Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-6921-01

Red Hat Security Advisory 2022-6921-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

Packet Storm
#vulnerability#linux#red_hat#js

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: expat security update
Advisory ID: RHSA-2022:6921-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6921
Issue date: 2022-10-12
CVE Names: CVE-2022-40674
====================================================================

  1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 6
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64

  1. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

  • expat: a use-after-free in the doContent function in xmlparse.c
    (CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library
must be restarted for the update to take effect.

  1. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

  1. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:
expat-2.0.1-15.el6_10.src.rpm

i386:
expat-2.0.1-15.el6_10.i686.rpm
expat-debuginfo-2.0.1-15.el6_10.i686.rpm
expat-devel-2.0.1-15.el6_10.i686.rpm

s390x:
expat-2.0.1-15.el6_10.s390.rpm
expat-2.0.1-15.el6_10.s390x.rpm
expat-debuginfo-2.0.1-15.el6_10.s390.rpm
expat-debuginfo-2.0.1-15.el6_10.s390x.rpm
expat-devel-2.0.1-15.el6_10.s390.rpm
expat-devel-2.0.1-15.el6_10.s390x.rpm

x86_64:
expat-2.0.1-15.el6_10.i686.rpm
expat-2.0.1-15.el6_10.x86_64.rpm
expat-debuginfo-2.0.1-15.el6_10.i686.rpm
expat-debuginfo-2.0.1-15.el6_10.x86_64.rpm
expat-devel-2.0.1-15.el6_10.i686.rpm
expat-devel-2.0.1-15.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY0bVodzjgjWX9erEAQi1rA/+L5xp0XGX2BYxBgdx2lCqLs7R4/Cwut7P
qfanGm1E7uDsZufFtsm4uNXIb4iCVpOPYKb25nTuztFTUazOde/YQOtScdieUZqw
R1eLmXnP7GmgMDg4JONtFi49bx3XdBQYi24u5GkKuQ4c7pQhDJAeq3/+qrxip/yc
/wuc63W1d30JJsyW9VBs8Jjbu8fktZqtfYEn+THnYnwXkvOVLZKfXnLlSD4u9zCw
uyiijMuWkvgyKFZ65DMYE9gss/jylsBARni1dIZxvEnRymqKNaqhc5hG20sN+5tz
Vag1LKGRp8X/8v+Hv8/spcSTpd0VKXYqBdcHS8LRMkF2QwW74l0FSPQT0fHzSmbA
8uNMc2Pp9AA5odklJunIyasyO1k/a18PvSIwhkf3Ah/s1b4vRyAJtkD/GzVlW+vO
oTZNpvo+LCYXs7GI/ZwgfPvXwaPiUOk2coyjjAsH7JcLmSh3+6vfOPhVAawMtZCH
iZA6l/spdD1mT8JKyAH3JIsWuCN48AgeocZehgdkeCzzWmUHI/VUxFs5H/TwYz7n
KV0SFXp0pikEw7+gehkbFhrJZ6ivRFmLF9Wm9EmzEnAXg5yCU/VejnIjvTZd1Abg
lLnLRwBX9y1Yinj+DEc8TQtfKujHbV06WRQeCiznM/Mt20C5D9xtjIZOVNCTC5k/
4nDmzyC1heo=Y2Td
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

Ubuntu Security Notice USN-5638-4

Ubuntu Security Notice 5638-4 - USN-5638-1 fixed several vulnerabilities in Expat. This update provides the corresponding update for Ubuntu 14.04 ESM. Rhodri James discovered that Expat incorrectly handled memory when processing certain malformed XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

RHSA-2023:0408: Red Hat Security Advisory: OpenShift Virtualization 4.12.0 Images security update

Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...

RHSA-2022:8841: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update

An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1292: openssl: c_rehash script allows command injection * CVE-2022-2068: openssl: the c_rehash script allows command injection * CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody * CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds * CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling * CVE-2...

Red Hat Security Advisory 2022-8609-01

Red Hat Security Advisory 2022-8609-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.9.7 images. Issues addressed include a bypass vulnerability.

Ubuntu Security Notice USN-5638-2

Ubuntu Security Notice 5638-2 - USN-5638-1 fixed a vulnerability in Expat. This update provides the corresponding updates for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Rhodri James discovered that Expat incorrectly handled memory when processing certain malformed XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

RHSA-2022:7434: Red Hat Security Advisory: Logging Subsystem 5.5.4 - Red Hat OpenShift security update

Logging Subsystem 5.5.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

RHSA-2022:7313: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.2 security update and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.6.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-25887: sanitize-html: insecure global regular expression replacement logic may lead to ReDoS * CVE-2022-25896: passport: incorrect ses...

Red Hat Security Advisory 2022-7261-01

Red Hat Security Advisory 2022-7261-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7019-01

Red Hat Security Advisory 2022-7019-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2022-7022-01

Red Hat Security Advisory 2022-7022-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2022-6995-01

Red Hat Security Advisory 2022-6995-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.3.0. Issues addressed include a use-after-free vulnerability.

RHSA-2022:7025: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

RHSA-2022:7024: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

RHSA-2022:7020: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

Red Hat Security Advisory 2022-6967-01

Red Hat Security Advisory 2022-6967-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

RHSA-2022:6995: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

RHSA-2022:6997: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

Red Hat Security Advisory 2022-6878-01

Red Hat Security Advisory 2022-6878-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

RHSA-2022:6878: Red Hat Security Advisory: expat security update

An update for expat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

Red Hat Security Advisory 2022-6831-01

Red Hat Security Advisory 2022-6831-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2022-6832-01

Red Hat Security Advisory 2022-6832-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2022-6834-01

Red Hat Security Advisory 2022-6834-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2022-6833-01

Red Hat Security Advisory 2022-6833-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

RHSA-2022:6838: Red Hat Security Advisory: expat security update

An update for expat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

RHSA-2022:6834: Red Hat Security Advisory: expat security update

An update for expat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c

Ubuntu Security Notice USN-5638-1

Ubuntu Security Notice 5638-1 - Rhodri James discovered that Expat incorrectly handled memory when processing certain malformed XML files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

CVE-2022-40674: Ensure raw tagnames are safe exiting internalEntityParser by RMJ10 · Pull Request #629 · libexpat/libexpat

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution