Headline
Red Hat Security Advisory 2022-7314-01
Red Hat Security Advisory 2022-7314-01 - The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Issues addressed include buffer over-read and buffer overflow vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: zlib security update
Advisory ID: RHSA-2022:7314-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7314
Issue date: 2022-11-02
CVE Names: CVE-2022-37434
====================================================================
- Summary:
An update for zlib is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The zlib packages provide a general-purpose lossless data compression
library that is used by many different programs.
Security Fix(es):
- zlib: a heap-based buffer over-read or buffer overflow in inflate in
inflate.c via a large gzip header extra field (CVE-2022-37434)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64:
minizip-compat-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-debugsource-1.2.11-32.el9_0.aarch64.rpm
zlib-devel-1.2.11-32.el9_0.aarch64.rpm
ppc64le:
minizip-compat-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-debugsource-1.2.11-32.el9_0.ppc64le.rpm
zlib-devel-1.2.11-32.el9_0.ppc64le.rpm
s390x:
minizip-compat-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-debugsource-1.2.11-32.el9_0.s390x.rpm
zlib-devel-1.2.11-32.el9_0.s390x.rpm
x86_64:
minizip-compat-debuginfo-1.2.11-32.el9_0.i686.rpm
minizip-compat-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-debuginfo-1.2.11-32.el9_0.i686.rpm
zlib-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-debugsource-1.2.11-32.el9_0.i686.rpm
zlib-debugsource-1.2.11-32.el9_0.x86_64.rpm
zlib-devel-1.2.11-32.el9_0.i686.rpm
zlib-devel-1.2.11-32.el9_0.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source:
zlib-1.2.11-32.el9_0.src.rpm
aarch64:
minizip-compat-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-1.2.11-32.el9_0.aarch64.rpm
zlib-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-debugsource-1.2.11-32.el9_0.aarch64.rpm
ppc64le:
minizip-compat-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-1.2.11-32.el9_0.ppc64le.rpm
zlib-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-debugsource-1.2.11-32.el9_0.ppc64le.rpm
s390x:
minizip-compat-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-1.2.11-32.el9_0.s390x.rpm
zlib-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-debugsource-1.2.11-32.el9_0.s390x.rpm
x86_64:
minizip-compat-debuginfo-1.2.11-32.el9_0.i686.rpm
minizip-compat-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-1.2.11-32.el9_0.i686.rpm
zlib-1.2.11-32.el9_0.x86_64.rpm
zlib-debuginfo-1.2.11-32.el9_0.i686.rpm
zlib-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-debugsource-1.2.11-32.el9_0.i686.rpm
zlib-debugsource-1.2.11-32.el9_0.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
aarch64:
minizip-compat-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-debuginfo-1.2.11-32.el9_0.aarch64.rpm
zlib-debugsource-1.2.11-32.el9_0.aarch64.rpm
zlib-static-1.2.11-32.el9_0.aarch64.rpm
ppc64le:
minizip-compat-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-debuginfo-1.2.11-32.el9_0.ppc64le.rpm
zlib-debugsource-1.2.11-32.el9_0.ppc64le.rpm
zlib-static-1.2.11-32.el9_0.ppc64le.rpm
s390x:
minizip-compat-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-debuginfo-1.2.11-32.el9_0.s390x.rpm
zlib-debugsource-1.2.11-32.el9_0.s390x.rpm
zlib-static-1.2.11-32.el9_0.s390x.rpm
x86_64:
minizip-compat-debuginfo-1.2.11-32.el9_0.i686.rpm
minizip-compat-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-debuginfo-1.2.11-32.el9_0.i686.rpm
zlib-debuginfo-1.2.11-32.el9_0.x86_64.rpm
zlib-debugsource-1.2.11-32.el9_0.i686.rpm
zlib-debugsource-1.2.11-32.el9_0.x86_64.rpm
zlib-static-1.2.11-32.el9_0.i686.rpm
zlib-static-1.2.11-32.el9_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/security/updates/classification#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY2K9ItzjgjWX9erEAQiHfxAAlO5bDXesPL2aHyX6C15K0NCSqYYSugpc
jh5XWHtBDSf0tFLDI7D0ru2cDe98WRoQ0MJNZA2HNwCx1tznW6jJX4cnYHlnCeC4
/thKFW1MfXV/n40Fu7Boq8BmrLCHixTwe/pGuz19YYIJeKexdDmN5mf5tYp01BXW
