Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-1079-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

Packet Storm
#vulnerability#red_hat#js#jira

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update
Advisory ID: RHSA-2023:1079-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1079
Issue date: 2023-03-06
CVE Names: CVE-2021-46848 CVE-2022-2879 CVE-2022-4415
CVE-2022-35737 CVE-2022-40303 CVE-2022-40304
CVE-2022-41715 CVE-2022-41717 CVE-2022-47629
====================================================================

  1. Summary:

An update for osp-director-downloader-container,
osp-director-agent-container and osp-director-operator-container is now
available for Red Hat OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Description:

Security Fix(es):

  • archive/tar: unbounded memory consumption when reading headers
    (CVE-2022-2879)

  • regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • net/http: An attacker can cause excessive memory growth in a Go server
    accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

  1. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

  1. JIRA issues fixed (https://issues.jboss.org/):

OSPK8-664 - Unexpected “unassigned” hostRefs in OSBMS halt further reconcile loops

  1. References:

https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/updates/classification/#moderate

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZAYw69zjgjWX9erEAQhpKw/+IoljDi48GfOED0GN7xDhf0dClmlzuPnM
ozrwsuBpcFWlY62saZacWkG4UBfLTubkMEdkuWlNrP0TNxSFOzWRDBZpsp6KHzsg
5t8doz9jHTsPP60q/PEOni6Jw8Z5zCN9qVRprNPObEAZdoHaPZpQI6dJkZMSd6Pf
q40hJkI0nu+GEknlJtUbJqaCf7sED6/Tn2uGrFYuL+uKEcw7Dh8Up0c3QFYjHxCH
H4kTOyiBCsbQNztdDhR+/hBEezSFSw/WgXynvzS2SyP4gQ/AhV5af53KJ0nJieC7
KnH9RKVR2h5PkRRGiH3yBG/Vl4Y13P4fh3rwjUWZGCp4LhjzS0pqjsyYzBnFJODT
GjX+nEi5z15OMuxO6YrignuDfMMisz2OUY1XZa2M9CQUDBkQyikwSOdMfDk2LVS+
dznlfqNejn7CDA4mUwkpQ1NsQXi9MEVI9UhN5sf/SASoIj1uGG20fot1w1gQyEka
kFpwz2FyvXA8xGruJbRmV6QuWLxZmXeosjRWQZhJL9KcuuAdQgVSfqFQYHrEGOxa
oJbqdOv1GAauwPPhH49eoShzi3jwRyzuEQIsxwz73nY+TSOHmTdnynn+nSSREXb0
qNkHwGMi9RsC+HmXj/qzmwge5BjChwLQxLsAj+6FOCwFvtyU9jbr/y4hq8CAmGFa
eAniE3J/0sc=r2R4
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Ubuntu Security Notice USN-6038-2

Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

Red Hat Security Advisory 2023-4290-01

Red Hat Security Advisory 2023-4290-01 - OpenShift sandboxed containers 1.4.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:4091: Red Hat Security Advisory: OpenShift Container Platform 4.13.5 security update

Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...

RHSA-2023:3914: Red Hat Security Advisory: Red Hat OpenShift Enterprise security update

Red Hat OpenShift Container Platform release 4.11.44 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat.SetString could cause an overflow, and if left unhandled, it could lead to excessive memory use. This issu...

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.

Red Hat Security Advisory 2023-3624-01

Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:3645: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update

Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents. * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtai...

RHSA-2023:3624: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

Red Hat Security Advisory 2023-3205-01

Red Hat Security Advisory 2023-3205-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 images. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1327-01

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

RHSA-2023:2780: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, ...

Red Hat Security Advisory 2023-2283-01

Red Hat Security Advisory 2023-2283-01 - The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Red Hat Security Advisory 2023-2367-01

Red Hat Security Advisory 2023-2367-01 - The Container Network Interface project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.

RHSA-2023:2357: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...

