Headline
Red Hat Security Advisory 2022-4991-01
Red Hat Security Advisory 2022-4991-01 - XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: xz security update
Advisory ID: RHSA-2022:4991-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4991
Issue date: 2022-06-13
CVE Names: CVE-2022-1271
=====================================================================
- Summary:
An update for xz is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
XZ Utils is an integrated collection of user-space file compression
utilities based on the Lempel-Ziv-Markov chain algorithm (LZMA), which
performs lossless data compression. The algorithm provides a high
compression ratio while keeping the decompression time short.
Security Fix(es):
- gzip: arbitrary-file-write vulnerability (CVE-2022-1271)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability
- Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
xz-5.2.4-4.el8_6.src.rpm
aarch64:
xz-5.2.4-4.el8_6.aarch64.rpm
xz-debuginfo-5.2.4-4.el8_6.aarch64.rpm
xz-debugsource-5.2.4-4.el8_6.aarch64.rpm
xz-devel-5.2.4-4.el8_6.aarch64.rpm
xz-libs-5.2.4-4.el8_6.aarch64.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.aarch64.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.aarch64.rpm
ppc64le:
xz-5.2.4-4.el8_6.ppc64le.rpm
xz-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
xz-debugsource-5.2.4-4.el8_6.ppc64le.rpm
xz-devel-5.2.4-4.el8_6.ppc64le.rpm
xz-libs-5.2.4-4.el8_6.ppc64le.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
s390x:
xz-5.2.4-4.el8_6.s390x.rpm
xz-debuginfo-5.2.4-4.el8_6.s390x.rpm
xz-debugsource-5.2.4-4.el8_6.s390x.rpm
xz-devel-5.2.4-4.el8_6.s390x.rpm
xz-libs-5.2.4-4.el8_6.s390x.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.s390x.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.s390x.rpm
x86_64:
xz-5.2.4-4.el8_6.x86_64.rpm
xz-debuginfo-5.2.4-4.el8_6.i686.rpm
xz-debuginfo-5.2.4-4.el8_6.x86_64.rpm
xz-debugsource-5.2.4-4.el8_6.i686.rpm
xz-debugsource-5.2.4-4.el8_6.x86_64.rpm
xz-devel-5.2.4-4.el8_6.i686.rpm
xz-devel-5.2.4-4.el8_6.x86_64.rpm
xz-libs-5.2.4-4.el8_6.i686.rpm
xz-libs-5.2.4-4.el8_6.x86_64.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.i686.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.x86_64.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.i686.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64:
xz-debuginfo-5.2.4-4.el8_6.aarch64.rpm
xz-debugsource-5.2.4-4.el8_6.aarch64.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.aarch64.rpm
xz-lzma-compat-5.2.4-4.el8_6.aarch64.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.aarch64.rpm
ppc64le:
xz-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
xz-debugsource-5.2.4-4.el8_6.ppc64le.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
xz-lzma-compat-5.2.4-4.el8_6.ppc64le.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.ppc64le.rpm
s390x:
xz-debuginfo-5.2.4-4.el8_6.s390x.rpm
xz-debugsource-5.2.4-4.el8_6.s390x.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.s390x.rpm
xz-lzma-compat-5.2.4-4.el8_6.s390x.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.s390x.rpm
x86_64:
xz-debuginfo-5.2.4-4.el8_6.x86_64.rpm
xz-debugsource-5.2.4-4.el8_6.x86_64.rpm
xz-libs-debuginfo-5.2.4-4.el8_6.x86_64.rpm
xz-lzma-compat-5.2.4-4.el8_6.x86_64.rpm
xz-lzma-compat-debuginfo-5.2.4-4.el8_6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYqcmhtzjgjWX9erEAQjwbg/+OcStevSwAAQYrQ7adHq4Ggde4sQKJE5V
cMK3nf+6Rz/lRpuaHA70av9RBUxcT4a3OqRjPXMs9JJNFH2uPjZ8nQi4+LbJ7Wii
/sKotuFyF8Ec6ZLozvS/AQ5TudW5hwEbE7VYIFaTX+YL/bqM+ywqDSPBwBxfEB4u
PYwjo5I3TkRlUHSf5vbCsQTh/itepfxPUYrKjbJ2lJTfp+JF+b4B10hST/uS8rO+
dH7Xp5dq1t2CXb18FAMHp7hJ43xaPRtJR+BQZ9XtEJvtEo72kwIummsYhoaZlbZ3
HJ+aYHW3vguzSV/0LbgH8yQjn3c3OntBhptDZtR9dYGacHqCIJH/dmByz8GlqpVg
O8PgFcHApBy1185PXOgM4ceaYWD9kxlsEtY4O7RcGqgADydBhxS09XnjBh8oxPG3
9jvr1ZroJ0pvOPq4XyeSt41esV6t6JXeh7SH3E/SpvFA+2ECB45g/lo/hXT765p0
qP9LDx5VL1JAt2gf6L129hndTim5CaRdr23l3i/uqvRRMoVmGUtNpMj14j89lBvp
HO0FsVDLF1bStYSnhFy/YZxCPiPPDTBQZgV28ps1wM30rMlVB5SF+H9xjVqm5nhl
4YUEV+xIEtJ64pDD30J1+BiQO9461bIFz+F4e37j0f1tFEwVrxB6QWAS4kAE6M63
h72rLGWrdVE=
=IUb8
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat Security Advisory 2023-0786-01 - Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Red Hat Security Advisory 2022-6890-01 - Red Hat OpenShift Virtualization release 4.8.7 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2022-6681-01 - Red Hat OpenShift Virtualization release 4.9.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important.
Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.
An update is now available for Service Telemetry Framework 1.4 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read
The Migration Toolkit for Containers (MTC) 1.7.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1365: cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group
Red Hat Security Advisory 2022-5531-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.1 General Availability release images, which fix security issues and bugs.
Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-25032: zlib: A flaw found in zlib when compressing (not decompressing) certain inputs * CVE-2022-1271: gzip: arbitrary-file-write vulnerability * CVE-2022-1966: kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root * CVE-2...
Red Hat Security Advisory 2022-5153-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.
Red Hat Security Advisory 2022-5189-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.
Red Hat Security Advisory 2022-5152-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1902: stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext
An update for xz is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability
An update for xz is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability
An update for xz is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability
Red Hat Security Advisory 2022-4896-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include heap overflow, out of bounds write, and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-2265-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.58.
Red Hat Security Advisory 2022-2264-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.6.58.
Red Hat Security Advisory 2022-2272-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.41.
Red Hat Security Advisory 2022-2268-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.51.
Red Hat OpenShift Container Platform release 4.8.41 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file
Logging Subsystem 5.4.1 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2021-43797: netty: control chars in header names may lead to HTTP request smuggling * CVE-2022-21698: prometheus/client_golang: Denial of service u...