Red Hat Security Advisory 2024-9885-03
Red Hat Security Advisory 2024-9885-03 - Red Hat Trusted Profile Analyzer 1.2.0 release. Red Hat Product Security has rated this update as having a security impact of Moderate.
The following advisory data is extracted from:
https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9885.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Trusted Profile Analyzer 1.2.0
Advisory ID: RHSA-2024:9885-03
Product: Red Hat Trusted Profile Analyzer
Advisory URL: https://access.redhat.com/errata/RHSA-2024:9885
Issue date: 2024-11-26
Revision: 03
CVE Names: CVE-2024-45296
====================================================================

Summary:

Red Hat Trusted Profile Analyzer 1.2.0 release. Red Hat Product Security has rated this update as having a security impact of Moderate.

Description:

Red Hat Trusted Profile Analyzer 1.2.0

Solution:

CVEs:

CVE-2024-45296

References:

https://issues.redhat.com/browse/TC-1815
https://issues.redhat.com/browse/TC-1817
https://issues.redhat.com/browse/TC-1818
https://issues.redhat.com/browse/TC-1841
https://issues.redhat.com/browse/TC-1842
https://issues.redhat.com/browse/TC-1846
https://issues.redhat.com/browse/TC-1847
https://issues.redhat.com/browse/TC-1855
https://issues.redhat.com/browse/TC-1857
https://bugzilla.redhat.com/show_bug.cgi?id=2310908
https://bugzilla.redhat.com/show_bug.cgi?id=2311171
https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2/html/release_notes/index
https://issues.redhat.com/browse/TC-1713
https://issues.redhat.com/browse/TC-1721
https://issues.redhat.com/browse/TC-1757
https://issues.redhat.com/browse/TC-1769
https://issues.redhat.com/browse/TC-1770
https://issues.redhat.com/browse/TC-1799
https://issues.redhat.com/browse/TC-1800
https://issues.redhat.com/browse/TC-1810
https://issues.redhat.com/browse/TC-1801
Related news
Red Hat Security Advisory 2024-8014-03 - Network Observability 1.7 for Red Hat OpenShift. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.
Red Hat Security Advisory 2024-7726-03 - Red Hat OpenShift Service Mesh Containers for 2.6.2. Issues addressed include code execution and denial of service vulnerabilities.
### Impact

In certain cases, `path-to-regexp` will output a regular expression that can be exploited to cause poor performance.

### Patches

For users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.

Version 0.1.10 adds backtracking protection when a custom regular expression is not provided, so it's still possible to manually create a ReDoS vulnerability if you are providing custom regular expressions. Version 8.0.0 removes all features that can cause a ReDoS and stops exposing the regular expression directly.

### Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves pe...