RHSA-2023:2367: Red Hat Security Advisory: containernetworking-plugins security and bug fix update

An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30629: A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption. * CVE-2022-41717: A flaw was found in the net/http library of th...

RHSA-2023:2104: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.8 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

Red Hat Security Advisory 2023-2083-01

Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.

Red Hat Security Advisory 2023-2061-01

Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

Red Hat Security Advisory 2023-1816-01

Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

Red Hat Security Advisory 2023-1893-01

Red Hat Security Advisory 2023-1893-01 - Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical.

CVE-2023-1802: Docker Desktop release notes

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.

Red Hat Security Advisory 2023-1310-01

Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1448-01

Red Hat Security Advisory 2023-1448-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-1454-01

Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1454: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1453: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

Red Hat Security Advisory 2023-1276-01

Red Hat Security Advisory 2023-1276-01 - Collectd plugin for gathering resource usage statistics from containers created with the libpod library.

RHSA-2023:1286: Red Hat Security Advisory: Migration Toolkit for Runtimes security bug fix and enhancement update

Migration Toolkit for Runtimes 1.0.2 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31690: A flaw was found in the Spring Security framework. Spring Security could allow a remote attacker to gain elevated privileges on the system. By modifying a request initiated by the Client (via the browser) to the Authorization Server, an attacker can gain elevated privileges on the system. * CVE-2022-41966: A flaw was found in the xstream package. This flaw allows an atta...

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

Red Hat Security Advisory 2023-1181-01

Red Hat Security Advisory 2023-1181-01 - OpenShift Serverless version 1.27.1 contains a moderate security impact. This release includes security and bug fixes, and enhancements.

Red Hat Security Advisory 2023-1174-01

Red Hat Security Advisory 2023-1174-01 - OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-0931-01

Red Hat Security Advisory 2023-0931-01 - Update information for Logging Subsystem 5.4.12 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1170-01

Red Hat Security Advisory 2023-1170-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

Red Hat Security Advisory 2023-0930-01

Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:0931: Red Hat Security Advisory: Logging Subsystem 5.4.12 - Red Hat OpenShift

Logging Subsystem 5.4.12 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to alloc...

RHSA-2023:0930: Red Hat Security Advisory: Logging Subsystem 5.5.8 - Red Hat OpenShift

Logging Subsystem 5.5.8 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

RHSA-2023:1170: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.1 security bug fix update

Red Hat OpenShift Data Foundation 4.12.1 Bug Fix Update Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.

RHSA-2023:0932: Red Hat Security Advisory: Logging Subsystem 5.6.3 - Red Hat OpenShift

Logging Subsystem 5.6.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

Ubuntu Security Notice USN-5928-1

Ubuntu Security Notice 5928-1 - It was discovered that systemd did not properly validate the time and accuracy values provided to the format_timespan function. An attacker could possibly use this issue to cause a buffer overrun, leading to a denial of service attack. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that systemd did not properly manage the fs.suid_dumpable kernel configurations. A local attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.

RHSA-2023:1079: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update

An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to c...

RHSA-2023:1079: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update

An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to c...

Red Hat Security Advisory 2023-1047-01

Red Hat Security Advisory 2023-1047-01 - A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:1047: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update

A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jque...

Red Hat Security Advisory 2023-0899-01

Red Hat Security Advisory 2023-0899-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.53.

RHSA-2023:0899: Red Hat Security Advisory: OpenShift Container Platform 4.10.53 bug fix and security update

Red Hat OpenShift Container Platform release 4.10.53 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeri...

Red Hat Security Advisory 2023-0977-01

Red Hat Security Advisory 2023-0977-01 - Red Hat OpenShift Data Science 1.22.1 security update. Issues addressed include an improper authorization vulnerability.

RHSA-2023:0977: Red Hat Security Advisory: Red Hat OpenShift Data Science 1.22.1 security update

An update for kubeflow, dashboard, deployer is now available for Red Hat OpenShift Data Science 1.22. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0923: A flaw was found in the Kubernetes service for notebooks in RHODS, where it does not prevent pods from other namespaces and applications from making requests to the Jupyter API. This flaw can lead to file content exposure and other issues.

