Red Hat Security Advisory 2024-1640-03

Ubuntu Security Notice 6991-1 - It was discovered that AIOHTTP did not properly restrict file access when the 'follow_symlinks' option was set to True. A remote attacker could possibly use this issue to access unauthorized files on the system.

Red Hat Security Advisory 2024-5662-03 - An update is now available for Red Hat Satellite 6.15 for RHEL 8.

Red Hat Security Advisory 2024-5314-03 - Red Hat OpenShift Virtualization release 4.13.10 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-4762-03 - An update for runc is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-4761-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-4591-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9. Issues addressed include denial of service, memory leak, and resource exhaustion vulnerabilities.

Red Hat Security Advisory 2024-4581-03 - An update for podman is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-4455-03 - Red Hat OpenShift Virtualization release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-4269-03 - Red Hat OpenShift Virtualization release 4.12.12 is now available with updates to packages and images that fix several bugs and add enhancements.

Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions greater than or equal to 42.0.4 are affected.

Red Hat Security Advisory 2024-4146-03 - An update for golang is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and memory leak vulnerabilities.

Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3927-03 - A new container image for Red Hat Ceph Storage 7.1 is now available in the Red Hat Ecosystem Catalog.

Red Hat Security Advisory 2024-3920-03 - Migration Toolkit for Runtimes 1.2.6 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a password leak vulnerability.

Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3473-03 - Red Hat OpenShift Virtualization release 4.14.6 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-3352-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2010-03 - An update is now available for Red Hat Satellite 6.15. The release contains a new version of Satellite and important security fixes for various components. Issues addressed include HTTP request smuggling, crlf injection, denial of service, file disclosure, and traversal vulnerabilities.

Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.

Red Hat Security Advisory 2024-1859-03 - OpenShift API for Data Protection 1.3.1 is now available. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1646-03 - An update for grafana is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1644-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1574-03 - Red Hat OpenShift Container Platform release 4.12.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1563-03 - Red Hat OpenShift Container Platform release 4.15.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1561-03 - Red Hat build of MicroShift release 4.15.6 is now available with updates to packages and images that fix several bugs.

Red Hat Security Advisory 2024-1518-03 - An update for python-twisted is now available for Red Hat OpenStack Platform 16.2.

Red Hat Security Advisory 2024-1516-03 - An update for python-twisted is now available for Red Hat OpenStack Platform 16.1.

Red Hat Security Advisory 2024-1502-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1501-03 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1472-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1468-03 - An update for go-toolset-1.19-golang is now available for Red Hat Developer Tools. Issues addressed include a memory leak vulnerability.

Red Hat Security Advisory 2024-1462-03 - An update for golang is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads. An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

Red Hat Security Advisory 2024-1434-03 - Red Hat OpenShift distributed tracing 3.1.1. Issues addressed include a denial of service vulnerability.

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Red Hat Security Advisory 2024-1155-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Security Advisory 2024-1131-03 - An update for golang is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice 6674-2 - USN-6674-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

Ubuntu Security Notice 6674-1 - Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-1078-03 - An update is now available for Service Telemetry Framework 1.5.4. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1057-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include crlf injection and denial of service vulnerabilities.

Red Hat Security Advisory 2024-1057-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include crlf injection and denial of service vulnerabilities.

Red Hat Security Advisory 2024-1057-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include crlf injection and denial of service vulnerabilities.

Red Hat Security Advisory 2024-1041-03 - An update for go-toolset-1.19-golang is now available for Red Hat Developer Tools. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0269-03 - An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0887-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0695-03 - Logging 5.6.16 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0694-03 - Logging Subsystem 5.7.11 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice 6623-1 - It was discovered that Django incorrectly handled certain inputs that uses intcomma template filter. An attacker could possibly use this issue to cause a denial of service.

