Headline
Red Hat Security Advisory 2022-6854-01
Red Hat Security Advisory 2022-6854-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space. Issues addressed include a double free vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: gnutls and nettle security, bug fix, and enhancement update
Advisory ID: RHSA-2022:6854-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6854
Issue date: 2022-10-11
CVE Names: CVE-2022-2509
====================================================================
- Summary:
An update for gnutls and nettle is now available for Red Hat Enterprise
Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The gnutls packages provide the GNU Transport Layer Security (GnuTLS)
library, which implements cryptographic algorithms and protocols such as
SSL, TLS, and DTLS.
Nettle is a cryptographic library that is designed to fit easily in almost
any context: In crypto toolkits for object-oriented languages, such as C++,
Python, or Pike, in applications like LSH or GNUPG, or even in kernel
space.
The following packages have been upgraded to a later upstream version:
gnutls (3.7.6), nettle (3.8).
Security Fix(es):
- gnutls: Double free during gnutls_pkcs7_verify. (CVE-2022-2509)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
- [IBM 9.1] [P10] POWER10 performance enhancements for cryptography: nettle
- incremental work (BZ#2102589)
Allow enabling KTLS in RHEL 9.1 (BZ#2108532)
DES-CBC bag is decryptable under FIPS (BZ#2115314)
allow signature verification using RSA keys <2k in FIPS mode (BZ#2119770)
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2076626 - FIPS module name should not contain the .0 from the /etc/os-release [rhel-9.0.0.z]
2108635 - Input size for AES-GCM is not limited [rhel-9.0.0.z]
2108977 - CVE-2022-2509 gnutls: Double free during gnutls_pkcs7_verify
2119770 - allow signature verification using RSA keys <2k in FIPS mode [rhel-9.0.0.z]
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64:
gnutls-c+±3.7.6-12.el9_0.aarch64.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-dane-3.7.6-12.el9_0.aarch64.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-debugsource-3.7.6-12.el9_0.aarch64.rpm
gnutls-devel-3.7.6-12.el9_0.aarch64.rpm
gnutls-utils-3.7.6-12.el9_0.aarch64.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.aarch64.rpm
nettle-debuginfo-3.8-3.el9_0.aarch64.rpm
nettle-debugsource-3.8-3.el9_0.aarch64.rpm
nettle-devel-3.8-3.el9_0.aarch64.rpm
ppc64le:
gnutls-c+±3.7.6-12.el9_0.ppc64le.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-dane-3.7.6-12.el9_0.ppc64le.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-debugsource-3.7.6-12.el9_0.ppc64le.rpm
gnutls-devel-3.7.6-12.el9_0.ppc64le.rpm
gnutls-utils-3.7.6-12.el9_0.ppc64le.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
nettle-debuginfo-3.8-3.el9_0.ppc64le.rpm
nettle-debugsource-3.8-3.el9_0.ppc64le.rpm
nettle-devel-3.8-3.el9_0.ppc64le.rpm
s390x:
gnutls-c+±3.7.6-12.el9_0.s390x.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-dane-3.7.6-12.el9_0.s390x.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-debugsource-3.7.6-12.el9_0.s390x.rpm
gnutls-devel-3.7.6-12.el9_0.s390x.rpm
gnutls-utils-3.7.6-12.el9_0.s390x.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.s390x.rpm
nettle-debuginfo-3.8-3.el9_0.s390x.rpm
nettle-debugsource-3.8-3.el9_0.s390x.rpm
nettle-devel-3.8-3.el9_0.s390x.rpm
x86_64:
gnutls-c+±3.7.6-12.el9_0.i686.rpm
gnutls-c+±3.7.6-12.el9_0.x86_64.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-dane-3.7.6-12.el9_0.i686.rpm
gnutls-dane-3.7.6-12.el9_0.x86_64.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-debugsource-3.7.6-12.el9_0.i686.rpm
gnutls-debugsource-3.7.6-12.el9_0.x86_64.rpm
gnutls-devel-3.7.6-12.el9_0.i686.rpm
gnutls-devel-3.7.6-12.el9_0.x86_64.rpm
gnutls-utils-3.7.6-12.el9_0.x86_64.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.x86_64.rpm
nettle-debuginfo-3.8-3.el9_0.i686.rpm
nettle-debuginfo-3.8-3.el9_0.x86_64.rpm
nettle-debugsource-3.8-3.el9_0.i686.rpm
nettle-debugsource-3.8-3.el9_0.x86_64.rpm
nettle-devel-3.8-3.el9_0.i686.rpm
nettle-devel-3.8-3.el9_0.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source:
gnutls-3.7.6-12.el9_0.src.rpm
nettle-3.8-3.el9_0.src.rpm
aarch64:
gnutls-3.7.6-12.el9_0.aarch64.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-debuginfo-3.7.6-12.el9_0.aarch64.rpm
gnutls-debugsource-3.7.6-12.el9_0.aarch64.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.aarch64.rpm
nettle-3.8-3.el9_0.aarch64.rpm
nettle-debuginfo-3.8-3.el9_0.aarch64.rpm
nettle-debugsource-3.8-3.el9_0.aarch64.rpm
ppc64le:
gnutls-3.7.6-12.el9_0.ppc64le.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
gnutls-debugsource-3.7.6-12.el9_0.ppc64le.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.ppc64le.rpm
nettle-3.8-3.el9_0.ppc64le.rpm
