RHSA-2022:8361: Red Hat Security Advisory: e2fsprogs security update
Related CVEs:
- CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystem
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Issued: 2022-11-15
Updated: 2022-11-15
RHSA-2022:8361 - Security Advisory
Synopsis
Moderate: e2fsprogs security update
Type/Severity
Security Advisory: Moderate
Topic
An update for e2fsprogs is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems.
Security Fix(es):
- e2fsprogs: out-of-bounds read/write via crafted filesystem (CVE-2022-1304)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2069726 - CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
e2fsprogs-1.46.5-3.el9.src.rpm
SHA-256: 57fadd719eb1fd62e2194a928c4ba8d2460a22603c7a4a22a41ab6b167748814
x86_64
e2fsprogs-1.46.5-3.el9.x86_64.rpm
SHA-256: b72bd553293c7d9e53d9f264f625b0c6c4ec46b4bd15538bcf59829e182204af
e2fsprogs-debuginfo-1.46.5-3.el9.i686.rpm
SHA-256: e4817f061975ef7916e7bd32192c4b965d8d15bdf9a864c0d7dae1e16a7e87c9
e2fsprogs-debuginfo-1.46.5-3.el9.x86_64.rpm
SHA-256: 08cb9ed183b62c5cb59fdcf6fc86e1383b2ddf0ce14d34eb2628b708d8dd3a64
e2fsprogs-debugsource-1.46.5-3.el9.i686.rpm
SHA-256: b4f6bce919f0bd168175a44990b81da1891b1ce7fa3663ec1fd627e3e9999257
e2fsprogs-debugsource-1.46.5-3.el9.x86_64.rpm
SHA-256: cc16ba6ea84184262283b25aba710ee1d476742a74bb712c45707f697c50fcdf
e2fsprogs-devel-1.46.5-3.el9.i686.rpm
SHA-256: d5b9553100c37d566284b6c52e667c1f8f46ad14061be68cf096746002054e4c
e2fsprogs-devel-1.46.5-3.el9.x86_64.rpm
SHA-256: 3b5934acdd8d5eee9ef0dc29a7a11a28183806adc6ef02ff5224c1de821c125b
e2fsprogs-libs-1.46.5-3.el9.i686.rpm
SHA-256: d057313b915506ca5839f3274987056ca42a1acdc90013dcf7e859bbb6b473e3
e2fsprogs-libs-1.46.5-3.el9.x86_64.rpm
SHA-256: 80fadaa3c82e156ae8977136ff16b10a6dee28778c96ae5803c153ad717a265c
e2fsprogs-libs-debuginfo-1.46.5-3.el9.i686.rpm
SHA-256: 50d82fa9b162ad05c450bc2fb22e67ec4abeae9f4a40d84fcb4f93320ea33688
e2fsprogs-libs-debuginfo-1.46.5-3.el9.x86_64.rpm
SHA-256: 6066a2b0b81173a1a9b284c2b456af7e018af67acecf4dbfe88ccc912d6f1ae1
libcom_err-1.46.5-3.el9.i686.rpm
SHA-256: de37e0ddbe7a2135db45cdcde896e1f0fd50c82f38feb6d23451c11116f6420c
libcom_err-1.46.5-3.el9.x86_64.rpm
SHA-256: 7f8ec907e86b63d44e1b2fcf867077c2d1c4297d860164abd6e469b3af1e91e0
libcom_err-debuginfo-1.46.5-3.el9.i686.rpm
SHA-256: eb6ef268b553950440e4d3b7bcd376ee2294963887fca8101276bc65e7d56cca
libcom_err-debuginfo-1.46.5-3.el9.x86_64.rpm
SHA-256: 2c96d4421cedca2cc9b3fa04e57c23263671aba96cc889ec427482ef8777c750
libcom_err-devel-1.46.5-3.el9.i686.rpm
SHA-256: 19623f7e21e005759981e381d463d7187f0ec7b7c1ac9f688e73853cf258d8ac
libcom_err-devel-1.46.5-3.el9.x86_64.rpm
SHA-256: 28c7f1461670b081da2034c5847aa3c3e0179bb0c6ff8008c343e0adba52589a
libss-1.46.5-3.el9.i686.rpm
SHA-256: 4fbd0d4869804e567b630a04ab02f18eef50fd3a9b4bdbff2ff831c3bee1ec1d
libss-1.46.5-3.el9.x86_64.rpm
SHA-256: cf0662ef00d4e84727fafc79cee6941f865e0cb657332dd7448759b2f83a4809
libss-debuginfo-1.46.5-3.el9.i686.rpm
SHA-256: ba9a364e1bd7cbc4a462c55ab1258c10d897bbb1135f7c24d6bdd468c53f3366
libss-debuginfo-1.46.5-3.el9.x86_64.rpm
SHA-256: 094ae42664e7bfb3d4ed73eac482c0351fa8616a0dab9717d36e3bca06f026e0
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
e2fsprogs-1.46.5-3.el9.src.rpm
SHA-256: 57fadd719eb1fd62e2194a928c4ba8d2460a22603c7a4a22a41ab6b167748814
s390x
e2fsprogs-1.46.5-3.el9.s390x.rpm
SHA-256: d204ce257e367fe5549d6c4a9323d2e3c04bbfa619a00949c500e29be72490e5
e2fsprogs-debuginfo-1.46.5-3.el9.s390x.rpm
SHA-256: cedbb4f01f482845305e15ec99204a1c74cc17c5074bafe5724827d8924fba15
e2fsprogs-debugsource-1.46.5-3.el9.s390x.rpm
SHA-256: bda5727417e30148f629aacf4d564d88324692bf78f130d3864ee2ce4528b1b7
e2fsprogs-devel-1.46.5-3.el9.s390x.rpm
SHA-256: c9d9c767b4fb094677311f31014b7b2f4e2328482534786d359e605d0a804827
e2fsprogs-libs-1.46.5-3.el9.s390x.rpm
SHA-256: 2f17abd66b0b098da224e1f43b976619bb659581ab4f15690ac1ab45d5e7bd05
e2fsprogs-libs-debuginfo-1.46.5-3.el9.s390x.rpm
SHA-256: ee84f44cc1602ab7bffad6783a01928bca09d9b5e07001fc2b509daee92203fc
libcom_err-1.46.5-3.el9.s390x.rpm
SHA-256: e27d502a629e5e2f4ff3d459a244848015f7399188d99f9ab34f96942f6ef60d
libcom_err-debuginfo-1.46.5-3.el9.s390x.rpm
SHA-256: 310a341a4749d23cbaa7d829f9716b912c03325c5a64c16be08849356c01266d
libcom_err-devel-1.46.5-3.el9.s390x.rpm
SHA-256: 5221d52f5473cd82d63d1e3679fa8ba931c16e12c9ea630a18a4741ab1a92cb8
libss-1.46.5-3.el9.s390x.rpm
SHA-256: 17b6c01d13a6ad28c1c6a60ff5c0139e0e0477e582fa2e6e9754139694efc2f2
libss-debuginfo-1.46.5-3.el9.s390x.rpm
SHA-256: ac0de46c837abdf35eaecbe8d0fdfa961f2268c4b3979f91c1f074a970442ccc
Red Hat Enterprise Linux for Power, little endian 9
SRPM
e2fsprogs-1.46.5-3.el9.src.rpm
SHA-256: 57fadd719eb1fd62e2194a928c4ba8d2460a22603c7a4a22a41ab6b167748814
ppc64le
e2fsprogs-1.46.5-3.el9.ppc64le.rpm
SHA-256: 764ffc1b2f76b5f8307b95c0c1bca458f2a961c789bd86a23907cdf7dc485684
e2fsprogs-debuginfo-1.46.5-3.el9.ppc64le.rpm
SHA-256: b58e1375bccd0a117a59d501abcbf4531e006cd71d6b09676bbca9d8865fdfd8
e2fsprogs-debugsource-1.46.5-3.el9.ppc64le.rpm
SHA-256: 5a240f60e17fc4d6c35f6b382f8363fd6f0f060997a2b3293b5a6dbfde20de11
e2fsprogs-devel-1.46.5-3.el9.ppc64le.rpm
SHA-256: 3023134c3896f8432216410262dfc838815b315ebbacc40eb6645545885ee862
e2fsprogs-libs-1.46.5-3.el9.ppc64le.rpm
SHA-256: 041724c5fd151f1946213c3cf986442dd26785e414dfb5f944df2589168119e3
e2fsprogs-libs-debuginfo-1.46.5-3.el9.ppc64le.rpm
SHA-256: 3f2f705c071f60fcf2a1abe7998ab720db51c51cfc1082c328be04f07ad855b3
libcom_err-1.46.5-3.el9.ppc64le.rpm
SHA-256: 0a538f092a0a8a7370e81567d025dfbfca442af0393ff9254003ddc7d54de7cd
libcom_err-debuginfo-1.46.5-3.el9.ppc64le.rpm
SHA-256: 738a6f4faf085373141ecf7a0da4e8654725835b3cffc919ea8504e453e20e8d
libcom_err-devel-1.46.5-3.el9.ppc64le.rpm
SHA-256: 978cd87ecedbc0f1e30b6e7ed48b23ec87d3d455d0606f585d9b83a404294d3c
libss-1.46.5-3.el9.ppc64le.rpm
SHA-256: 294f66ab2f40519fb9166e065e8604642c5bd81dfd590c8fa8dddbf4b1ef9ac1
libss-debuginfo-1.46.5-3.el9.ppc64le.rpm
SHA-256: eb190d1da984d9db14a7cd2fbb2ac29e3c04cde83eb4bec27fbc28c702dd450d
Red Hat Enterprise Linux for ARM 64 9
SRPM
e2fsprogs-1.46.5-3.el9.src.rpm
SHA-256: 57fadd719eb1fd62e2194a928c4ba8d2460a22603c7a4a22a41ab6b167748814
aarch64
e2fsprogs-1.46.5-3.el9.aarch64.rpm
SHA-256: 367feabc4a99da45c00043f50a9fc1ce7f6bf1af683418786c6bc8f9558869e5
e2fsprogs-debuginfo-1.46.5-3.el9.aarch64.rpm
SHA-256: af48b8c66e49798cef45d5fd4eb2d35ad6736a491c7198ffdd4a0bd513cc5624
e2fsprogs-debugsource-1.46.5-3.el9.aarch64.rpm
SHA-256: 9038855ba86c6f32328f5c1ee239aa896c3a96d090cdeddfe330adf4b5b0e55d
e2fsprogs-devel-1.46.5-3.el9.aarch64.rpm
SHA-256: d03ac9756c7ed1424ab1587b6c3ed21f5786cf1a10029f84816569da751a023b
e2fsprogs-libs-1.46.5-3.el9.aarch64.rpm
SHA-256: 9376b2c76138825d07ec9fae2a5032014c4c1853bd9185526a06df7792f647b5
e2fsprogs-libs-debuginfo-1.46.5-3.el9.aarch64.rpm
SHA-256: f466025f0d0943a315cf41c33714f71d933588d08064f95f4e05dcbb6588b9fb
libcom_err-1.46.5-3.el9.aarch64.rpm
SHA-256: 3041937c233ead2fef4921714783004df226cf8c69c889047042b193908bd366
libcom_err-debuginfo-1.46.5-3.el9.aarch64.rpm
SHA-256: 45affa9e381d80f302a6dc0349204943a27b9061bb89805264088102d4c008a3
libcom_err-devel-1.46.5-3.el9.aarch64.rpm
SHA-256: 9f419c09407e2519f4e0cbc59db68dbae2de8cfba7e416c0e0d7096f92bf7595
libss-1.46.5-3.el9.aarch64.rpm
SHA-256: e514c787f73c236c16874b9b1ceaea42544ef663dbe82f10a8a61f3a0e993642
libss-debuginfo-1.46.5-3.el9.aarch64.rpm
SHA-256: d8089afb58c6e73f88ae28a18aba8768d509314891d2a75225c35e55b80da9b4
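Checking whether a host actually carries this fix means comparing installed EVRs against e2fsprogs-1.46.5-3.el9 the way rpm does, not as plain strings (a later rebuild such as 10.el9 must sort above 3.el9), and the SHA-256 values listed above are there so that RPMs fetched out of band can be verified before installation. The following is an added example, not Red Hat's code or tooling: it ports rpm's rpmvercmp() version-ordering algorithm (general to any advisory, not just this one), parses `rpm -q` output in a fixed query format, reports which advisory packages are still below the fixed build, and streams a SHA-256 over a downloaded file. Assumptions, labelled in the code: epoch 0 for these packages (the file names above never carry an epoch), rpm's %{EPOCHNUM} tag being available (rpm 4.12 or later), and SAMPLE_RPM_QUERY is a constructed query result, not output from a real host.

```python
"""Added example, not Red Hat tooling: is a RHEL 9 host patched for
RHSA-2022:8361, and does a downloaded RPM match the advisory's SHA-256?"""
import hashlib
import subprocess

# Fixed build from the package names above.  ASSUMPTION: epoch 0; RPM file
# names never carry the epoch, so check `rpm -qp --qf '%{EPOCHNUM}' <rpm>`.
FIXED_EVR = ("0", "1.46.5", "3.el9")
FIXED = {name: FIXED_EVR for name in (
    "e2fsprogs", "e2fsprogs-libs", "e2fsprogs-devel",
    "libcom_err", "libcom_err-devel", "libss")}
QUERY_FORMAT = "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n"  # EPOCHNUM is 0 if no epoch
# Constructed sample of `rpm -q --qf QUERY_FORMAT ...` output (not a real host):
SAMPLE_RPM_QUERY = """\
e2fsprogs 0 1.46.5 2.el9
e2fsprogs-libs 0 1.46.5 2.el9
package e2fsprogs-devel is not installed
libcom_err 0 1.46.5 3.el9
libss 0 1.46.5 3.el9
"""

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b.  Digit runs compare
    numerically (10.el9 > 3.el9), letter runs as strings, digits beat letters."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                          # skip separators like '.' and '-'
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb) or "^" in (ca, cb):
            if ca != cb:
                if "~" in (ca, cb):         # '~' sorts before anything, even ""
                    return 1 if ca != "~" else -1
                # '^' sorts after "" but before any further text
                return -1 if ca == "" else 1 if cb == "" or ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        k, m = i, j
        while k < len(a) and same_kind(a[k]):
            k += 1
        while m < len(b) and same_kind(b[m]):
            m += 1
        seg_a, seg_b = a[i:k], b[j:m]
        if not seg_b:                       # numeric vs alpha: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = k, m
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # leftover text wins

def evr_cmp(a, b) -> int:   # (epoch, version, release): epoch, then V, then R
    return ((int(a[0]) > int(b[0])) - (int(a[0]) < int(b[0]))
            or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2]))

def parse_rpm_query(text: str) -> dict:
    """{name: (epoch, version, release)} from QUERY_FORMAT output.  'not installed'
    lines are skipped; a name listed twice (multilib) keeps its lowest EVR."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        name, evr = parts[0], tuple(parts[1:])
        if name not in installed or evr_cmp(evr, installed[name]) < 0:
            installed[name] = evr
    return installed

def unpatched(installed: dict, fixed: dict = FIXED) -> list:
    """Advisory packages that are installed but older than the fixed build."""
    return sorted(n for n, evr in installed.items()
                  if n in fixed and evr_cmp(evr, fixed[n]) < 0)

def check_host(names=tuple(FIXED)) -> list:
    """Query rpm on this host; returns the advisory packages still unpatched."""
    out = subprocess.run(["rpm", "-q", "--qf", QUERY_FORMAT, *names],
                         capture_output=True, text=True).stdout
    return unpatched(parse_rpm_query(out))

def sha256_matches(path: str, expected_hex: str) -> bool:
    """Streaming SHA-256 of a downloaded RPM against the advisory's value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()
```

Saved under a file name of your choosing (say rhsa_check.py, a hypothetical name) it is run as `python3 -c 'import rhsa_check; print(rhsa_check.check_host())'`; `rpm -q` exits non-zero when any queried package is absent, which check_host tolerates by reading only stdout. Two caveats: this is an EVR comparison, not a vulnerability scan, so on a subscribed host `dnf updateinfo info RHSA-2022:8361` and `dnf update --advisory=RHSA-2022:8361` remain the supported path; and the SHA-256 values are an integrity check for packages fetched out of band, not a substitute for verifying the Red Hat GPG signature with `rpm -K` before installing.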
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202402-15 - A vulnerability has been discovered in e2fsprogs which can lead to arbitrary code execution. Versions greater than or equal to 1.46.6 are affected.
Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.
OpenShift sandboxed containers 1.4.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...
The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.
OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. * CVE-2022...
Red Hat Security Advisory 2023-0918-01 - Service Binding manages the data plane for applications and backing services.
Red Hat Security Advisory 2023-0786-01 - Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.
Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Network observability 1.1.0 release for OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0813: A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.
Red Hat Security Advisory 2023-0709-01 - Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. This release includes security and bug fixes, and enhancements.
Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General Availability release images, which provide security updates, fix bugs, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
Red Hat Security Advisory 2022-8964-01 - The rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator operator has been updated for RHEL-8 based Middleware Containers to address the following security issues. Issues addressed include a traversal vulnerability.
Red Hat Security Advisory 2022-8938-01 - Version 1.26.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements.
Updated rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 based Middleware Containers. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: keycloak: path traversal via double URL encoding * CVE-2022-3916: keycloak: Session takeover with OIDC offline refreshtokens
Red Hat Security Advisory 2022-8889-01 - This is an Openshift Logging bug fix release. Issues addressed include a denial of service vulnerability.
Openshift Logging Bug Fix Release (5.3.14) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays
Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.5.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Related CVEs:
- CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects
- CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers
- CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY
- CVE-2022-32189: golang: math/b...
Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate.
Related CVEs:
- CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
- CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode
- CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression
- CVE-2022-28327: golang: crypto/elliptic: panic caus...
Red Hat Security Advisory 2022-7435-01 - An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Issues addressed include a denial of service vulnerability.
An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate.
Related CVEs:
- CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects
- CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
- CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
- CVE-2022-42004: jackson-databind: use of deeply nested arrays...
Red Hat Security Advisory 2022-7720-01 - The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. Issues addressed include an out of bounds read vulnerability.
An update for e2fsprogs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate.
Related CVEs:
- CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystem
Ubuntu Security Notice 5464-1 - Nils Bars discovered that e2fsprogs incorrectly handled certain file systems. A local attacker could use this issue with a crafted file system image to possibly execute arbitrary code.