RHSA-2023:3106: Red Hat Security Advisory: curl security and bug fix update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
- CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and the CURLOPT_USE_SSL level.
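The match-check gap described for CVE-2023-27535, modelled as an added example (this is illustrative Python, not curl's source and not Red Hat code): a pool that compares only endpoint and login reuses a connection opened with a different FTP account or TLS level, so the second transfer runs with settings it never asked for. The class and function names here are invented; the field names mirror the four libcurl options the advisory lists, and the two transfer setups are constructed.

```python
"""Model of the connection-pool match check behind CVE-2023-27535.

Added example for this advisory; not code from curl or Red Hat. The names
TransferSetup, ConnectionPool, matches_pre_fix, matches_fixed and
settings_drift are invented here; the FTP fields mirror the libcurl options
the advisory names (CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, CURLOPT_USE_SSL).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class TransferSetup:
    """Everything one transfer asks for; a pooled connection is one of these."""
    scheme: str
    host: str
    port: int
    user: str
    password: str
    ftp_account: Optional[str] = None              # CURLOPT_FTP_ACCOUNT
    ftp_alternative_to_user: Optional[str] = None  # CURLOPT_FTP_ALTERNATIVE_TO_USER
    ftp_ssl_ccc: str = "none"                      # CURLOPT_FTP_SSL_CCC
    use_ssl: str = "none"                          # CURLOPT_USE_SSL level


def matches_pre_fix(pooled: TransferSetup, wanted: TransferSetup) -> bool:
    """The flawed check: endpoint and login are compared, the four FTP
    settings are not, so the match succeeds "too easily"."""
    return (pooled.scheme, pooled.host, pooled.port, pooled.user, pooled.password) == \
        (wanted.scheme, wanted.host, wanted.port, wanted.user, wanted.password)


def matches_fixed(pooled: TransferSetup, wanted: TransferSetup) -> bool:
    """Corrected check: the FTP-specific settings must agree as well."""
    return matches_pre_fix(pooled, wanted) and (
        pooled.ftp_account == wanted.ftp_account
        and pooled.ftp_alternative_to_user == wanted.ftp_alternative_to_user
        and pooled.ftp_ssl_ccc == wanted.ftp_ssl_ccc
        and pooled.use_ssl == wanted.use_ssl
    )


class ConnectionPool:
    """Keeps finished connections and hands one back when it matches."""

    def __init__(self, match: Callable[[TransferSetup, TransferSetup], bool]):
        self._match = match
        self._conns: List[TransferSetup] = []

    def acquire(self, wanted: TransferSetup) -> Tuple[TransferSetup, bool]:
        """Return (connection, reused). A reused connection carries the
        settings it was opened with, which is what the server sees."""
        for conn in self._conns:
            if self._match(conn, wanted):
                return conn, True
        self._conns.append(wanted)
        return wanted, False


def settings_drift(match, first: TransferSetup, second: TransferSetup) -> List[str]:
    """Run two transfers through a pool using `match` and list the FTP settings
    the second transfer actually ran with that differ from what it requested.
    An empty list means the pool did not hand out a mismatched connection."""
    pool = ConnectionPool(match)
    pool.acquire(first)
    conn, reused = pool.acquire(second)
    if not reused:
        return []
    return [name for name in ("ftp_account", "ftp_alternative_to_user",
                              "ftp_ssl_ccc", "use_ssl")
            if getattr(conn, name) != getattr(second, name)]


# Constructed sample: same server and login, but the second transfer asks for
# TLS on the whole session and a different FTP account string.
FIRST = TransferSetup("ftp", "ftp.example.test", 21, "svc", "secret",
                      ftp_account="billing", use_ssl="none")
SECOND = TransferSetup("ftp", "ftp.example.test", 21, "svc", "secret",
                       ftp_account="archive", use_ssl="all")

if __name__ == "__main__":
    print("pre-fix drift:", settings_drift(matches_pre_fix, FIRST, SECOND))
    print("fixed drift:  ", settings_drift(matches_fixed, FIRST, SECOND))
```

With the pre-fix check the second transfer silently runs on a connection whose account and TLS level are not the ones it configured; with the fixed check the pool opens a fresh connection instead, which is the behaviour the updated packages restore.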
Issued: 2023-05-16
Updated: 2023-05-16
RHSA-2023:3106 - Security Advisory
Synopsis
Moderate: curl security and bug fix update
Type/Severity
Security Advisory: Moderate
Topic
An update for curl is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
- curl: FTP too eager connection reuse (CVE-2023-27535)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Cannot upload files to Jscape SFTP server: file gets created empty (BZ#2188029)
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2179073 - CVE-2023-27535 curl: FTP too eager connection reuse
- BZ - 2188029 - Cannot upload files to Jscape SFTP server: file gets created empty [rhel-8.8.0.z]
Red Hat Enterprise Linux for x86_64 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
x86_64
curl-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 925c984f4ba9b2789a98cf657a466064c283bfded4d935b8c522b4767c3fdd7c
curl-debuginfo-7.61.1-30.el8_8.2.i686.rpm
SHA-256: c3c6b0ffce2b494415fa773e13f1f495a99403e0e93975df7c734c3ab31880d0
curl-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 369b3b5372a90c549f8ed7ec9f56be94beb3a24d2395ef1b31d60a3ca7d2f009
curl-debugsource-7.61.1-30.el8_8.2.i686.rpm
SHA-256: 0fbfbaf9a23ceacb8a85e242989f913bf3fcfb8ab202c8f45b9f36ca73aa5479
curl-debugsource-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 42f661392927a8adc0c602e09dbe3fcdba3c68bc8c27e65d94bf0ffcca4f3022
curl-minimal-debuginfo-7.61.1-30.el8_8.2.i686.rpm
SHA-256: 0dc7a83ca5f318a7d9867cd931124bddc3cf11e342028c88e7e091b9ebd739e8
curl-minimal-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: f77e8a4276677e4b1c7b1689f04cc5195d45fe2c5ba1a7dabe4ea57cfaf15e59
libcurl-7.61.1-30.el8_8.2.i686.rpm
SHA-256: 77c8fda6c84566663d392635280bce43973ffb1c3589b5c92578c9b18104a109
libcurl-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 3600b7fe6efaacf23b1be068dbcf987f33915944d3e5e6a3514e378b62337c42
libcurl-debuginfo-7.61.1-30.el8_8.2.i686.rpm
SHA-256: 19e2965eca1394dce1499d52ee5cfae6ffe166e789219cef41e5c10ca0d5535a
libcurl-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 4740e766f1fb268598e7d10b7ae9b8f9162a3de2ad328fe5144b3adfd370746c
libcurl-devel-7.61.1-30.el8_8.2.i686.rpm
SHA-256: e7bca60459b0fd1e05059d087c8a46689899fb13c633d3ed875ac36504bc9f89
libcurl-devel-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: ed1623c68623321963a648be58699805e9de1b432462a726e26c9d1d1b40b96f
libcurl-minimal-7.61.1-30.el8_8.2.i686.rpm
SHA-256: f447b979b5fc847d28c14fb375e90f1573f7f4ac0b97648cafc8174b4ea8545f
libcurl-minimal-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 5705615f95c0fc22e11de667b0985566ecdcb8df366e1eb976469d2f0184de42
libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.i686.rpm
SHA-256: 9b9eadc57774e80fa219fcd89c2399f51486e2d5c34b2f3b41e87a5f4f71be44
libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 20cea61fbe680a3baa0ad60693a2a2e52f2a5e8b78fc6e6858e81b2ff2038208
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
s390x
curl-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 9edd005a2fe81e427a4a916d2610267f8d34bc1c54152c39a2a98f7e8e4305d3
curl-debuginfo-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 2153ea79dc791001b4145eb90b1c338e663c362b17a22ae86ca223b2c062f74e
curl-debugsource-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 9a108eeb16207bb048c6c6bef0fffaf9a27d3c018bb2bb48a2598b024ff34d1e
curl-minimal-debuginfo-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 80cc18b37cdb4b0717dd3feefddda8acf3f9343864ff42488fe28009d6ea96dd
libcurl-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 6bd213a7247b4d93ceff3f8966be0fbbd528b80ef3e5e1449f9aa6d62071220e
libcurl-debuginfo-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 1dd964550301b29966b41f64f0e7e69ea50eccf3a3cef3bc38527719873b42ee
libcurl-devel-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: d5572787ab11da80f11e81184cce6995c06da8efddad5b0123327d8a9451e7c6
libcurl-minimal-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 9427e4f055eff5f2952c38a7d8313796d45d8104b9fb3176a985f64eb86a39bb
libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 38df1461f4b1951f1dea6c2635bfc409c9bc3f725916e9acf0d7398078c52c2c
Red Hat Enterprise Linux for Power, little endian 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
ppc64le
curl-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: ed4cad86e735a32c4f41b3d10ac94cb1c9606d088879de73dff4ab5b0c0c43a0
curl-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 64153baf744dec009ef6822e118f0a06f1597ed9e22273b4c4e03c88d05e22da
curl-debugsource-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 6cec202effc3f22f7fae2f5fdff0952edbe5197251f5cc327badf87151db36cd
curl-minimal-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 4fa11edb7a72cc84b658153303be2a9ec39620f216c10e344f457d74d11746d4
libcurl-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: b2697c2daa76fe12a0db1299e323222439c4d5b85667f11cb0e8d1be387b105b
libcurl-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 1c72e11a289ee81166cec01fc76ae9cdc34d290e1a2097008880901b7a6c27bf
libcurl-devel-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 79899cefd05c576c3023307c2193da78379c957a1cd9310181e399ed09909ae3
libcurl-minimal-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: b0a3ff9a6be676e302ac05c5e4d39a2f723183841fc13401f980d43a60d07364
libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm
SHA-256: 818221fe1e0bb47f17e826295d0f04fed528200b6c264e9476f15f4177285dca
Red Hat Enterprise Linux for ARM 64 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
aarch64
curl-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 020ee97b4f32b227eb8fa59281a9d42a83ac216985e182affd4549f799a526cd
curl-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 321023cb2671b1a9b7bbb1aee82db00109b2f12cc6b87627c264c72fb10170fc
curl-debugsource-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 3859bc21ba3343459062ceee6e00d9f7d9f163927578696921695e06f9ecf1db
curl-minimal-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 8b9186640262dd792d3478915ce1bd4144c52dc7e4432916b080c45dcfbc4646
libcurl-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: b2a7b441b0af1636f2c16e6106e5ecd549e94378b78ba19fc8a23837ce0fe65d
libcurl-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: bfa0b5166f8818a24bde4063f4572380d54de73650d12defbc5fc5e2cf67fe3b
libcurl-devel-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 49a9906696546dc440901dc546fc70a4fb778d090631bcf4bfaae0ff07404fd7
libcurl-minimal-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 2cb4d058ba75209b30967eed64d9f91eb27ff0dfeaf5540179582ab31cce10d2
libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm
SHA-256: 7b8f83cb15f0a69d5bada110236729ebf82e5820c7ef5b2ad77eccfadb631d00
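A practitioner who mirrors these packages will want to check downloaded files against the digests above. The following is an added example, not a Red Hat tool: it parses the advisory's "file name / SHA-256:" line pairs (the excerpt embedded below is copied from this page's package list, where the SRPM recurs under each architecture with the same digest) and reports whether a file's contents match. The function names are invented and the file contents used in the `__main__` block are whatever the caller supplies.

```python
"""Verify downloaded RPMs against the SHA-256 list published in this advisory.

Added example for this page, not Red Hat code. parse_manifest, sha256_hex,
verify_bytes and verify_file are invented helpers. ADVISORY_EXCERPT is copied
from the advisory's package list (x86_64 and s390x sections).
"""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Optional

HEX64 = re.compile(r"^[0-9a-f]{64}$")

ADVISORY_EXCERPT = """\
Red Hat Enterprise Linux for x86_64 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
x86_64
curl-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 925c984f4ba9b2789a98cf657a466064c283bfded4d935b8c522b4767c3fdd7c
libcurl-7.61.1-30.el8_8.2.x86_64.rpm
SHA-256: 3600b7fe6efaacf23b1be068dbcf987f33915944d3e5e6a3514e378b62337c42
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
curl-7.61.1-30.el8_8.2.src.rpm
SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3
s390x
curl-7.61.1-30.el8_8.2.s390x.rpm
SHA-256: 9edd005a2fe81e427a4a916d2610267f8d34bc1c54152c39a2a98f7e8e4305d3
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Map package file name -> expected SHA-256 (lower-case hex).
    Product/arch headings are skipped. A file listed more than once (the
    SRPM) must carry the same digest each time, otherwise the list is suspect."""
    manifest: Dict[str, str] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(".rpm"):
            pending = line
        elif line.startswith("SHA-256:"):
            if pending is None:
                raise ValueError(f"digest without a preceding file name: {line}")
            digest = line.split(":", 1)[1].strip().lower()
            if not HEX64.match(digest):
                raise ValueError(f"malformed digest for {pending}: {digest}")
            if manifest.get(pending, digest) != digest:
                raise ValueError(f"conflicting digests for {pending}")
            manifest[pending] = digest
            pending = None
    return manifest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _judge(digest: str, name: str, manifest: Dict[str, str]) -> str:
    expected = manifest.get(name)
    if expected is None:
        return "not-in-advisory"
    return "ok" if digest == expected else "mismatch"


def verify_bytes(data: bytes, name: str, manifest: Dict[str, str]) -> str:
    """'ok', 'mismatch' or 'not-in-advisory' for in-memory file contents."""
    return _judge(sha256_hex(data), name, manifest)


def verify_file(path: Path, manifest: Dict[str, str]) -> str:
    """Same verdict for a file on disk, hashed in 1 MiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return _judge(h.hexdigest(), path.name, manifest)


MANIFEST = parse_manifest(ADVISORY_EXCERPT)

if __name__ == "__main__":
    # Usage: python verify_rpms.py curl-7.61.1-30.el8_8.2.x86_64.rpm ...
    for arg in sys.argv[1:]:
        print(f"{verify_file(Path(arg), MANIFEST):16} {arg}")
```

Only an "ok" verdict means the file is the one the advisory describes; "not-in-advisory" is worth treating as a red flag rather than a pass, since a package with the right name but outside the published list is exactly what a tampered mirror would serve.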
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.