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

### Summary Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system. ### Details When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. i.e. An application is only vulnerable with setup code like: ``` app.router.add_routes([ web.static("/static", "static/", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability ]) ``` ### Impact This is a directory traversal vulnerability with CWE I...

### Summary Security-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. ### Details These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg: 1. The expression `HTTP/(\d).(\d)` lacked another backslash to clarify that the separator should be a literal dot, not just *any* Unicode code point (result: `HTTP/(\d)\.(\d)`). 2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant. 3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 `token`. ### PoC `GET / HTTP/...

Ubuntu Security Notice 6599-1 - Yeting Li discovered that Jinja incorrectly handled certain regex. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that Jinja incorrectly handled certain HTML passed with xmlatter filter. An attacker could inject arbitrary HTML attributes keys and values potentially leading to XSS.

Red Hat Security Advisory 2024-0530-03 - An update is now available for the Red Hat build of Cryostat 2 on RHEL 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0322-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a local file inclusion vulnerability.

Red Hat Security Advisory 2024-0322-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a local file inclusion vulnerability.

Red Hat Security Advisory 2024-0215-03 - An update for GitPython is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a local file inclusion vulnerability.

Red Hat Security Advisory 2024-0190-03 - An update for GitPython is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a local file inclusion vulnerability.

Ubuntu Security Notice 6575-1 - It was discovered that Twisted incorrectly escaped host headers in certain 404 responses. A remote attacker could possibly use this issue to perform HTML and script injection attacks. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay responses and manipulate the responses of second requests.

The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

Red Hat Security Advisory 2023-7851-03 - Updated Satellite 6.14 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include cross site scripting and local file inclusion vulnerabilities.

Ubuntu Security Notice 6539-1 - It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

### Summary Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. ### PoC Here is a Python code that triggers the issue: ```python from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates pem_p7 = b""" -----BEGIN PKCS7----- MAsGCSqGSIb3DQEHAg== -----END PKCS7----- """ der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" load_pem_pkcs7_certificates(pem_p7) load_der_pkcs7_certificates(der_p7) ``` ### Impact Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.

# Summary The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when `AIOHTTP_NO_EXTENSIONS` is enabled (or not using a prebuilt wheel). # Details ## Bug 1: Bad parsing of `Content-Length` values ### Description RFC 9110 says this: > `Content-Length = 1*DIGIT` AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin `int` constructor. Because the `int` constructor accepts `+` and `-` prefixes, and digit-separating underscores, using `int` to parse CL values leads AIOHTTP to significant misinterpretation. ### Examples ``` GET / HTTP/1.1\r\n Content-Length: -0\r\n \r\n X ``` ``` GET / HTTP/1.1\r\n Content-Length: +0_1\r\n \r\n X ``` ### Suggested action Verify that a `Content-Length` value consists only of ASCII digits before parsing, as the standard requires. ## Bug 2: Improper handling of NUL, CR, and LF in header values ### Description RFC 9110 says this: > Field ...

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

### Summary When sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. ### Details There's an example faulty program: ```python from twisted.internet import reactor, endpoints from twisted.web import server from twisted.web.proxy import ReverseProxyResource from twisted.web.resource import Resource class Second(Resource): isLeaf = True def render_GET(self, request): return b'SECOND\n' class First(Resource): isLeaf = True def render_GET(self, request): def send_response(): request.write(b'FIRST DELAYED\n') request.finish() reactor.callLater(0.5, send_response) return server.NOT_DONE_YET root = Resource() root.putChild(b'second', Second()) root.putChild(b'first', First()) endpoint = endpoints.TCP4ServerEndpoint(reactor, 8080) endpoint.listen(server.Site(root)) reactor.run() ``` When two requests for `/first` and `/second` ...

Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

### Summary In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. ### Details This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175 That code joins the base directory with a user given string without checking if the final path is located outside the base directory. I was able to exploit it from three places, but there may be more code paths that lead to it: https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605 https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620 https://github.com/gitpython-d...