RHSA-2023:3106: Red Hat Security Advisory: curl security and bug fix update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
Red Hat Security Data


Issued: 2023-05-16

Updated: 2023-05-16

RHSA-2023:3106 - Security Advisory


Synopsis

Moderate: curl security and bug fix update

Type/Severity

Security Advisory: Moderate



Description

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: FTP too eager connection reuse (CVE-2023-27535)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Cannot upload files to Jscape SFTP server: file gets created empty (BZ#2188029)

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 (x86_64)
  • Red Hat Enterprise Linux for IBM z Systems 8 (s390x)
  • Red Hat Enterprise Linux for Power, little endian 8 (ppc64le)
  • Red Hat Enterprise Linux for ARM 64 8 (aarch64)

Fixes

  • BZ - 2179073 - CVE-2023-27535 curl: FTP too eager connection reuse
  • BZ - 2188029 - Cannot upload files to Jscape SFTP server: file gets created empty [rhel-8.8.0.z]

Red Hat Enterprise Linux for x86_64 8

SRPM

  • curl-7.61.1-30.el8_8.2.src.rpm (SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3)

x86_64

  • curl-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 925c984f4ba9b2789a98cf657a466064c283bfded4d935b8c522b4767c3fdd7c)
  • curl-debuginfo-7.61.1-30.el8_8.2.i686.rpm (SHA-256: c3c6b0ffce2b494415fa773e13f1f495a99403e0e93975df7c734c3ab31880d0)
  • curl-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 369b3b5372a90c549f8ed7ec9f56be94beb3a24d2395ef1b31d60a3ca7d2f009)
  • curl-debugsource-7.61.1-30.el8_8.2.i686.rpm (SHA-256: 0fbfbaf9a23ceacb8a85e242989f913bf3fcfb8ab202c8f45b9f36ca73aa5479)
  • curl-debugsource-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 42f661392927a8adc0c602e09dbe3fcdba3c68bc8c27e65d94bf0ffcca4f3022)
  • curl-minimal-debuginfo-7.61.1-30.el8_8.2.i686.rpm (SHA-256: 0dc7a83ca5f318a7d9867cd931124bddc3cf11e342028c88e7e091b9ebd739e8)
  • curl-minimal-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: f77e8a4276677e4b1c7b1689f04cc5195d45fe2c5ba1a7dabe4ea57cfaf15e59)
  • libcurl-7.61.1-30.el8_8.2.i686.rpm (SHA-256: 77c8fda6c84566663d392635280bce43973ffb1c3589b5c92578c9b18104a109)
  • libcurl-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 3600b7fe6efaacf23b1be068dbcf987f33915944d3e5e6a3514e378b62337c42)
  • libcurl-debuginfo-7.61.1-30.el8_8.2.i686.rpm (SHA-256: 19e2965eca1394dce1499d52ee5cfae6ffe166e789219cef41e5c10ca0d5535a)
  • libcurl-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 4740e766f1fb268598e7d10b7ae9b8f9162a3de2ad328fe5144b3adfd370746c)
  • libcurl-devel-7.61.1-30.el8_8.2.i686.rpm (SHA-256: e7bca60459b0fd1e05059d087c8a46689899fb13c633d3ed875ac36504bc9f89)
  • libcurl-devel-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: ed1623c68623321963a648be58699805e9de1b432462a726e26c9d1d1b40b96f)
  • libcurl-minimal-7.61.1-30.el8_8.2.i686.rpm (SHA-256: f447b979b5fc847d28c14fb375e90f1573f7f4ac0b97648cafc8174b4ea8545f)
  • libcurl-minimal-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 5705615f95c0fc22e11de667b0985566ecdcb8df366e1eb976469d2f0184de42)
  • libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.i686.rpm (SHA-256: 9b9eadc57774e80fa219fcd89c2399f51486e2d5c34b2f3b41e87a5f4f71be44)
  • libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.x86_64.rpm (SHA-256: 20cea61fbe680a3baa0ad60693a2a2e52f2a5e8b78fc6e6858e81b2ff2038208)

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

  • curl-7.61.1-30.el8_8.2.src.rpm (SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3)

s390x

  • curl-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 9edd005a2fe81e427a4a916d2610267f8d34bc1c54152c39a2a98f7e8e4305d3)
  • curl-debuginfo-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 2153ea79dc791001b4145eb90b1c338e663c362b17a22ae86ca223b2c062f74e)
  • curl-debugsource-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 9a108eeb16207bb048c6c6bef0fffaf9a27d3c018bb2bb48a2598b024ff34d1e)
  • curl-minimal-debuginfo-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 80cc18b37cdb4b0717dd3feefddda8acf3f9343864ff42488fe28009d6ea96dd)
  • libcurl-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 6bd213a7247b4d93ceff3f8966be0fbbd528b80ef3e5e1449f9aa6d62071220e)
  • libcurl-debuginfo-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 1dd964550301b29966b41f64f0e7e69ea50eccf3a3cef3bc38527719873b42ee)
  • libcurl-devel-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: d5572787ab11da80f11e81184cce6995c06da8efddad5b0123327d8a9451e7c6)
  • libcurl-minimal-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 9427e4f055eff5f2952c38a7d8313796d45d8104b9fb3176a985f64eb86a39bb)
  • libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.s390x.rpm (SHA-256: 38df1461f4b1951f1dea6c2635bfc409c9bc3f725916e9acf0d7398078c52c2c)

Red Hat Enterprise Linux for Power, little endian 8

SRPM

  • curl-7.61.1-30.el8_8.2.src.rpm (SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3)

ppc64le

  • curl-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: ed4cad86e735a32c4f41b3d10ac94cb1c9606d088879de73dff4ab5b0c0c43a0)
  • curl-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 64153baf744dec009ef6822e118f0a06f1597ed9e22273b4c4e03c88d05e22da)
  • curl-debugsource-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 6cec202effc3f22f7fae2f5fdff0952edbe5197251f5cc327badf87151db36cd)
  • curl-minimal-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 4fa11edb7a72cc84b658153303be2a9ec39620f216c10e344f457d74d11746d4)
  • libcurl-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: b2697c2daa76fe12a0db1299e323222439c4d5b85667f11cb0e8d1be387b105b)
  • libcurl-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 1c72e11a289ee81166cec01fc76ae9cdc34d290e1a2097008880901b7a6c27bf)
  • libcurl-devel-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 79899cefd05c576c3023307c2193da78379c957a1cd9310181e399ed09909ae3)
  • libcurl-minimal-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: b0a3ff9a6be676e302ac05c5e4d39a2f723183841fc13401f980d43a60d07364)
  • libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.ppc64le.rpm (SHA-256: 818221fe1e0bb47f17e826295d0f04fed528200b6c264e9476f15f4177285dca)

Red Hat Enterprise Linux for ARM 64 8

SRPM

  • curl-7.61.1-30.el8_8.2.src.rpm (SHA-256: abefe0c99d2e505ee3dc6e41aabc8bb5a218aea2e0582ecf294253bc33ec1ef3)

aarch64

  • curl-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 020ee97b4f32b227eb8fa59281a9d42a83ac216985e182affd4549f799a526cd)
  • curl-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 321023cb2671b1a9b7bbb1aee82db00109b2f12cc6b87627c264c72fb10170fc)
  • curl-debugsource-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 3859bc21ba3343459062ceee6e00d9f7d9f163927578696921695e06f9ecf1db)
  • curl-minimal-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 8b9186640262dd792d3478915ce1bd4144c52dc7e4432916b080c45dcfbc4646)
  • libcurl-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: b2a7b441b0af1636f2c16e6106e5ecd549e94378b78ba19fc8a23837ce0fe65d)
  • libcurl-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: bfa0b5166f8818a24bde4063f4572380d54de73650d12defbc5fc5e2cf67fe3b)
  • libcurl-devel-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 49a9906696546dc440901dc546fc70a4fb778d090631bcf4bfaae0ff07404fd7)
  • libcurl-minimal-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 2cb4d058ba75209b30967eed64d9f91eb27ff0dfeaf5540179582ab31cce10d2)
  • libcurl-minimal-debuginfo-7.61.1-30.el8_8.2.aarch64.rpm (SHA-256: 7b8f83cb15f0a69d5bada110236729ebf82e5820c7ef5b2ad77eccfadb631d00)
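The affected-products list and the package table above give a practitioner everything needed to answer two questions on a RHEL 8 host: is the installed curl still below the fixed build 7.61.1-30.el8_8.2, and does a downloaded RPM match the SHA-256 the advisory publishes? The following POSIX shell script is an added example, not code from the advisory or from Red Hat's tooling. It assumes GNU coreutils (`sort -V`, `sha256sum`); using `sort -V` in place of rpm's own EVR comparison is an assumption that holds for these el8 builds, which carry no epoch and share one versioning scheme. The `rpm -q` output it processes is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory or Red Hat): check a RHEL 8 host against
# the fixed curl build published in RHSA-2023:3106 and verify a downloaded RPM.

# Version-release of the fixed build, taken from the advisory's package list.
FIXED_EVR="7.61.1-30.el8_8.2"

# is_older INSTALLED FIXED: succeeds when INSTALLED sorts below FIXED.
# Assumption: GNU sort -V orders these el8 version-release strings the same
# way rpm's EVR comparison does (true here: no epoch, same versioning scheme).
is_older() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# report_vulnerable reads "NAME VERSION-RELEASE" lines on stdin, the shape of
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' curl libcurl libcurl-minimal
# prints one status line per package and fails if any package is below the fix.
report_vulnerable() {
    status=0
    while read -r name evr; do
        [ -z "$name" ] && continue
        if is_older "$evr" "$FIXED_EVR"; then
            echo "VULNERABLE $name-$evr (fixed in $FIXED_EVR)"
            status=1
        else
            echo "OK $name-$evr"
        fi
    done
    return "$status"
}

# verify_sha256 FILE EXPECTED: succeeds when FILE hashes to the advisory's value,
# e.g. verify_sha256 curl-7.61.1-30.el8_8.2.src.rpm abefe0c9...33ec1ef3
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Constructed sample of rpm -q output for a host that has updated curl itself
# but still carries an older libcurl (release strings invented for the example).
SAMPLE_RPM_OUTPUT='curl 7.61.1-30.el8_8.2
libcurl 7.61.1-22.el8
libcurl-minimal 7.61.1-30.el8_8.2'

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | report_vulnerable \
    || echo "At least one curl package still needs RHSA-2023:3106 applied."
```

On a real host, replace the sample with the `rpm -q --qf` pipeline shown in the comment; a non-zero exit from `report_vulnerable` is what a fleet-wide check should alert on. Checking all three package names matters because `libcurl` and `libcurl-minimal` are the libraries applications actually load, so an updated `curl` binary alone does not close CVE-2023-27535.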

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

Red Hat Security Advisory 2023-4657-01

Red Hat Security Advisory 2023-4657-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.2. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-4576-01

Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

RHSA-2023:4488: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 6.0.1 [security update]

The components for Red Hat OpenShift support for Windows Containers 6.0.1 are now available. This product release includes bug fixes and security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject...

RHSA-2023:4475: Red Hat Security Advisory: Gatekeeper Operator v0.2 security fixes and enhancements

Gatekeeper Operator v0.2 security fixes and enhancements Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

Red Hat Security Advisory 2023-4286-01

Red Hat Security Advisory 2023-4286-01 - Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development.

RHSA-2023:4238: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.9 security and bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.9 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.

RHSA-2023:4025: Red Hat Security Advisory: Red Hat OpenShift support for Windows Containers 7.1.0 [security update]

The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates...

RHSA-2023:3905: Red Hat Security Advisory: Network Observability 1.3.0 for OpenShift

Network Observability 1.3.0 for OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted input. * CVE-2023-24540: A flaw was found in golang,...

RHSA-2023:3813: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4492: A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step (that should at least be performed by default) in HTTPS and in http/2...

CVE-2023-32463: DSA-2023-200: Security Update for Dell VxRail for Multiple Third-Party Component Vulnerabilities

Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3609-01

Red Hat Security Advisory 2023-3609-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

RHSA-2023:3645: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.2.7 security update

Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documents. * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtai...

RHSA-2023:3609: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.4 security and Bug Fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.4 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3172: A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.

Red Hat Security Advisory 2023-3495-01

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

RHSA-2023:3495: Red Hat Security Advisory: Logging Subsystem 5.7.2 - Red Hat OpenShift security update

Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...

Red Hat Security Advisory 2023-3379-01

Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.

RHSA-2023:3435: Red Hat Security Advisory: Red Hat Advanced Cluster Security 3.74 for Kubernetes security update

An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for the injection of unexpected HTML if executed with untrusted inpu...

CVE-2023-28043: DSA-2023-164: Dell Secure Connect Gateway Security Update for Multiple Vulnerabilities

Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.

RHSA-2023:3373: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...

RHSA-2023:3379: Red Hat Security Advisory: Red Hat Advanced Cluster Security for Kubernetes 3.73 security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...

Red Hat Security Advisory 2023-3326-01

Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-3325-01

Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

RHSA-2023:3325: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates

Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a ho...

Red Hat Security Advisory 2023-3296-01

Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Red Hat Security Advisory 2023-3297-01

Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

RHSA-2023:3297: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

RHSA-2023:3265: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...

RHSA-2023:2650: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Ubuntu Security Notice USN-5964-1

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.