Headline
Red Hat Security Advisory 2022-7927-01
Red Hat Security Advisory 2022-7927-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: libksba security update
Advisory ID: RHSA-2022:7927-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7927
Issue date: 2022-11-14
CVE Names: CVE-2022-3515
====================================================================
- Summary:
An update for libksba is now available for Red Hat Enterprise Linux 8.4
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64
- Description:
KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as
the CMS easily accessible by other applications. Both specifications are
building blocks of S/MIME and TLS.
Security Fix(es):
- libksba: integer overflow may lead to remote code execution
(CVE-2022-3515)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution
- Package List:
Red Hat Enterprise Linux BaseOS EUS (v.8.4):
Source:
libksba-1.3.5-8.el8_4.src.rpm
aarch64:
libksba-1.3.5-8.el8_4.aarch64.rpm
libksba-debuginfo-1.3.5-8.el8_4.aarch64.rpm
libksba-debugsource-1.3.5-8.el8_4.aarch64.rpm
ppc64le:
libksba-1.3.5-8.el8_4.ppc64le.rpm
libksba-debuginfo-1.3.5-8.el8_4.ppc64le.rpm
libksba-debugsource-1.3.5-8.el8_4.ppc64le.rpm
s390x:
libksba-1.3.5-8.el8_4.s390x.rpm
libksba-debuginfo-1.3.5-8.el8_4.s390x.rpm
libksba-debugsource-1.3.5-8.el8_4.s390x.rpm
x86_64:
libksba-1.3.5-8.el8_4.i686.rpm
libksba-1.3.5-8.el8_4.x86_64.rpm
libksba-debuginfo-1.3.5-8.el8_4.i686.rpm
libksba-debuginfo-1.3.5-8.el8_4.x86_64.rpm
libksba-debugsource-1.3.5-8.el8_4.i686.rpm
libksba-debugsource-1.3.5-8.el8_4.x86_64.rpm
Red Hat CodeReady Linux Builder EUS (v. 8.4):
aarch64:
libksba-debuginfo-1.3.5-8.el8_4.aarch64.rpm
libksba-debugsource-1.3.5-8.el8_4.aarch64.rpm
libksba-devel-1.3.5-8.el8_4.aarch64.rpm
ppc64le:
libksba-debuginfo-1.3.5-8.el8_4.ppc64le.rpm
libksba-debugsource-1.3.5-8.el8_4.ppc64le.rpm
libksba-devel-1.3.5-8.el8_4.ppc64le.rpm
s390x:
libksba-debuginfo-1.3.5-8.el8_4.s390x.rpm
libksba-debugsource-1.3.5-8.el8_4.s390x.rpm
libksba-devel-1.3.5-8.el8_4.s390x.rpm
x86_64:
libksba-debuginfo-1.3.5-8.el8_4.i686.rpm
libksba-debuginfo-1.3.5-8.el8_4.x86_64.rpm
libksba-debugsource-1.3.5-8.el8_4.i686.rpm
libksba-debugsource-1.3.5-8.el8_4.x86_64.rpm
libksba-devel-1.3.5-8.el8_4.i686.rpm
libksba-devel-1.3.5-8.el8_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY3I6xtzjgjWX9erEAQgIqQ/+MihsJWSSwPhPmCV2TvOun35p83LSJur6
rgdf9Jl7toLptN1aK7tgffgLskX2SLbv7XqLvkQiebkonXp2zfRajPvR3JHnDpgV
NrhABfLdcA0GXlceSR6DZWrFELXMkxb97H9lDYlv+dDkF2+tqfP1ZszcqCTuySdn
rZtllxPwBbq1fGRrtv0HdwroWUKDES0lAEyDUnp3KCGp5+456z9CnAui8T8na5jJ
SD38E1w/r6R9v9hH55Lg6RJz2u3MhOnFBwrWzY29iBWbe2eqynBEPhsAjONhVj6w
FtQgH9PVS7Q5DNGC+KvrjVGXa7zIbjEGyS6HdVnWR2UDJYjFi2RXM+XeyqfTEd43
Erjjhjsz/gDQbZD3XvnubThcQ0XXjrJKUGS0yj17ZpWTDtBVFktD+6WryMnPYb3/
BCaUnJcZ6hFD0mMgHN2nV7UDk43a2IX/zhhfq/YkxCWPm3dRqsmevU56NG+uDUmv
QSkiDwL7G5M+oHfKfjBrh9NRrSkt6R/7YsiRyOe36PNGJ5LC+cQx734TbMBFaMYo
KqEvlFnzBXO9NryisDMq9db1aj2EV1N/gwzNXynm0c4vxhMHPyEpbQd62sFYQ/bH
3tvLXNE1hrdXU9UW/h3c1HgRUD1WRr/49DU5zVgNunlFTc2WOz59xRF2fiQDvF1s
YW0G0pPZhVw=Wx01
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
Red Hat Security Advisory 2022-8938-01 - Version 1.26.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements.
Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...
Red Hat Security Advisory 2022-8609-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.9.7 images. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7435-01 - An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.
Logging Subsystem 5.5.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2022-7313-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Issues addressed include denial of service and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2022-7201-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.12. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-7276-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service, server-side request forgery, and remote SQL injection vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.4.8 General Availability release images, which fix security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-35948: nodejs: undici vulnerable to CRLF via content headers * CVE-2022-35949: n...
Red Hat Security Advisory 2022-7209-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.
Ubuntu Security Notice 5688-2 - USN-5688-1 fixed vulnerabilities in Libksba. This update provides the corresponding update for Ubuntu 22.10. It was discovered that an integer overflow could be triggered in Libksba when decoding certain data. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code.
An update for libksba is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3515: libksba: integer overflow may lead to remote code execution
An update for libksba is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3515: libksba: integer overflow may lead to remote code execution