RHSA-2023:2650: Red Hat Security Advisory: curl security update
An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level.
Issued: 2023-05-09
Updated: 2023-05-09
RHSA-2023:2650 - Security Advisory
Synopsis
Moderate: curl security update
Type/Severity
Security Advisory: Moderate
Topic
An update for curl is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
- curl: FTP too eager connection reuse (CVE-2023-27535)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2179073 - CVE-2023-27535 curl: FTP too eager connection reuse
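As an added check, not Red Hat's own tooling and not code from the advisory: a script that compares the curl packages installed on a RHEL 9 host against the fixed build named in this advisory's package list (curl-7.76.1-23.el9_2.1), using a port of rpm's own version-comparison algorithm rather than a plain string compare. It assumes the host runs RHEL 9 with the packages from this advisory, and that `rpm -q --qf` prints `(none)` for an unset epoch; the sample rpm output in the block is constructed.

```python
import shutil
import subprocess

# Fixed build from the advisory's package list (curl-7.76.1-23.el9_2.1).
FIXED_EVR = "7.76.1-23.el9_2.1"
# Binary packages named in the advisory that carry the fix.
PACKAGES = ("curl", "curl-minimal", "libcurl", "libcurl-minimal", "libcurl-devel")

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a is older than b, 0 if equal, 1 if newer."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = (a[i] if i < len(a) else ""), (b[j] if j < len(b) else "")
        if ca == "~" or cb == "~":  # '~' (pre-release) sorts before everything, even end of string
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # '^' (post-release) beats end of string, loses to anything else
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()  # take one run of digits, or one run of letters, from each side
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while ia < len(a) and kind(a[ia]):
            ia += 1
        while jb < len(b) and kind(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:  # segment types differ: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # after stripping zeros, the longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)  # leftover chars win

def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch, or rpm's "(none)", counts as 0."""
    epoch, sep, rest = evr.rpartition(":")
    if not sep or epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release

def compare_evr(a: str, b: str) -> int:
    """Compare two EVR strings as rpm does: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0

def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed build is the advisory's build or a later one."""
    return compare_evr(installed_evr, fixed_evr) >= 0

def audit(rpm_output: str, fixed_evr: str = FIXED_EVR) -> dict:
    # Input is the output of: rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' <packages>
    # Lines for packages that are not installed ("package X is not installed") are skipped.
    result = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in PACKAGES:
            result[parts[0]] = is_fixed(parts[1], fixed_evr)
    return result

# Constructed sample of rpm output: curl updated, libcurl and libcurl-devel still on an older build.
SAMPLE_RPM_OUTPUT = """\
curl (none):7.76.1-23.el9_2.1
libcurl (none):7.76.1-19.el9
package libcurl-minimal is not installed
libcurl-devel (none):7.76.1-19.el9
"""

def query_rpm() -> str:
    """Run the rpm query on this host, or return the constructed sample where rpm is absent."""
    if shutil.which("rpm") is None:
        return SAMPLE_RPM_OUTPUT
    cmd = ["rpm", "-q", "--qf", r"%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n", *PACKAGES]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    for name, ok in audit(query_rpm()).items():
        print(name, "fixed" if ok else f"older than {FIXED_EVR}, still affected")
```

A mixed result like the sample (curl fixed, libcurl not) is what a partially applied update looks like; libcurl is the package that actually carries the connection-pool code, so it is the one to verify.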
Updated Packages
Source package (the same SRPM for all four listed products): curl-7.76.1-23.el9_2.1.src.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.
Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24532: A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh. * CVE-2023-24534: A flaw was found in Golang Go...
Red Hat Security Advisory 2023-4575-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.
cert-manager Operator for Red Hat OpenShift 1.10.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specia...
Red Hat Security Advisory 2023-4472-01 - Version 1.29.1 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13. This release includes security and bug fixes, and enhancements.
Red Hat OpenShift Serverless version 1.29.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. * CVE-2023-24539: A flaw was found in golang where angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containin...
Red Hat Security Advisory 2023-4286-01 - Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development.
Red Hat Security Advisory 2023-4238-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat Security Advisory 2023-4025-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.
An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4492: A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2...
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
An update for ztp-site-generate-container, topology-aware-lifecycle-manager and bare-metal-event-relay is now available for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM identities and roles may be manipulate...
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...
Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.
Logging Subsystem 5.7.2 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2023-27539: A denial of service vulnerability was found in rubygem-rack in how it parses headers. A carefully crafted input can cause header parsing to take an unexpe...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
Red Hat Security Advisory 2023-3379-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-41854: Those using Sn...
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions...
Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-3325-01 - Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a ho...
Red Hat Security Advisory 2023-3296-01 - Multicluster Engine for Kubernetes 2.2.4 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Red Hat Security Advisory 2023-3297-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in vm2. After creating a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbo...
Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in vm2. After creating a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23539: A flaw was found in the jsonwebtoken package. The affected versions of the `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. *...
An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27535: A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERN...
An authentication bypass vulnerability exists in libcurl before 8.0.0 in the FTP connection reuse feature that can result in the wrong credentials being used for a subsequent transfer. Previously created connections are kept in a connection pool and reused if they match the current transfer's setup. However, the FTP settings CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the match check, so a pooled connection that was authenticated with a different account, or established under a different TLS requirement, still matched. A transfer could therefore run over a connection authenticated as a different identity, or without the TLS protection it requested, potentially exposing sensitive information.
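To make the match-check gap concrete, the following is an added, simplified model of the pool lookup described above; it is not curl source. The `ftp_conn` struct, the two `*_matches()` functions and the sample connections are hypothetical stand-ins for libcurl's internal connection data and its `ConnectionExists()` logic, and the `use_ssl` levels are the CURLUSESSL_* values (NONE=0, TRY=1) written as plain integers. The "vulnerable" matcher compares only host, port and login, as pre-8.0.0 libcurl effectively did for these fields; the "fixed" matcher also compares the four FTP options.

```c
/* Added illustration of CVE-2023-27535 (not libcurl code): a pooled FTP
 * connection is reused when the match check ignores the FTP-specific
 * options, and rejected once those options are part of the check. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the per-connection data libcurl keeps. */
struct ftp_conn {
    const char *host;
    int         port;
    const char *user;
    const char *passwd;
    /* The four settings left out of the match before curl 8.0.0. */
    const char *account;              /* CURLOPT_FTP_ACCOUNT */
    const char *alternative_to_user;  /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    int         use_ssl;              /* CURLOPT_USE_SSL level: 0 NONE, 1 TRY */
    bool        ccc;                  /* CURLOPT_FTP_SSL_CCC */
};

/* NULL-safe string compare: 0 when both NULL or equal, 1 otherwise. */
static int str_differs(const char *a, const char *b)
{
    if (a == NULL && b == NULL) return 0;
    if (a == NULL || b == NULL) return 1;
    return strcmp(a, b) != 0;
}

/* Fields both versions compare: endpoint and USER/PASS login. */
static bool base_matches(const struct ftp_conn *needle,
                         const struct ftp_conn *check)
{
    return strcmp(needle->host, check->host) == 0 &&
           needle->port == check->port &&
           !str_differs(needle->user, check->user) &&
           !str_differs(needle->passwd, check->passwd);
}

/* Pre-8.0.0 behaviour: ACCOUNT, ALTERNATIVE_TO_USER, USE_SSL and CCC are
 * ignored, so a connection authenticated differently, or with a different
 * TLS requirement, is still considered a match and gets reused. */
bool vulnerable_matches(const struct ftp_conn *needle,
                        const struct ftp_conn *check)
{
    return base_matches(needle, check);
}

/* 8.0.0 behaviour: the four FTP settings must match too; otherwise the
 * pooled connection is skipped and a fresh one is established. */
bool fixed_matches(const struct ftp_conn *needle,
                   const struct ftp_conn *check)
{
    if (!base_matches(needle, check))
        return false;
    if (str_differs(needle->account, check->account) ||
        str_differs(needle->alternative_to_user, check->alternative_to_user) ||
        needle->use_ssl != check->use_ssl ||
        needle->ccc != check->ccc)
        return false;
    return true;
}

/* Constructed sample: the pooled connection logged in with ACCOUNT
 * "alice-acct" and asked for TLS (TRY); the new transfer wants ACCOUNT
 * "bob-acct" and no TLS, with the same USER/PASS. Not real server data. */
static const struct ftp_conn pooled = {
    "ftp.example.test", 21, "alice", "s3cret", "alice-acct", NULL, 1, false
};
static const struct ftp_conn wanted = {
    "ftp.example.test", 21, "alice", "s3cret", "bob-acct", NULL, 0, false
};

/* Results of the lookup under each matcher. */
bool demo_vulnerable_reuses(void)      { return vulnerable_matches(&wanted, &pooled); }
bool demo_fixed_reuses(void)           { return fixed_matches(&wanted, &pooled); }
/* Sanity check: an identical setup still reuses the connection after the fix. */
bool demo_fixed_reuses_identical(void) { return fixed_matches(&pooled, &pooled); }

int main(void)
{
    printf("vulnerable matcher reuses pooled connection: %s\n",
           demo_vulnerable_reuses() ? "yes (wrong ACCOUNT, no TLS)" : "no");
    printf("fixed matcher reuses pooled connection:      %s\n",
           demo_fixed_reuses() ? "yes" : "no");
    printf("fixed matcher reuses identical setup:        %s\n",
           demo_fixed_reuses_identical() ? "yes" : "no");
    return 0;
}
```

The practical remedy is the updated curl package from the advisory. An application that cannot update yet and changes these FTP options between transfers on the same easy handle or multi handle can force a fresh connection with `CURLOPT_FRESH_CONNECT` (and prevent the old one being pooled with `CURLOPT_FORBID_REUSE`), at the cost of an extra TCP and TLS handshake per transfer.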
Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.