RHSA-2023:0954: Red Hat Security Advisory: systemd security update

An update for systemd is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4415: A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. * CVE-2022-45873: A flaw was found in the systemd-coredump utility of systemd. When an application crashes, the systemd-coredump utility is called twice, once by the kernel and the ...

Red Hat Security Advisory 2023-0918-01

Red Hat Security Advisory 2023-0918-01 - Service Binding manages the data plane for applications and backing services.

Red Hat Security Advisory 2023-0918-01

Red Hat Security Advisory 2023-0918-01 - Service Binding manages the data plane for applications and backing services.

Red Hat Security Advisory 2023-0778-01

Red Hat Security Advisory 2023-0778-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.56.

RHSA-2023:0778: Red Hat Security Advisory: OpenShift Container Platform 4.9.56 security update

Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3064: A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0837-01

Red Hat Security Advisory 2023-0837-01 - The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2023-0769-01

Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Red Hat Security Advisory 2023-0769-01

Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

RHSA-2023:0837: Red Hat Security Advisory: systemd security and bug fix update

An update for systemd is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4415: A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

Red Hat Security Advisory 2023-0802-01

Red Hat Security Advisory 2023-0802-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Important.

Red Hat Security Advisory 2023-0728-01

Red Hat Security Advisory 2023-0728-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.3.

Red Hat Security Advisory 2023-0727-01

Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.

RHSA-2023:0802: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functio...

RHSA-2023:0728: Red Hat Security Advisory: OpenShift Container Platform 4.12.3 security update

Red Hat OpenShift Container Platform release 4.12.3 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric...

Red Hat Security Advisory 2023-0633-01

Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.

Red Hat Security Advisory 2023-0633-01

Red Hat Security Advisory 2023-0633-01 - Logging Subsystem 5.5.7 - Red Hat OpenShift.

RHSA-2023:0794: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.6.4 bug fixes and security updates

Red Hat Advanced Cluster Management for Kubernetes 2.6.4 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload i...

Red Hat Security Advisory 2023-0632-01

Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.

RHSA-2023:0632: Red Hat Security Advisory: Red Hat OpenShift (Logging Subsystem) security update

An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:0693: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...

Red Hat Security Advisory 2023-0624-01

Red Hat Security Advisory 2023-0624-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.

RHSA-2023:0630: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.0 security and bug fix updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.0 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. * CVE-2022-30629: A flaw was found in the crypto/tls golang pa...

RHSA-2023:0630: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.0 security and bug fix updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.0 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. * CVE-2022-30629: A flaw was found in the crypto/tls golang pa...

RHSA-2023:0629: Red Hat Security Advisory: libksba security update

An update for libksba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-47629: A vulnerability was found in the Libksba library, due to an integer overflow within the CRL's signature parser. This issue can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

RHSA-2023:0625: Red Hat Security Advisory: libksba security update

An update for libksba is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-47629: A vulnerability was found in the Libksba library, due to an integer overflow within the CRL's signature parser. This issue can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

Red Hat Security Advisory 2022-9096-01

Red Hat Security Advisory 2022-9096-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2023:0530: Red Hat Security Advisory: libksba security update

An update for libksba is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-47629: libksba: integer overflow to code execution

RHSA-2022:9096: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 7.0.0 [security update]

The components for Red Hat OpenShift support for Windows Container 7.0.0 are now available. This product release includes bug fixes and a moderate security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25749: kubelet: runAsNonRoot logic bypass for Windows containers * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter *...

Red Hat Security Advisory 2023-0470-01

Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).

