Headline
RHSA-2022:7970: Red Hat Security Advisory: protobuf security update
An update for protobuf is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Synopsis
Moderate: protobuf security update
Type/Severity
Security Advisory: Moderate
Topic
An update for protobuf is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The protobuf packages provide Protocol Buffers, Google’s data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
Security Fix(es):
- protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference (CVE-2021-22570)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
protobuf-3.14.0-13.el9.src.rpm
x86_64
protobuf-3.14.0-13.el9.i686.rpm
protobuf-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-lite-3.14.0-13.el9.i686.rpm
protobuf-lite-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm
python3-protobuf-3.14.0-13.el9.noarch.rpm
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
protobuf-3.14.0-13.el9.src.rpm
s390x
protobuf-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-lite-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm
python3-protobuf-3.14.0-13.el9.noarch.rpm
Red Hat Enterprise Linux for Power, little endian 9
SRPM
protobuf-3.14.0-13.el9.src.rpm
ppc64le
protobuf-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm
python3-protobuf-3.14.0-13.el9.noarch.rpm
Red Hat Enterprise Linux for ARM 64 9
SRPM
protobuf-3.14.0-13.el9.src.rpm
aarch64
protobuf-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-lite-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm
python3-protobuf-3.14.0-13.el9.noarch.rpm
Red Hat CodeReady Linux Builder for x86_64 9
SRPM
x86_64
protobuf-compiler-3.14.0-13.el9.i686.rpm
protobuf-compiler-3.14.0-13.el9.x86_64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-debugsource-3.14.0-13.el9.i686.rpm
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm
protobuf-devel-3.14.0-13.el9.i686.rpm
protobuf-devel-3.14.0-13.el9.x86_64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm
protobuf-lite-devel-3.14.0-13.el9.i686.rpm
protobuf-lite-devel-3.14.0-13.el9.x86_64.rpm
Red Hat CodeReady Linux Builder for Power, little endian 9
SRPM
ppc64le
protobuf-compiler-3.14.0-13.el9.ppc64le.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm
protobuf-devel-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm
protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm
Red Hat CodeReady Linux Builder for ARM 64 9
SRPM
aarch64
protobuf-compiler-3.14.0-13.el9.aarch64.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm
protobuf-devel-3.14.0-13.el9.aarch64.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm
protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm
Red Hat CodeReady Linux Builder for IBM z Systems 9
SRPM
s390x
protobuf-compiler-3.14.0-13.el9.s390x.rpm
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-debugsource-3.14.0-13.el9.s390x.rpm
protobuf-devel-3.14.0-13.el9.s390x.rpm
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm
protobuf-lite-devel-3.14.0-13.el9.s390x.rpm
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.