nettle-debuginfo-3.8-3.el9_0.ppc64le.rpm
nettle-debugsource-3.8-3.el9_0.ppc64le.rpm
s390x:
gnutls-3.7.6-12.el9_0.s390x.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-debuginfo-3.7.6-12.el9_0.s390x.rpm
gnutls-debugsource-3.7.6-12.el9_0.s390x.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.s390x.rpm
nettle-3.8-3.el9_0.s390x.rpm
nettle-debuginfo-3.8-3.el9_0.s390x.rpm
nettle-debugsource-3.8-3.el9_0.s390x.rpm
x86_64:
gnutls-3.7.6-12.el9_0.i686.rpm
gnutls-3.7.6-12.el9_0.x86_64.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-c+±debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-dane-debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-debuginfo-3.7.6-12.el9_0.x86_64.rpm
gnutls-debugsource-3.7.6-12.el9_0.i686.rpm
gnutls-debugsource-3.7.6-12.el9_0.x86_64.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.i686.rpm
gnutls-utils-debuginfo-3.7.6-12.el9_0.x86_64.rpm
nettle-3.8-3.el9_0.i686.rpm
nettle-3.8-3.el9_0.x86_64.rpm
nettle-debuginfo-3.8-3.el9_0.i686.rpm
nettle-debuginfo-3.8-3.el9_0.x86_64.rpm
nettle-debugsource-3.8-3.el9_0.i686.rpm
nettle-debugsource-3.8-3.el9_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY0UvudzjgjWX9erEAQhEexAAgATTMTqhPJv6D78FKfvSqgh3Xiym0rzU
TNZ5y42a8sTuQit7YO89QJH6e1BEpTFL2yA9IbBFB4VaaDJ8TjuzqvZex6/5Xnxt
+ssAi7v7p++YXnC9qJmM0X2NTTJX8EWHcVa8OU0qY40EEz2kdkp/FBJlxLuwIGYH
IWJ7lHM6CqZ4GErGw+saq2hypc4vmBm/dgUAOvaUBHj2pHpWcmXmh1531gAhNgjA
DkDOiRpu4bNDEr8yHlkR4bhrLAEfvwrM/E/l9Cem153VGxK8OOr4YwpdF0AEA6cf
5kMPKFX7QrReCPeFFvQT2t/oh+gYMFIP3Fq6TQZhgT3hK0GjnpcTuiYZ+HOCIbgS
8pCkEaKu3D9M7GesHzry+Z4WVl6xWZ3gbVQhhBXxu5z6lgL7kaT6RjvSX2ZuZBsL
hVzpfaEVkvTUTtgk12iDl8PWMqCANS3fJDrRG8tDODg+HQstJzhjACUVUP0dx8yb
age1HR1mo8LBPBESm8HeG+O/dkVOwHfGT2pnbMpA6Jf4a3veikvPwquV59O9bj9h
E+PnqyxyOSm9WunMh91amh1/xtkFfv7XWIG1A3j9p+EvQAVJwbWlN83dP85Q/ahx
jBn2XP36JkcVxDq5FrqlKRu6vAWJEbtTRd0YQNxJnDiAlFJsBpFIzJm1u8E6/KpH
tDUVldzkRiA=/Kef
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
OpenShift sandboxed containers 1.4.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Red Hat Security Advisory 2023-0709-01 - Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. This release includes security and bug fixes, and enhancements.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).
Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Red Hat Security Advisory 2022-8938-01 - Version 1.26.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements.
Red Hat Security Advisory 2022-8889-01 - This is an Openshift Logging bug fix release. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-7435-01 - An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Issues addressed include a denial of service vulnerability.
An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays...
Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.
Logging Subsystem 5.5.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2022-6882-01 - Openshift Logging 5.3.13 security and bug fix release.
An update is now available for OpenShift Logging 5.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2022-7407-01 - Service Binding Operator 1.3.1 is now available for OpenShift Developer Tools and Services for OCP 4.9 +.
An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2022-7313-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Issues addressed include denial of service and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2022-7201-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.12. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-7276-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service, server-side request forgery, and remote SQL injection vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.6.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-25887: sanitize-html: insecure global regular expression replacement logic may lead to ReDoS * CVE-2022-25896: passport: incorrect ses...
Red Hat OpenShift Container Platform release 4.11.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)
Red Hat Advanced Cluster Management for Kubernetes 2.4.8 General Availability release images, which fix security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-35948: nodejs: undici vulnerable to CRLF via content headers * CVE-2022-35949: n...
An update for gnutls is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2509: gnutls: Double free during gnutls_pkcs7_verify
An update for gnutls and nettle is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2509: gnutls: Double free during gnutls_pkcs7_verify
Ubuntu Security Notice 5550-1 - It was discovered that GnuTLS incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that GnuTLS incorrectly handled the verification of certain pkcs7 signatures. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.
A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.