Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2022:4994: Red Hat Security Advisory: xz security update

An update for xz is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1271: gzip: arbitrary-file-write vulnerability
Red Hat Security Data
#vulnerability#web#linux#red_hat#nodejs#js#java#kubernetes#aws#sap#ssl

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager

All Products

Issued:

2022-06-13

Updated:

2022-06-13

RHSA-2022:4994 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: xz security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for xz is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm (LZMA), which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short.

Security Fix(es):

  • gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1 x86_64

Fixes

  • BZ - 2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1

SRPM

xz-5.2.4-4.el8_1.src.rpm

SHA-256: 10727a48787b1e4b8d1702390cfdf30ca275d5ca11d5e3451c7b7f56f1e78de7

ppc64le

xz-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: 033b743bac357dc70217e7614751c99f3cef31b685ed669a465ad9af63c1fd63

xz-debuginfo-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: a4bd63c2bbcad16ab4aa1e9ac4762db46eafa55abd429ee37d65a8d585e85cd6

xz-debugsource-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: 5e0276bed5d6f94565db3d01b8c60b86d974deefdb972386cc067802b7082290

xz-devel-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: 9fa5f3c432ccfbf0ffe73a199e6335f7c636f8b152440b912af0aae168230461

xz-libs-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: 095b70c571a9a466e4cb9884335eb715e58c351a7eded9a00f6bb346eaf5c024

xz-libs-debuginfo-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: 3d61551f16c25fadb9f31d7315d97a7ef7e673a4c7a12a6a8c72a6251fa0aba8

xz-lzma-compat-debuginfo-5.2.4-4.el8_1.ppc64le.rpm

SHA-256: e05b423c6acb700fdf484575dd2a0982598e90713a6af5a35bc0056c170f2c37

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1

SRPM

xz-5.2.4-4.el8_1.src.rpm

SHA-256: 10727a48787b1e4b8d1702390cfdf30ca275d5ca11d5e3451c7b7f56f1e78de7

x86_64

xz-5.2.4-4.el8_1.x86_64.rpm

SHA-256: d93c6d2be3890cb007bddf375d0a82a843e5a89003a2d4f385ac35fc2d31793f

xz-debuginfo-5.2.4-4.el8_1.i686.rpm

SHA-256: c2a9862972d2d77f21a7a948bc1c616c8f1a22db218fd04f17864db2b73123b3

xz-debuginfo-5.2.4-4.el8_1.x86_64.rpm

SHA-256: 799b8367915e9a2d44d1e7b84477fa4fc1b9a414e05d592244624d077d14ea30

xz-debugsource-5.2.4-4.el8_1.i686.rpm

SHA-256: 8b97b980cc7f2f7aa1b7fab28328e01e7435471cf3990274bea14640c35cc09b

xz-debugsource-5.2.4-4.el8_1.x86_64.rpm

SHA-256: 52254399bf54708ef87c17c4f4729b24c3f0415757ecbfd4c31696bdd0dcdc00

xz-devel-5.2.4-4.el8_1.i686.rpm

SHA-256: daa4ba4323f9dad7e877ac54f628e2f937f173863b40ff4209308aa8688d343d

xz-devel-5.2.4-4.el8_1.x86_64.rpm

SHA-256: 7717109703d32a7e4e7f71863dcb425be442ab8dabc34d8a13f512d4192e84b8

xz-libs-5.2.4-4.el8_1.i686.rpm

SHA-256: a081158bdcbdc348aecd64950521b395e6816ebf3ca81603661336aadbded683

xz-libs-5.2.4-4.el8_1.x86_64.rpm

SHA-256: f2393385d69c0eb954dbde55e57ee955fb8930d8549a24103c19f8b5af73571c

xz-libs-debuginfo-5.2.4-4.el8_1.i686.rpm

SHA-256: 7738f23854513b08481fcec3829e0ba5c98866e7e38784b5891ae3ead67568da

xz-libs-debuginfo-5.2.4-4.el8_1.x86_64.rpm

SHA-256: b755cad5244f6613f740d11ff5fa365d4430b68a6ced7a8bc4851c3cda77fe0b

xz-lzma-compat-debuginfo-5.2.4-4.el8_1.i686.rpm

SHA-256: 6cb32d528dd867ed7f74790ff3b3730c0f59922e037291154828abb0c3bf0b73

xz-lzma-compat-debuginfo-5.2.4-4.el8_1.x86_64.rpm

SHA-256: 8ee9d9231b70dfb46fc6858be6e91f1cfcaa54773184443df5a1d885347d9fda

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-4053-01

Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

Red Hat Security Advisory 2023-0786-01

Red Hat Security Advisory 2023-0786-01 - Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Red Hat Security Advisory 2022-6890-01

Red Hat Security Advisory 2022-6890-01 - Red Hat OpenShift Virtualization release 4.8.7 is now available with updates to packages and images that fix several bugs and add enhancements.