uDwCfC0VgwU0zFcG4TXvHZdI+CDTFr/azkC/aXpFCVyTMZAw5ZiTRgu1WL/UKyrU
prhsHcxXoICqJbJYu5gql3QGaXwGXYP/N7RMlfaSI60FL6trDE5+1f7eJTugsxwv
jyaarOy7AWlno/lEMrffQ7/9k9xUpowt8Qt0LDjuTP3tPlGULkyb1DYQOUkttniD
b4X4k/DY5PBwZTOeGsPBbFcvliwcwgMVqmGfZHZcsRc7VSsGzrGsyowVxvxJqasP
VPjOMOKeQVEf3Kpl0Nvfd5D2k24NlqgXpiLpSevwkJTi6c7VWUPrGGCTmL5XUy8T
4ISiB+bDwlmI5LxhqOyVdHLeVnNaeR6wxEfQ855CDCXMAeElHodi+KxGvqrWceVQ
pEinvfduBT1Y8HO8ztDWYJ6KM1r/9JOTiACpMoKGw5KqSQnSrPwCuoZIwlXK6fiE
C26HKcnaq3GK0IDkT+LaVUtl4k8Ja8V4Rv0OMwU1JgbwTUTI/iQweKDAldn8/cbA
NVQfk+Oscic=3u2M
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
IBM Security Guardium 11.3 could allow an authenticated user to cause a denial of service due to improper input validation. IBM X-Force ID: 240903.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.
Red Hat Security Advisory 2023-1095-01 - The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Issues addressed include a buffer over-read vulnerability.
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General Availability release images, which provide security updates, fix bugs, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
Red Hat Security Advisory 2022-8964-01 - The rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator operator has been updated for RHEL-8 based Middleware Containers to address the following security issues. Issues addressed include a traversal vulnerability.
Red Hat Security Advisory 2022-8841-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer over-read, buffer overflow, bypass, code execution, denial of service, double free, integer overflow, out of bounds read, and use-after-free vulnerabilities.
An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1292: openssl: c_rehash script allows command injection * CVE-2022-2068: openssl: the c_rehash script allows command injection * CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody * CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds * CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling * CVE-2...
Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-8291-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Issues addressed include a buffer over-read vulnerability.
Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.
Red Hat Security Advisory 2022-6882-01 - Openshift Logging 5.3.13 security and bug fix release.
An update for rsync is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-37434: zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
Red Hat Security Advisory 2022-7407-01 - Service Binding Operator 1.3.1 is now available for OpenShift Developer Tools and Services for OCP 4.9 +.
Red Hat Security Advisory 2022-7276-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service, server-side request forgery, and remote SQL injection vulnerabilities.
An update for zlib is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-37434: zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
Red Hat OpenShift Container Platform release 4.11.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 15.7 and iPadOS 15.7, iOS 16.1 and iPadOS 16. An app may be able to access iOS backups.
This issue was addressed with improved entitlements. This issue is fixed in iOS 16.1 and iPadOS 16. An app may be able to record audio using a pair of connected AirPods.
Gentoo Linux Security Advisory 202210-42 - A buffer overflow in zlib might allow an attacker to cause remote code execution. Versions less than 1.2.12-r3 are affected.
Apple Security Advisory 2022-10-27-12 - watchOS 9.1 addresses code execution, out of bounds write, and spoofing vulnerabilities.
Ubuntu Security Notice 5570-2 - USN-5570-1 fixed a vulnerability in zlib. This update provides the corresponding update for Ubuntu 22.04 LTS and Ubuntu 20.04 LTS. Evgeny Legerov discovered that zlib incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5573-1 - Evgeny Legerov discovered that zlib incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause rsync to crash, resulting in a denial of service, or possibly execute arbitrary code.