Red Hat Security Advisory 2023-0468-01

Red Hat Security Advisory 2023-0468-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Red Hat Security Advisory 2023-0466-01

Red Hat Security Advisory 2023-0466-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Red Hat Security Advisory 2023-0466-01

Red Hat Security Advisory 2023-0466-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

RHSA-2023:0470: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

RHSA-2023:0468: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.5.9 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22482: ArgoCD: JWT audience claim is not verified

RHSA-2023:0467: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-22482: ArgoCD: JWT audience claim is not verified * CVE-2023-22736: argocd: Controller reconciles apps outside configured namespaces when sharding is enabled

RHSA-2023:0343: Red Hat Security Advisory: libtasn1 security update

An update for libtasn1 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46848: libtasn1: Out-of-bound access in ETYPE_OK

RHSA-2023:0338: Red Hat Security Advisory: libxml2 security update

An update for libxml2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40303: libxml2: integer overflows with XML_PARSE_HUGE * CVE-2022-40304: libxml2: dict corruption caused by entity reference cycles

RHSA-2023:0338: Red Hat Security Advisory: libxml2 security update

An update for libxml2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40303: libxml2: integer overflows with XML_PARSE_HUGE * CVE-2022-40304: libxml2: dict corruption caused by entity reference cycles

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7398: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 packages and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: go-yaml: Denial of Service in go-yaml * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-2995: cri-o: incorrect handlin...

RHSA-2023:0173: Red Hat Security Advisory: libxml2 security update

An update for libxml2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40303: libxml2: integer overflows with XML_PARSE_HUGE * CVE-2022-40304: libxml2: dict corruption caused by entity reference cycles

RHSA-2023:0173: Red Hat Security Advisory: libxml2 security update

An update for libxml2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40303: libxml2: integer overflows with XML_PARSE_HUGE * CVE-2022-40304: libxml2: dict corruption caused by entity reference cycles

Red Hat Security Advisory 2023-0116-01

Red Hat Security Advisory 2023-0116-01 - A library that provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and decoding functions.

RHSA-2023:0116: Red Hat Security Advisory: libtasn1 security update

An update for libtasn1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46848: libtasn1: Out-of-bound access in ETYPE_OK

RHSA-2023:0110: Red Hat Security Advisory: sqlite security update

An update for sqlite is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35737: sqlite: an array-bounds overflow if billions of bytes are used in a string argument to a C API

CVE-2022-4415: security - systemd-coredump: CVE-2022-4415: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Apple Security Advisory 2022-12-13-8

Apple Security Advisory 2022-12-13-8 - watchOS 9.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-6

Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-6

Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-5

Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-5

Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

CVE-2022-46153: Release v2.9.6 · traefik/traefik

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix your TLS options.

Apple Security Advisory 2022-11-09-1

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

Apple Security Advisory 2022-11-09-1

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

libxml2 xmlParseNameComplex Integer Overflow

libxml2 suffers from an integer overflow vulnerability in xmlParseNameComplex.

Debian Security Advisory 5271-1

Debian Linux Security Advisory 5271-1 - Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.

Debian Security Advisory 5271-1

Debian Linux Security Advisory 5271-1 - Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.

Gentoo Linux Security Advisory 202210-39

Gentoo Linux Security Advisory 202210-39 - Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. Versions less than 2.10.3 are affected.

Gentoo Linux Security Advisory 202210-39

Gentoo Linux Security Advisory 202210-39 - Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. Versions less than 2.10.3 are affected.

Ubuntu Security Notice USN-5707-1

Ubuntu Security Notice 5707-1 - It was discovered that Libtasn1 did not properly perform bounds checking. An attacker could possibly use this issue to cause a crash.

CVE-2021-46848: Out-of-bound access in ETYPE_OK (#32) · Issues · gnutls / libtasn1 · GitLab

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

CVE-2022-41686: en/security-disclosure/2022/2022-10.md · OpenHarmony/security - Gitee.com

OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have an Out-of-bound memory read and write vulnerability in /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. The unprivileged process run on the device could read out-of-bound memory leading sensitive to information disclosure. The processes with system user UID run on the device would be able to write out-of-bound memory which could lead to unspecified memory corruption.

CVE-2022-2879: archive/tar: unbounded memory consumption when reading headers · Issue #54853 · golang/go

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

CVE-2022-39278: Announcing Istio 1.13.9

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution