BCa9v/PvJ62vAEEeKmuLxd9OY8J1RvkxLI41TDWs1OICEiTytBoKcbtkhgfVN h/PwbrbMWPH/5N5QS0yNxASDnvNZ9EuQTBizwEQkHYArXoSIBKQWdqODqpRD6u2X i8LdSrRG05U= =vkMk - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. 
The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYVAuNLKJtyKPYoAQjsvA//bLHzoBji9WLq34TGJFlxWg9Rkjp7BaEk sBgy/XTAPhfKSLN9F7xahHUiAbvORJGHlZAQ2CKaQGskuMA1WNPWIj/s1UkONYrr zAC7KnpgS3cX1aNMaTz2jWfw68KktGP7QYpWiHN7TUckPWRQsu2MMf/f4Slp7hJ5 Kiw7KiZnjiOQEq+ZTuMx69H05ojseu5SizHq9CEFa3B3YmKlRjN3MnCGod3sF0FC w8OTbltLcsoL5uA+MBk8YmTFILVDWB4zV2Nz2xaLDG98l0+DtY4cLpbp39Pn/yUZ G7zk5hw4GNPHF2NNvuv2xiPWOFtZpK3OFYH1iEA6OuqiA6zBljrhXg+WZXNB2/ct onEYOV2Ai603/FlyfaYYFA1lpyv3RVEm38N+twTSCJoCQaiE8/0KkTCN3O7eMCP/ 2lA5d0PmUS26DIgwl6yeoCzZ/SDA5Kxm1dP0kTsj260RZgsJZqaN2gNo2AGcDNtM 8djiOZMc64Jj84TWqar783K+jcCSGTN/tO0YGRDaU1QYNkhS/OMkF+ilzQEj/aBQ WC++AkqVT6JkVlKukufBhn47iDO7cXtXZWXFyshe18WhG9KzYQhPNSnH7oOqbLGM L9zyW/Hxhu5LlB+oIXtjDAXAgzLEEqGyHJQ2UqNOIXDtC6KugEomnpEMqTz29rNg GecVpuCCUqI= =tPDV -----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1579 - [RedHat] expat: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1579
                           expat security update
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           expat
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25315 CVE-2022-25236 CVE-2022-25235
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:1309

Comment: CVSS (Max):  9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: expat security update
Advisory ID:       RHSA-2022:1309-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1309
Issue date:        2022-04-11
CVE Names:         CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
=====================================================================

1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)

* expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)

* expat: Integer overflow in storeRawNames() (CVE-2022-25315)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()
2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:
expat-2.0.1-14.el6_10.src.rpm

i386:
expat-2.0.1-14.el6_10.i686.rpm
expat-debuginfo-2.0.1-14.el6_10.i686.rpm
expat-devel-2.0.1-14.el6_10.i686.rpm

s390x:
expat-2.0.1-14.el6_10.s390.rpm
expat-2.0.1-14.el6_10.s390x.rpm
expat-debuginfo-2.0.1-14.el6_10.s390.rpm
expat-debuginfo-2.0.1-14.el6_10.s390x.rpm
expat-devel-2.0.1-14.el6_10.s390.rpm
expat-devel-2.0.1-14.el6_10.s390x.rpm

x86_64:
expat-2.0.1-14.el6_10.i686.rpm
expat-2.0.1-14.el6_10.x86_64.rpm
expat-debuginfo-2.0.1-14.el6_10.i686.rpm
expat-debuginfo-2.0.1-14.el6_10.x86_64.rpm
expat-devel-2.0.1-14.el6_10.i686.rpm
expat-devel-2.0.1-14.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/cve/CVE-2022-25236
https://access.redhat.com/security/cve/CVE-2022-25315
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1578 - [RedHat] OpenShift Container Platform 4.8.36: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1578
            OpenShift Container Platform 4.8.36 security update
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.8.36
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0567
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:1154

Comment: CVSS (Max):  7.5 CVE-2022-0567 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.8.36 security update
Advisory ID:       RHSA-2022:1154-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1154
Issue date:        2022-04-11
CVE Names:         CVE-2022-0567
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.8.36 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.36. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2022:1153

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Security Fix(es):

* ovn-kubernetes: Ingress network policy can be overruled by egress network policy on another pod (CVE-2022-0567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.36-x86_64

The image digest is sha256:faf1f5ae9636ef79c6027cd1ca68b0a93607f8ccc12e8e537f8f8bc21d7dfb15

(For s390x architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.36-s390x

The image digest is sha256:a12f7b0736d8a4cbf201d95899712b448b977eaae4b3178b04adb565cb6b636a

(For ppc64le architecture)

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.36-ppc64le

The image digest is sha256:f90df1f857eec5ac6c40ccb50bfd1c4a4e962a89b1ae4da354094385c6c130fc

All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2026110 - Altering the Schedule Profile configurations doesn't affect the placement of the pods
2043808 - No way to verify if IPs with leading zeros are still valid in the apiserver
2052097 - global pull secret not working in OCP4.7.4+ for additional private registries
2053122 - Build is not recognizing the USER group from an s2i image
2053326 - CVE-2022-0567 ovn-kubernetes: Ingress network policy can be overruled by egress network policy on another pod
2057557 - Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex
2060450 - Overview page does not load from openshift console for some set of users after upgrading to 4.7.19
2063836 - [4.8z] High cpu load on Juniper Qfx5120 Network switches after upgrade to Openshift 4.8.26
2064634 - MachineSet is not scaling up due to an OpenStack error trying to create multiple ports with the same MAC address
2065311 - [4.8z] Network policies are not implemented or updated by OVN-Kubernetes
2066302 - Ingress Operator is not closing TCP connections.
2066675 - AWS io2 machine fails due to no iops despite it being configured
2066760 - `oc debug node` does not meet compliance requirement
2067107 - co/image-registry is degrade because ImagePrunerDegraded: Job has reached the specified backoff limit
2068509 - ovnkube-masters suddenly stop processing add/del events for pods
2068895 - PodDisruptionBudgetAtLimit alert fired in SNO cluster

5. References:

https://access.redhat.com/security/cve/CVE-2022-0567
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1577 - [RedHat] thunderbird: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1577
                        thunderbird security update
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28289 CVE-2022-28286 CVE-2022-28285 CVE-2022-28282
                   CVE-2022-28281 CVE-2022-24713 CVE-2022-1197 CVE-2022-1196
                   CVE-2022-1097
Original Bulletin: https://access.redhat.com/errata/RHSA-2022:1326

Comment: CVSS (Max):  7.5 CVE-2022-28289 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update
Advisory ID:       RHSA-2022:1326-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1326
Issue date:        2022-04-12
CVE Names:         CVE-2022-1097 CVE-2022-1196 CVE-2022-1197 CVE-2022-24713
                   CVE-2022-28281 CVE-2022-28282 CVE-2022-28285 CVE-2022-28286
                   CVE-2022-28289
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.8.0.

Security Fix(es):

* Mozilla: Use-after-free in NSSToken objects (CVE-2022-1097)

* Mozilla: Out of bounds write due to unexpected WebAuthN Extensions (CVE-2022-28281)

* Mozilla: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8 (CVE-2022-28289)

* Mozilla: Use-after-free after VR Process destruction (CVE-2022-1196)

* Mozilla: OpenPGP revocation information was ignored (CVE-2022-1197)

* Mozilla: Use-after-free in DocumentL10n::TranslateDocument (CVE-2022-28282)

* Mozilla: Incorrect AliasSet used in JIT Codegen (CVE-2022-28285)

* Mozilla: Denial of Service via complex regular expressions (CVE-2022-24713)

* Mozilla: iframe contents could be rendered outside the border (CVE-2022-28286)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2072559 - CVE-2022-1097 Mozilla: Use-after-free in NSSToken objects
2072560 - CVE-2022-28281 Mozilla: Out of bounds write due to unexpected WebAuthN Extensions
2072561 - CVE-2022-1196 Mozilla: Use-after-free after VR Process destruction
2072562 - CVE-2022-28282 Mozilla: Use-after-free in DocumentL10n::TranslateDocument
2072563 - CVE-2022-28285 Mozilla: Incorrect AliasSet used in JIT Codegen
2072564 - CVE-2022-28286 Mozilla: iframe contents could be rendered outside the border
2072565 - CVE-2022-24713 Mozilla: Denial of Service via complex regular expressions
2072566 - CVE-2022-28289 Mozilla: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
2072963 - CVE-2022-1197 Mozilla: OpenPGP revocation information was ignored

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
thunderbird-91.8.0-1.el8_2.src.rpm

aarch64:
thunderbird-91.8.0-1.el8_2.aarch64.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.aarch64.rpm
thunderbird-debugsource-91.8.0-1.el8_2.aarch64.rpm

ppc64le:
thunderbird-91.8.0-1.el8_2.ppc64le.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.ppc64le.rpm
thunderbird-debugsource-91.8.0-1.el8_2.ppc64le.rpm

x86_64:
thunderbird-91.8.0-1.el8_2.x86_64.rpm
thunderbird-debuginfo-91.8.0-1.el8_2.x86_64.rpm
thunderbird-debugsource-91.8.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1097
https://access.redhat.com/security/cve/CVE-2022-1196
https://access.redhat.com/security/cve/CVE-2022-1197
https://access.redhat.com/security/cve/CVE-2022-24713
https://access.redhat.com/security/cve/CVE-2022-28281
https://access.redhat.com/security/cve/CVE-2022-28282
https://access.redhat.com/security/cve/CVE-2022-28285
https://access.redhat.com/security/cve/CVE-2022-28286
https://access.redhat.com/security/cve/CVE-2022-28289
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1576 - [RedHat] kernel: CVSS (Max): 7.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1576
kernel security and bug fix update
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           kernel
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22942 CVE-2021-4083 CVE-2021-4028 CVE-2021-0920

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1324

Comment: CVSS (Max):  7.4 CVE-2021-4083 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update
Advisory ID:       RHSA-2022:1324-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1324
Issue date:        2022-04-12
CVE Names:         CVE-2021-0920 CVE-2021-4028 CVE-2021-4083 CVE-2022-22942
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Use After Free in unix_gc() which could result in a local privilege escalation (CVE-2021-0920)
* kernel: use-after-free in RDMA listen() (CVE-2021-4028)
* kernel: fget: check that the fd still exists after getting a ref to it (CVE-2021-4083)
* kernel: failing usercopy allows for use-after-free exploitation (CVE-2022-22942)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* guest using rtl8139 can not connect to network (BZ#2063889)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2027201 - CVE-2021-4028 kernel: use-after-free in RDMA listen()
2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2031930 - CVE-2021-0920 kernel: Use After Free in unix_gc() which could result in a local privilege escalation
2044809 - CVE-2022-22942 kernel: failing usercopy allows for use-after-free exploitation

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:
kernel-3.10.0-1062.66.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm

x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:
kernel-3.10.0-1062.66.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm

ppc64le:
bpftool-3.10.0-1062.66.1.el7.ppc64le.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-bootwrapper-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-headers-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm

x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:
kernel-3.10.0-1062.66.1.el7.src.rpm

noarch:
kernel-abi-whitelists-3.10.0-1062.66.1.el7.noarch.rpm
kernel-doc-3.10.0-1062.66.1.el7.noarch.rpm

x86_64:
bpftool-3.10.0-1062.66.1.el7.x86_64.rpm
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-devel-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-headers-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.66.1.el7.x86_64.rpm
perf-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:
bpftool-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debug-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-debuginfo-common-ppc64le-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.ppc64le.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.ppc64le.rpm

x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:
bpftool-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debug-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-debuginfo-common-x86_64-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.66.1.el7.x86_64.rpm
perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm
python-perf-debuginfo-3.10.0-1062.66.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-0920
https://access.redhat.com/security/cve/CVE-2021-4028
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2022-22942
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlWl0dzjgjWX9erEAQjNoBAAkg59cuZJknFcK2kCfOAjviIxo0Fzm+rB
Ka7UFBEqzzz/CAq8rrokGWpjR8Q5vRleaegGdmbWJ0QaBWjAIjJzJ5qqYQxIZfh8
p5SuDollpjb8v9Yi6OYNAcnkmBPR7G/K//z6NOhnXfpxTX1p8QcvqTWDt4qXGKPQ
JkuzE8Zw/u0K+87aIn4gZVwTAtHrfGLKpZKnprVDKt81pg9zgSXJcpUYtKYOjF/M
Z9b8dUMl5r8d7Xy5mDlhhBHNVyeL+Hf1ucAHpflWxJXCXXM7IFefxQhWEL5mSK3/
KcjFu2RjG5dVKf8+ILQrdULW/1WxIPJEXAQY799sAsgSy+XdgG8FhU5D0ETentGB
NB4eGPwlzEbdZMHkrj8W9GidaKYjGGEZJsnFdpQndB29B3UFEQfeCLwR/BZhy5Jc
AilViTRyn+WMRFrO+uz4/vECCM3FkM89pl8vQK5UZX0XwjNzxAKH9he2FznJlK+k
pZml1TTPnaAPUrWvSGWO967a8lxYm3faaOYFUqhRJzv+BoUoVpzZOrLaiDqIJxPX
bEB/x/sJaPOjqVKM2Y5Ltzm+/LSFT0kZFI/nWhTVbk4VL0YMosYjg1d4EaN2NWTo
OnbA92GYBIBsQE+0SsACkuYXrQua71jQV/3xYqdk7KD7QdOIG4LqXYpIwF4BHoQ7
PwbfLaK67DM=
=v3P6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYU3ONLKJtyKPYoAQjcQhAAh96O5oj35AlswvUeVzFT0vvaHAOLTDfl
3HGM2PA0UsdZadeVmZ1JmVPVyO5dKlDIaKW3b5idFxn2U1A9Mvf0zzIp2UMH4un3
BGdahapZdN7qu9y2UKl/9dQRtU3I0c73Oqun0mAaRdzy0YHWzwnnMmouJ3g2vW6w
3DahOhFCKACpY2Ox/Di00UUI1UDVCdH6HDSJwguoU4Fa5rLchavIW12D/Sis3A/O
eumpeVVVGwsAQ3YppHd3TpSuVIpqRKQT2Z7eNn48X5GsvVrQ66V5TOHVRadGvYuq
2z1TY8uOas7L6+y+KQURYEoQg0TbfkV0UuNZ9RBNCHRxl3e3T3qXAy98UHduWZfw
sEoFzRLLa5CG0fHyFHCQi8YdpZUUn2RwQiHHsluTTC4MJ2oyAFWFC3PfMxAN4NNR
8/p8kO1lvq7t65k8tEisPmLCNrDCuRljlrgQcK99t8QTzwY+iHIkUAdi7ODYxK+l
kiEuIEdsh50+XydLCBce/oDjz4eiWgCIp/amDfAhQ2IY9YUFSDIfO/pnPCKQHZdP
0QNUopSsKwYMi9QeJXz7ALgBncvuUFR4DiSXtAF1jNBx9XUNZ9xLowd2DdBl4Xcn
ctHArnGEgzOWzCjYj4agZdLjws+4iY94nhjG3808gHTfGnNLUJ2u/Mgs3c5NCre5
/5ZClhL/crM=
=jS5e
-----END PGP SIGNATURE-----
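The solution section of the kernel advisory states that the system must be rebooted for the update to take effect, so "the fixed package is installed" and "the fixed kernel is running" are two separate checks. The block below is an added example in Python, not Red Hat tooling: a port of rpm's rpmvercmp() segment rules (numeric runs compare numerically with leading zeros ignored, alphabetic runs compare lexically, a numeric segment beats an alphabetic one, "~" sorts before everything including end-of-string, "^" sorts after end-of-string but before any other segment), a parser for kernel NVRs and uname -r strings, and a classifier that reports a host as vulnerable, reboot-required or patched against the build this advisory ships, kernel-3.10.0-1062.66.1.el7. The version strings it runs on are constructed for the example; on a real host they would come from `rpm -q kernel` and `uname -r`.

```python
"""Is the fixed kernel installed, and is it the one running?

Added example (not Red Hat tooling): a Python port of rpm's rpmvercmp()
segment rules, used to compare installed and running kernel builds against
the build this advisory ships, kernel-3.10.0-1062.66.1.el7. The sample
version strings are constructed; on a host they come from `rpm -q kernel`
and `uname -r`.
"""
import re
import sys
from typing import Tuple

# rpmvercmp splits on runs of digits, runs of letters, '~' and '^';
# everything else ('.', '-', '_') is a separator and is ignored.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")

FIXED_KERNEL = "kernel-3.10.0-1062.66.1.el7"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm's rpmvercmp(a, b) would."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":        # '~' sorts before anything, even end-of-string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":        # '^' sorts after end-of-string, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None:                   # shorter string with the same prefix is older
            return -1
        if y is None:
            return 1
        x_num, y_num = x[0].isdigit(), y[0].isdigit()
        if x_num != y_num:              # a numeric segment beats an alphabetic one
            return 1 if x_num else -1
        if x_num:
            if int(x) != int(y):        # int() drops leading zeros, as rpm does
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_kernel(s: str) -> Tuple[str, str]:
    """'kernel-3.10.0-1062.66.1.el7.x86_64' or uname -r's
    '3.10.0-1062.66.1.el7.x86_64' -> ('3.10.0', '1062.66.1.el7')."""
    if s.startswith("kernel-"):
        s = s[len("kernel-"):]
    s = re.sub(r"\.(x86_64|ppc64le|noarch|src)(\.rpm)?$", "", s)
    version, _, release = s.partition("-")
    if not release:
        raise ValueError(f"no release part in {s!r}")
    return version, release


def compare_kernel(a: str, b: str) -> int:
    """Compare version first, release only on a tie (rpm's V-R ordering)."""
    va, ra = parse_kernel(a)
    vb, rb = parse_kernel(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def kernel_status(installed: str, running: str, fixed: str = FIXED_KERNEL) -> str:
    """'vulnerable'      - newest installed kernel is older than the fix
       'reboot-required' - fix installed, but an older kernel is still running
       'patched'         - the running kernel is at or above the fix"""
    if compare_kernel(installed, fixed) < 0:
        return "vulnerable"
    if compare_kernel(running, fixed) < 0:
        return "reboot-required"
    return "patched"


if __name__ == "__main__":
    if len(sys.argv) == 3:      # newest "rpm -q kernel" entry and "$(uname -r)"
        print(kernel_status(sys.argv[1], sys.argv[2]))
    else:                       # constructed sample hosts
        for inst, run in (("kernel-3.10.0-1062.64.1.el7.x86_64", "3.10.0-1062.64.1.el7.x86_64"),
                          ("kernel-3.10.0-1062.66.1.el7.x86_64", "3.10.0-1062.64.1.el7.x86_64"),
                          ("kernel-3.10.0-1062.66.1.el7.x86_64", "3.10.0-1062.66.1.el7.x86_64")):
            print(f"{kernel_status(inst, run):16} installed={inst} running={run}")
```

The comparison only answers whether a build is at or above this advisory's build. It is meaningful for hosts on the RHEL 7.7 AUS, E4S and TUS streams the advisory covers; a kernel from another RHEL 7 minor release belongs to a different build stream, and whether that release's own erratum for these CVEs is applied has to be checked against that erratum, not against 3.10.0-1062.66.1.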
13 April 2022

ESB-2022.1575 - [RedHat] OpenShift Virtualization 4.8.5 RPMs: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1575
OpenShift Virtualization 4.8.5 RPMs security update
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           OpenShift Virtualization 4.8.5 RPMs
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34558 CVE-2021-33198 CVE-2021-33197 CVE-2021-33195

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1329

Comment: CVSS (Max):  7.5 CVE-2021-33198 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.8.5 RPMs security update
Advisory ID:       RHSA-2022:1329-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1329
Issue date:        2022-04-12
CVE Names:         CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.8.5 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CNV 4.8 for RHEL 7 - x86_64
CNV 4.8 for RHEL 8 - x86_64

3. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.8.5 RPMs.

Security Fix(es):

* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
2044050 - 4.8.5 rpms

6. Package List:

CNV 4.8 for RHEL 7:

Source:
kubevirt-4.8.5-278.el7.src.rpm

x86_64:
kubevirt-virtctl-4.8.5-278.el7.x86_64.rpm
kubevirt-virtctl-redistributable-4.8.5-278.el7.x86_64.rpm

CNV 4.8 for RHEL 8:

Source:
kubevirt-4.8.5-278.el8.src.rpm

x86_64:
kubevirt-virtctl-4.8.5-278.el8.x86_64.rpm
kubevirt-virtctl-redistributable-4.8.5-278.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlWlsdzjgjWX9erEAQjiAA//aMWeXha6TgTtIhczZPKQygKrInDUmR/D
NWWzbXGlhTqUewWc18GlRV9u8m+S2Zs9Yq5apfOMv5pnqEDeWrLEcyzhx/mJryfD
vk3Q59vI2a8pBl6VJYUt5zKwmmTVPPxwy0tK7J8UbA+Ub4+kII5fi7vC3UKRYuas
5Bk3UvXZFOk7OhuNxuyRbNblGExAiBG3lfBA/Taye64yKOVznXFRUJ6HEhEAbtTD
1q6yDgkgWJgHegw7hrnd34H3EVP9MFutbkWCMTXZB7draj1ziGUDwO16kdLCO05f
47UMc2CAq588XtumXob9+QMHp7Zwdh64SEbG11o9o2UXxH+w3+iLnkTj2mQzgF2t
izyvKgHgHsgtyPSDlTOU160jv7rTe05HeA9QoZpQYGCTGoMvQZuvls5+MBrkEXf5
xV/TVfpQxaRbWTw4UmuIuNoNsZUQgLetbtJDLjJBtD7ko2+pMHK1VbfKQ6x2bpuT
mRN3IpokYZpEptnoLdVJuadSuUKppmWT0TYsB+Fu5Z1orONRJ0oiJg258hW0sSut
wD6G0ucWsEvpbuVaY+pu9OrYQ0yESfiVqap+PbqgAFt9d3CHZTQwQjf4gxH84x5l
n5zkJyLrvg6h389bAKAPzY2sHi+utlW9GfyXRyA5F17udf5qO0WjnOwrjkO9imj5
VzyXMOf0wiM=
=we3S
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYU1+NLKJtyKPYoAQg02g/+L3fPQhGcKIUSY6V5sdxTDYfPRUjUhk/G YVv9nYTENqFoCBdP6+sYPoEPO7PMLRrdvkj+TDtLLTpGck/eqoJxNXmCa/XLA7HY lJ7LmPPrIU6v1tFLZme1k8rsv2mSBcKbfV6RRZDsbPLagKR/uMkl71MU21+/lW3c OopxVOcVr87yd1kOs9GMIu/DNNsss2wxoCvmciBRlTYqExmrWu78Y8ThDK74p1sL LBcX+Z5wPCpjQmSsjX3mNQGsK6PGEbUkDx7nc6Q40MK8aD7OrxNylmeKSntPMLIq APwWoCG1oIidlfd6Jl+TEz6wvvTZbMl3JZKiXsUyZX4t5FDYvp53J7Swindi8+KQ kPt1xyO/FGiiExNI+GbQ69+6IOSM/xoXTBvpSoaBJy8zLD9jEUuObR0FDY2YYhPs t+C5M8QyeTctQAgT8XbdO/L3y+6kxvE0rnEKv1DfoiGVAnWU4zOrVWu51C7+0zhd JQpTAq+sHJTWXBq1+QrUpaCtqHta6gHhZMM7tQTV0S9HSxb7y52fVpz2RM3rf+c7 ZEs2VkDz0hDLaQsumvv1Yai1TUu7Ko0w3hUY9UkUefraNGCgXBMlILZ6F0M72x9K VVMCwfI4n2mHZa2VkIe957uICXEz96NuKWXN5zPQVNjUT7n42NVOnuENemDu7ZcU 1+HUhFPNnq0= =wF4n -----END PGP SIGNATURE-----
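One of the fixes listed in the OpenShift Virtualization advisory, CVE-2021-33197, is titled "ReverseProxy forwards connection headers if first one is empty". The block below is an added example in Python; it is not Go's net/http/httputil code and not part of the kubevirt packages. It implements the hop-by-hop header filter a reverse proxy needs under RFC 7230 section 6.1 (remove the standard hop-by-hop headers plus every header named in any Connection field) and, beside it, a deliberately faulty filter that inspects only the first value of each header and gives up when that value is empty. The faulty variant is a model of the failure named in the advisory title, not a reconstruction of the Go patch. The two-proxy chain, the client IP addresses and the request headers are constructed for the example; the chain shows why a leaked Connection field matters: a second proxy behind the first honours it and drops a header the first proxy added.

```python
"""Hop-by-hop header stripping in a reverse proxy.

Added example in Python (not Go's net/http/httputil and not part of the
kubevirt packages). RFC 7230 section 6.1: a proxy must remove the headers
named in every Connection field, plus the standard hop-by-hop headers,
before forwarding. The faulty variant below models the failure named in
the CVE-2021-33197 title ("forwards connection headers if first one is
empty"); it is an illustration of the failure mode, not the Go code.
"""
from typing import Callable, List, Tuple

Header = Tuple[str, str]

# Hop-by-hop whether or not a Connection field names them.
ALWAYS_HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})


def _drop(headers: List[Header], names: set) -> List[Header]:
    return [(n, v) for n, v in headers if n.lower() not in names]


def strip_hop_by_hop_faulty(headers: List[Header]) -> List[Header]:
    """Faulty filter (constructed model of the advisory's failure mode):
    only the FIRST value of each header name is consulted, and a name is
    skipped entirely when that value is empty. `Connection:` followed by
    `Connection: X-Forwarded-For` therefore leaves every Connection field in
    place and never removes the header it names."""
    first = {}
    for n, v in headers:
        first.setdefault(n.lower(), v)
    names = {n for n in ALWAYS_HOP_BY_HOP if first.get(n, "") != ""}
    if first.get("connection", "") != "":
        names.update(t.strip().lower() for t in first["connection"].split(",") if t.strip())
    return _drop(headers, names)


def strip_hop_by_hop(headers: List[Header]) -> List[Header]:
    """Correct filter: every Connection field is parsed as a comma list,
    empty list elements are skipped, and every named header is removed
    together with the always-hop-by-hop set."""
    names = set(ALWAYS_HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            for token in value.split(","):
                token = token.strip().lower()
                if token:
                    names.add(token)
    return _drop(headers, names)


def proxy_hop(headers: List[Header], client_ip: str,
              strip: Callable[[List[Header]], List[Header]]) -> List[Header]:
    """One proxy: strip hop-by-hop headers, then record the peer address.
    (Real proxies fold X-Forwarded-For into one comma-separated value; a
    separate field per hop keeps the example easy to inspect.)"""
    out = strip(headers)
    out.append(("X-Forwarded-For", client_ip))
    return out


def two_hop_chain(client_headers: List[Header],
                  edge_strip: Callable[[List[Header]], List[Header]]) -> List[Header]:
    """Client -> edge proxy (edge_strip) -> inner proxy (correct) -> app.
    Addresses are constructed (203.0.113.0/24 is the documentation range)."""
    after_edge = proxy_hop(client_headers, "203.0.113.7", edge_strip)
    return proxy_hop(after_edge, "10.0.0.2", strip_hop_by_hop)


def xff_values(headers: List[Header]) -> List[str]:
    return [v for n, v in headers if n.lower() == "x-forwarded-for"]


# Constructed client request: an empty first Connection field, then a
# second one that names the header the edge proxy is about to add.
CLIENT_REQUEST: List[Header] = [
    ("Host", "app.example.internal"),
    ("Connection", ""),
    ("Connection", "X-Forwarded-For"),
    ("Accept", "*/*"),
]


if __name__ == "__main__":
    print("edge faulty , app sees X-Forwarded-For:", xff_values(two_hop_chain(CLIENT_REQUEST, strip_hop_by_hop_faulty)))
    print("edge correct, app sees X-Forwarded-For:", xff_values(two_hop_chain(CLIENT_REQUEST, strip_hop_by_hop)))
```

With the faulty edge filter the client's Connection fields reach the inner proxy, which dutifully strips the X-Forwarded-For the edge added, so the application sees only the inner proxy's address and any IP-based control or audit record built on that header is working from attacker-chosen data. With the correct filter both addresses arrive. The same check applies to any header a proxy adds and an upstream trusts: if the upstream is itself a proxy, a forwarded Connection field is a way to make it delete that header.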
13 April 2022

ESB-2022.1574 - [RedHat] Red Hat OpenShift Application Runtimes: CVSS (Max): 7.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2022.1574
Red Hat support for Spring Boot 2.5.10 update
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Red Hat OpenShift Application Runtimes
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-42340 CVE-2021-41079 CVE-2021-33037 CVE-2021-30640
                   CVE-2021-20289 CVE-2021-3859 CVE-2021-3642 CVE-2021-3629
                   CVE-2021-3597

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:1179

Comment: CVSS (Max):  7.5 CVE-2021-42340 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID:       RHSA-2022:1179-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1179
Issue date:        2022-04-12
CVE Names:         CVE-2021-3597 CVE-2021-3629 CVE-2021-3642 CVE-2021-3859
                   CVE-2021-20289 CVE-2021-30640 CVE-2021-33037 CVE-2021-41079
                   CVE-2021-42340
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.5.10 serves as a replacement for Red Hat support for Spring Boot 2.4.9, and includes bug fixes and enhancements. For more information, see the release notes listed in the References section.

Security Fix(es):

* undertow: client side invocation timeout raised when calling over HTTP2 (CVE-2021-3859)
* tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine (CVE-2021-41079)
* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)
* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
* resteasy: Error message exposes endpoint class information (CVE-2021-20289)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlX6EdzjgjWX9erEAQg9yA/+P1/lTMOi1yV6LLfSX3BdGGK82PYJsuO5
mafisp3yqeixCcljWGYZTjGeptsYoVqDPR1KqYJ2RKJyHcFYdI0DvdrmUHODIVAN
jgmXaeM+i5HfuSX7o+qsH5ZGkuSVT/H6MCTahZo4QwyzNjT2Zmri1jV0D/LA9fW9
pQd91GVrDeVfL0YzOJkdPaaIqaF/suOcH3saCeuABJ5H0qehRBQdlvh0z4ZjZTek
g8knA+/X83ggC1DLlCj9AmHT+RTlD1VrlUgXqrygcCgA58+JK5vM12/mMIslkEL6
+iNCkgpV6nYEW/N0G2CfH9sTk8JYpoY78Yx7V2hT1AxkEPaeReyVjTYcqfV1LenU
2Beo4J1WU4+T5CUao4P/2+MLSsDJDSadfEXM1sGJayULONl61bSCB/+Z/CMA7I/P
sLLhvN4TvMQB1dAfFmj9MFSArQQnxbrzkhp5/rPqWSHTfb1d0sSFU7SpqC4HYH+z
LCcLfC4ItUd5eBLRMtcJQdnFsPqL/3UdoqHyh5CKjJgTVXs/2Q8vKVdIFihon8GB
bPl7YGZT7zyhuSDi26nC0ThjanbE0LVG7Y2MUYNEyQz3gqXU8+HJKBRpKOwihqwM
RFJnNFSPqP3eHfbOMBGQpAzdkT7iLRCuyEGUesN6IplndYdn4fepDep/rdqeGk14
lGgYrqQ7rUU=
=fUW+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYlYUweNLKJtyKPYoAQgOsw//dT29ikqu9kMfhibATlpzv3apMjR4xtPw
kakGpyYw9h2DE8xCYP4RqlqVl1ZBNNJQe76mQcK5xREaTqYLbcz3ZwCouaAExKOS
UcIKASSm6APobAOPU8fddxdQKyURpWrVj1Lidj9QykhFeGROL6jttFH5rYxfXn/S
qruNaW2sUDn/jPv7UZsjW7l0HQeTHyUrc5Fv9KG7OcromxJf03zdpk7XgqRypwBW
/5O0ONE8tE5WiZQpYmgt5IPA++fJ9qaIEm9fw+pPKGkYd0gb0NcUHBIFvuUigDLp
4Imr3yO1lHGbCXHhUkgx0G//S4D5ZLVeqJHo3Z4AYbsL2jDmh4ZssAz0dw1OuwVZ
jUsvWbIKtB4EP4kCVaWG9miRORK4FBnVJLSX4i4OHRq3LzzOMNxa9Y4xrlbGiBHP
PyUJ2ChK9ixWqgYAlYklwK/kKQ/d04MEsQmbeuXhG0AIwA96B5icSwAJ9dVZTj6n
eESxSrojejsqOvvwFjvbnglKpfosMYwTWxwOg3Gd0kTj1TOJCwoZalOgTax+gb0V
0woG2Za598lY1g/wFkW3O5K2lrdiQMTFC6Pw2A1+b8nIS/BGzARdbun85ODz4Bqu
d+bsuc9DFKjsonGO9n4bYsEtdMPQTnAL/3v212TA8NWoi10YGTEyr3hBR3Vweurh
y4sKNDXliiQ=
=67OQ
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1573 - [Win][UNIX/Linux] Ruby: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1573 CVE-2022-28739: Buffer overrun in String-to-Float conversion 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Ruby Publisher: Ruby Operating System: UNIX variants (UNIX, Linux, OSX) Windows Resolution: Patch/Upgrade CVE Names: CVE-2022-28739 Original Bulletin: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/ Comment: CVSS (Max): None available when published - --------------------------BEGIN INCLUDED TEXT-------------------- CVE-2022-28739: Buffer overrun in String-to-Float conversion Posted by mame on 12 Apr 2022 A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739 . We strongly recommend upgrading Ruby. Details Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read. Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2. Affected versions o ruby 2.6.9 or prior o ruby 2.7.5 or prior o ruby 3.0.3 or prior o ruby 3.1.1 or prior Credits Thanks to piao for discovering this issue. History o Originally published at 2022-04-12 12:00:00 (UTC) - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. 
13 April 2022

ESB-2022.1572 - [Win][UNIX/Linux] Ruby: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1572
CVE-2022-28738: Double free in Regexp compilation
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28738

Original Bulletin:
   https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2022-28738: Double free in Regexp compilation

Posted by mame on 12 Apr 2022

A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.

Details

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a double free vulnerability.

Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

Please update Ruby to 3.0.4, or 3.1.2.

Affected versions

o ruby 3.0.3 or prior
o ruby 3.1.1 or prior

Note that ruby 2.6 series and 2.7 series are not affected.

Credits

Thanks to piao for discovering this issue.

History

o Originally published at 2022-04-12 12:00:00 (UTC)

- --------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1571 - [Appliance] Aethon TUG Home Base Server: CVSS (Max): 9.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1571
Advisory (icsa-22-102-05) Aethon TUG Home Base Server
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Aethon TUG Home Base Server
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Mitigation
CVE Names:         CVE-2022-27494 CVE-2022-26423 CVE-2022-1070
                   CVE-2022-1066 CVE-2022-1059

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05

Comment: CVSS (Max):  9.8 CVE-2022-1070 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-102-05)
Aethon TUG Home Base Server

Original release date: April 12, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

1. EXECUTIVE SUMMARY

o CVSS v3 9.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Aethon (owned by ST Engineering)
o Equipment: TUG Home Base Server
o Vulnerabilities: Missing Authorization, Channel Accessible by Non-endpoint, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow full control of robot functions, or expose sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Aethon reports these vulnerabilities affect the following versions of TUG Home Base Server, a server used to control and communicate with autonomous mobile robots in hospitals:

o All versions prior to Version 24

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHORIZATION CWE-862

An unauthenticated attacker can arbitrarily add new users with administrative privileges and delete or modify existing users.

CVE-2022-1066 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.2.2 MISSING AUTHORIZATION CWE-862

An unauthenticated attacker can freely access hashed user credentials.

CVE-2022-26423 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.2.3 CHANNEL ACCESSIBLE BY NON-ENDPOINT CWE-300

An unauthenticated attacker can connect to the TUG Home Base Server websocket to take control of TUG robots.

CVE-2022-1070 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 CROSS-SITE SCRIPTING CWE-79

The "Reports" tab of the Fleet Management Console is vulnerable to stored cross-site scripting attacks when new reports are created or edited.

CVE-2022-27494 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

3.2.5 CROSS-SITE SCRIPTING CWE-79

The "Load" tab of the Fleet Management Console is vulnerable to reflected cross-site scripting attacks.

CVE-2022-1059 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
o COUNTRIES/AREAS DEPLOYED: East Asia, United States
o COMPANY HEADQUARTERS LOCATION: Singapore

3.4 RESEARCHER

Asher Brass and Daniel Brodie of Cynerio reported these vulnerabilities to CISA.

4. MITIGATIONS

Aethon has implemented a mitigation plan to address these vulnerabilities. Aethon has checked all locations where this product is in use to ensure firewalls are active and to update systems to the newest software (Version 24).

For more information about these issues and the associated mitigation practices, please contact Aethon.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1570 - [Appliance] Mitsubishi Electric GT25-WLAN: CVSS (Max): 6.5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1570
Advisory (icsa-22-102-04) Mitsubishi Electric GT25-WLAN
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Mitsubishi Electric GT25-WLAN
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26146 CVE-2020-26144 CVE-2020-26143
                   CVE-2020-26140 CVE-2020-24588 CVE-2020-24587
                   CVE-2020-24586

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04

Comment: CVSS (Max):  6.5 CVE-2020-26143 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-102-04)
Mitsubishi Electric GT25-WLAN

Original release date: April 12, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 6.5
o ATTENTION: Exploitable remotely
o Vendor: Mitsubishi Electric
o Equipment: Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27
o Vulnerabilities: Improper Removal of Sensitive Information Before Storage or Transfer, Inadequate Encryption Strength, Missing Authentication for Critical Function, Injection, Improper Input Validation

2. RISK EVALUATION

There are multiple vulnerabilities due to design flaws in the frame fragmentation functionality and the frame aggregation functionality in the Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow an attacker to steal communication contents or inject unauthorized packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27 are affected:

o GT25-WLAN: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER CWE-212

The affected product is vulnerable to a fragment cache attack as it does not clear fragments from memory when (re)connecting. This may allow an attacker to steal communication contents or inject unauthorized packets.

CVE-2020-24586 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

3.2.2 INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product is vulnerable to a mixed key attack as it reassembles fragments encrypted under different keys. This may allow an attacker to steal communication contents.

CVE-2020-24587 has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

3.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product is vulnerable to an aggregation attack as it accepts non-SPP A-MSDU frames. This may allow an attacker to inject unauthorized packets.

CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74

The affected product can accept plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

The affected product is vulnerable to accepting fragmented plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

The affected product can accept plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

The affected product can reassemble encrypted fragments with non-consecutive packet numbers. This may allow an attacker to steal communication contents.

CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Mitsubishi Electric has provided the following mitigations or workarounds.

When using the wireless LAN communication unit as an access point, check that the wireless LAN communication unit settings are as follows:

o For the passphrase used for wireless LAN, avoid settings that can be guessed from consecutive numbers or the MAC address, and set an unpredictable passphrase combining letters and numbers.
o Use WPA or WPA2 as the security authentication method for wireless LAN.
o Use the IP filter function*1 to restrict the accessible IP addresses.

*1 Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG), "5.4.3 Setting the IP filter".

When using the wireless LAN communication unit as a station, check that the router settings are as follows:

o For the passphrase used for wireless LAN, avoid settings that can be guessed from consecutive numbers or the MAC address, and set an unpredictable passphrase combining letters and numbers.
o Use WPA or WPA2 as the security authentication method for wireless LAN.
o If you change the router settings, hide its presence on the Internet to make unauthorized access more difficult (e.g., set it not to respond to PING requests).
o Set a password for the router's management portal that is difficult to identify.

Check the following when using a computer or tablet, etc., on the same network:

o Update antivirus software to the latest version.
o Do not open or access suspicious attachment files or linked URLs.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1569 - [Win][UNIX/Linux] Inductive Automation Ignition: CVSS (Max): 6.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1569
Advisory (icsa-22-102-03) Inductive Automation Ignition
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Inductive Automation Ignition
Publisher:         ICS-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1264

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03

Comment: CVSS (Max):  6.8 CVE-2022-1264 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-102-03)
Inductive Automation Ignition

Original release date: April 12, 2022

1. EXECUTIVE SUMMARY

o CVSS v3 6.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Inductive Automation
o Equipment: Ignition
o Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker with network access to execute code by uploading a malicious zip file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Inductive Automation Ignition software are affected:

o Inductive Automation Ignition: All 8.0 versions after 8.0.4
o Inductive Automation Ignition: All 8.1 versions prior to 8.1.10

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code.

CVE-2022-1264 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Information Technology
o COUNTRIES/AREAS DEPLOYED: United States
o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Mashav Sapir of Claroty reported this vulnerability to CISA.

4. MITIGATIONS

Inductive Automation recommends users upgrade the Ignition software to 8.1.10 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

o Ensure the least-privilege user principle is followed.
o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
o Locate control system networks and remote devices behind firewalls and isolate them from the business network.
o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYlYNcONLKJtyKPYoAQjk1Q//Y1vQd2rushJb8YurwPcqg4b9mpuTedzd 4BLvr5hm3+cTvZSgbDbycRTTMnMyo7wZ/RvFZFXBttHFzU9ApDhCACIMKqYGTtfo 9Mv3ucUeeo0ykpG2hkFKcpFEqLMpJ5XmoIBszXIgCtVFRAfCwSiWo6R832VE6UJp 8KnI3b96CixBH+Zd+MU51I7D+1VC+F49y3doWidiLxe26AK88GD6qUAlDFNBmX/5 yGg/M/GhA35hCzdesilARYh7ji62UpjPqMNehbaDesxiJSj8SpELYk1AIWywqvAv yj6WoiUoA+1Uzd0H3vJ/lrdTkH+Q2WdKPDI13C6J052AULdXF90Fga8+B+2QTrkp sJpT5Wm/uYHCLBAhkNBf1sJW6rD72kzjVrDES+yTEwLQ7ZJKTi1j1qkjqPldeYwN lkzOkOEutWY2vbeoghfBiItQa5s9dOwL+CH64+HIfd2L2a9ObHbKLyCtuV49rdBM rGjGVB+pKgdIWGBhAq2QZsg1za+ZRnhVvx3+iWEPPGaUI471BZU8QAXKsfwppBVc kdN2PWX3/5gKOBqhUg9N9LXanj5FBAKHUxOph3XpaRAUwH+0sRUIbDdhw3qFk8P9 65uSCueKaFGca5AdNp/epSe8OdlwllfhGTBsH44asSu5rSrXDlN1Ax18tfbgLMfB dpnC57i1sFg= =XVXB -----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1568 - [Appliance] Mitsubishi Electric MELSEC-Q Series C Controller Module: CVSS (Max): 9.0

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1568
  Advisory (icsa-22-102-02) Mitsubishi Electric MELSEC-Q Series C Controller Module
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mitsubishi Electric MELSEC-Q Series C Controller Module
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29998

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02

Comment: CVSS (Max):  9.0 CVE-2021-29998 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-102-02)
Mitsubishi Electric MELSEC-Q Series C Controller Module

Original release date: April 12, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 9.0
  o ATTENTION: Exploitable remotely
  o Vendor: Mitsubishi Electric
  o Equipment: MELSEC-Q Series C Controller Module
  o Vulnerability: Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service
condition or allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MELSEC-Q Series C Controller Module using Wind River
VxWorks Version 6.4 are affected:

  o Module Q12DCCPU-V: First 5 digits of serial number 24031 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected product uses a vulnerable version of Wind River VxWorks that
could result in a heap-based buffer overflow in the DHCP client.

CVE-2021-29998 has been assigned to this vulnerability. A CVSS v3 base score of
9.0 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends the following:

  o Update to 24032 (first 5 digits of serial number) or later. Contact a
    Mitsubishi Electric representative for more information.
  o Disable the DHCP function in "Security Settings" of the C language
    controller settings/monitor tool if the product is in "Extended mode" and
    the DHCP client function is not required.
  o Update DHCP server to the latest version.
  o Use a firewall or virtual private network (VPN), etc. to prevent
    unauthorized access when Internet access is required.
  o Use within a trusted LAN that is properly divided by routers and firewalls.

For more information see Mitsubishi Electric's advisory 2022-001.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.

--------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1567 - [Appliance] Valmet DNA: CVSS (Max): 8.8

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1567
                    Advisory (icsa-22-102-01) Valmet DNA
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Valmet DNA
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-26726

Original Bulletin:
   https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01

Comment: CVSS (Max):  8.8 CVE-2021-26726 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-102-01)
Valmet DNA

Original release date: April 12, 2022

1. EXECUTIVE SUMMARY

  o CVSS v3 8.8
  o ATTENTION: Exploitable from an adjacent network/low attack complexity
  o Vendor: Valmet
  o Equipment: DNA
  o Vulnerability: Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to
execute commands remotely with system privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Valmet DNA, a distributed control system, are
affected:

  o Valmet DNA: Versions from Collection 2012 to Collection 2021

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

An unauthenticated network user can craft specific packets targeting a Valmet
DNA service, listening by default on a specific TCP port. By exploiting a
predictable encryption key, the attacker can remotely trigger commands to be
executed with system privileges.

CVE-2021-26726 has been assigned to this vulnerability. A CVSS v3 base score of
8.8 has been calculated; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Finland

3.4 RESEARCHER

Ivan Speziale of Nozomi Networks reported this vulnerability to Valmet.

4. MITIGATIONS

Valmet recommends the following:

  o Update to the latest version. Contact Valmet customer service to obtain
    the update.
  o Ensure a properly configured firewall is in place to prevent unauthorized
    access from untrusted networks to the system.

For more information see Valmet's Security Advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on cisa.gov. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help
by choosing one of the links below to provide feedback about this product.

--------------------------END INCLUDED TEXT--------------------
13 April 2022

ESB-2022.1566 - [Win] Citrix StoreFront: CVSS (Max): None

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1566
           Citrix StoreFront Security Bulletin for CVE-2022-27503
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix StoreFront
Publisher:         Citrix
Operating System:  Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-27503

Original Bulletin:
   https://support.citrix.com/article/CTX377814

Comment: CVSS (Max):  None available when published

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix StoreFront Security Bulletin for CVE-2022-27503

Reference: CTX377814
Category : Medium
Created  : 11 April 2022
Modified : 12 April 2022

Description of Problem

A reflected cross-site scripting (XSS) issue has been discovered in Citrix
StoreFront when it is configured to use SAML authentication. If exploited, this
issue would allow an attacker to execute client-side JavaScript in the same
context as a legitimate user.

This issue has the following identifier:

+--------------+-----------+-----------------------+--------------------------+
|CVE-ID        |Description|Type                   |Pre-requisites            |
+--------------+-----------+-----------------------+--------------------------+
|CVE-2022-27503|Reflected  |CWE-79: Improper       |A victim user must have a |
|              |Cross Site |Neutralization of Input|current session on a      |
|              |Scripting  |During Web Page        |StoreFront that has been  |
|              |(XSS)      |Generation ('Cross-site|configured to use SAML    |
|              |           |Scripting')            |authentication            |
+--------------+-----------+-----------------------+--------------------------+

The issue affects the following supported versions of Citrix StoreFront:

  o Citrix StoreFront 1912 LTSR up to and including CU4 (1912.0.4000)
  o Citrix StoreFront 3.12 for 7.15 LTSR up to and including CU8 (3.12.8000)

Affected versions of Citrix Storefront are included within the following
supported versions of Citrix Virtual Apps and Desktops:

  o Current Release (CR) versions of Citrix Virtual Apps and Desktops up to
    and including 2112
  o Citrix Virtual Apps and Desktops 1912 LTSR up to and including CU4
  o Citrix XenApp & XenDesktop 7.15 LTSR up to and including CU8

Mitigating Factors

This issue only exists when Citrix StoreFront is configured to use SAML
authentication. StoreFront deployments that have not been configured to use
SAML authentication are unaffected.

What Customers Should Do

Citrix recommends that affected customers upgrade to a fixed version as their
patching schedule allows. The issue has been addressed in the following
supported Citrix StoreFront versions:

  o Citrix StoreFront 2203 LTSR (2203.0.0) and later versions
  o Citrix StoreFront 1912 LTSR CU5 (1912.0.5000) and later cumulative updates
    for 1912 LTSR

The latest versions of Citrix StoreFront can be downloaded from the following
location:

https://www.citrix.com/downloads/storefront/

These versions of Citrix StoreFront are included within the following
supported versions of Citrix Virtual Apps and Desktops:

  o Citrix Virtual Apps and Desktops 2203 LTSR and later versions
  o Citrix Virtual Apps and Desktops 1912 LTSR CU5 and later cumulative
    updates for 1912 LTSR

The latest versions of Citrix Virtual Apps and Desktops can be downloaded from
the following location:

https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/

A hotfix has been released to address this issue for Citrix StoreFront 3.12
for 7.15 LTSR. The hotfix for Citrix StoreFront 3.12 for 7.15 LTSR is
available at the following location:

https://support.citrix.com/article/CTX446966

Acknowledgements

Citrix would like to thank Michal Brzezicki and Pawel Zurek for working with
us to protect Citrix customers.

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential
security issue through the publication of this security bulletin on the Citrix
Knowledge Center at https://support.citrix.com/securitybulletins.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case.

Subscribe to Receive Alerts

Citrix strongly recommends that all customers subscribe to receive alerts when
a Citrix security bulletin is created or modified at
https://support.citrix.com/user/alerts.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For details on our vulnerability
response process and guidance on how to report security-related issues to
Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html.

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your
own risk. Citrix reserves the right to change or update this document at any
time. Customers are therefore recommended to always view the latest version of
this document directly from the Citrix Knowledge Center.

Changelog

Date        Change
2022-04-12  Initial Publication

--------------------------END INCLUDED TEXT--------------------