RHSA-2022:6681: Red Hat Security Advisory: OpenShift Virtualization 4.9.6 Images security and bug fix update

Red Hat OpenShift Virtualization release 4.9.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1798: kubeVirt: Arbitrary file read on the host from KubeVirt VMs

Red Hat Security Advisory 2022-6252-02

Red Hat Security Advisory 2022-6252-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 3.11.784. Issues addressed include a bypass vulnerability.

RHSA-2022:6252: Red Hat Security Advisory: OpenShift Container Platform 3.11.784 security update

Red Hat OpenShift Container Platform release 3.11.784 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-39226: grafana: Snapshot authentication bypass

CVE-2022-1271: Invalid Bug ID

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

RHSA-2022:5924: Red Hat Security Advisory: Service Telemetry Framework 1.4 security update

An update is now available for Service Telemetry Framework 1.4 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read

RHSA-2022:5840: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1365: cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group

Red Hat Security Advisory 2022-5673-01

Red Hat Security Advisory 2022-5673-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. Issues addressed include a code execution vulnerability.

RHSA-2022:5556: Red Hat Security Advisory: Logging Subsystem 5.4.3 - Red Hat OpenShift security update

Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Red Hat Security Advisory 2022-5439-01

Red Hat Security Advisory 2022-5439-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include heap overflow, privilege escalation, and use-after-free vulnerabilities.

RHSA-2022:5392: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.3.11 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.3.11 general availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak * CVE-2022-21803: nconf: Prototype pollution in memory store * CVE-2022-23806: golang: crypto/elliptic IsOnCurv...

Red Hat Security Advisory 2022-5189-01

Red Hat Security Advisory 2022-5189-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.

Red Hat Security Advisory 2022-5152-01

Red Hat Security Advisory 2022-5152-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2022-5132-01

Red Hat Security Advisory 2022-5132-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes.

Red Hat Security Advisory 2022-5006-01

Red Hat Security Advisory 2022-5006-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2022-4994-01

Red Hat Security Advisory 2022-4994-01 - XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short.

RHSA-2022:4940: Red Hat Security Advisory: xz security update

An update for xz is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability

Red Hat Security Advisory 2022-4582-01

Red Hat Security Advisory 2022-4582-01 - The gzip packages contain the gzip data compression utility. gzip is used to compress regular files. It replaces them with files containing the .gz extension, while retaining ownership modes, access, and modification times.

RHSA-2022:4896: Red Hat Security Advisory: Red Hat Virtualization security, bug fix, and enhancement update [ovirt-4.5.0]

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-25032: zlib: A flaw found in zlib when compressing (not decompressing) certain inputs * CVE-2021-4028: kernel: use-after-free in RDMA listen() * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0778: openssl:...

Red Hat Security Advisory 2022-2264-01

Red Hat Security Advisory 2022-2264-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.6.58.

Red Hat Security Advisory 2022-2268-01

Red Hat Security Advisory 2022-2268-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.51.

Red Hat Security Advisory 2022-2283-01

Red Hat Security Advisory 2022-2283-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.35.

RHSA-2022:4582: Red Hat Security Advisory: gzip security update

An update for gzip is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability

RHSA-2022:2191: Red Hat Security Advisory: gzip security update

An update for gzip is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1271: gzip: arbitrary-file-write vulnerability

RHSA-2022:2216: Red Hat Security Advisory: Red Hat OpenShift Logging Security and Bug update Release 5.4.1

Logging Subsystem 5.4.1 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2021-43797: netty: control chars in header names may lead to HTTP request smuggling * CVE-2022-21698: prometheus/client_golang: Denial of service u...

RHSA-2022:2183: Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are available for technology preview.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-11253: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service * CVE-2019-19794: golang-github-miekg-dns: predictable TXID can lead to response forgeries * CVE-2020-15257: containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation * CVE-2021-29482: ulikunitz/xz: Infinite loop in readUvarint allows for denial of service * CVE-2021-32760: containerd: pulling and extracting crafted container image may result in Unix file permission changes