RHSA-2021:4409: Red Hat Security Advisory: libgcrypt security and bug fix update

An update for jasper is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es): * jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c (CVE-2020-27828) * jasper: Heap-based buffer over-read in jp2_decode() in jp2_dec.c (CVE-2021-3272) * jasper: Out of bounds read in jp2_decode() in jp2_dec.c (CVE-2021-26926) * jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c (CVE-2021-26927) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on cha...

An update for tcpdump is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can capture and display the packet headers on a particular network interface or on all interfaces. Security Fix(es): * tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory (CVE-2020-8037) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. R...

An update for grilo is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Grilo is a framework that provides access to different sources of multimedia content, using a pluggable system. The grilo package contains the core library and elements. Security Fix(es): * grilo: missing TLS certificate verification (CVE-2021-39365) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2021-39365: grilo: missing TLS certificate ...

An update for file-roller is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.File Roller is an application for creating and viewing archives files, such as tar or zip files. Security Fix(es): * file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736) (CVE-2020-36314) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2020-36314: file-roller: di...

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876) * curl: TELNET stack contents disclosure (CVE-2021-22898) * curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure (CVE-2021-22925) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in th...

An update for spamassassin is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The SpamAssassin tool provides a way to reduce unsolicited commercial email (spam) from incoming email. Security Fix(es): * spamassassin: Malicious rule configuration files can be configured to run system commands (CVE-2020-1946) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2020-1946: spamassassin: Malicious rule configuration fil...

An update for autotrace is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.AutoTrace is a program for converting bitmaps to vector graphics. Security Fix(es): * autotrace: bitmap double free in main.c allows attackers to cause an unspecified impact (CVE-2019-19005) * autotrace: integer overflow in input-bmp.c (CVE-2019-19004) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2019-19004: autotrace: integer overfl...

An update for zziplib is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The zziplib is a lightweight library to easily extract data from zip files. Security Fix(es): * zziplib: infinite loop via the return value of zzip_file_read() as used in unzzip_cat_file() (CVE-2020-18442) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2020-18442: zziplib: infinite loop via the return value of zzip_file_read() as used in unzz...

An update for libX11 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The libX11 packages contain the core X11 protocol client library. Security Fix(es): * libX11: missing request length checks (CVE-2021-31535) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2021-31535: libX11: missing request length checks

An update for libsolv is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The libsolv packages provide a library for resolving package dependencies using a satisfiability algorithm. Security Fix(es): * libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c (CVE-2021-3200) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2021-3200: libsolv: heap-based buffer overflow in testcase_read() in src/testcas...

An update for libssh is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.libssh is a library which implements the SSH protocol. It can be used to implement client and server applications. Security Fix(es): * libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL (CVE-2020-16135) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2020-16135: libssh: NULL pointer dereference in sftpserver.c if ss...

An update for file is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format (ELF) binary files, system libraries, RPM packages, and different graphics formats. Security Fix(es): * file: heap-based buffer overflow in cdf_read_property_info in cdf.c (CVE-2019-18218) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterpris...

An update for bind is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly (CVE-2021-25214) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on change...

An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes link...

An update for glibc is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: Arbitrary read in wordexp() (CVE-2021-35942) * glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c (CVE-2021-27645) * glibc: mq_notify does not handle separately allocated thread attributes (CVE-2021-33574) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, re...

An update for openssh is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es): * openssh: Observable discrepancy leading to an information leak in the algorithm negotiation (CVE-2020-14145) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References sect...

An update for python-psutil is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.psutil is a module providing an interface for retrieving information on all running processes and system utilization (CPU, memory, disks, network, users) in a portable way by using Python. Security Fix(es): * python-psutil: double free because of refcount mishandling (CVE-2019-18874) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2...

An update for pcs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. The following packages have been upgraded to a later upstream version: pcs (0.10.10). (BZ#1935594) Security Fix(es): * jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces (CVE-2020-7656) * jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on ch...

An update for dnsmasq is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. Security Fix(es): * dnsmasq: fixed outgoing port used when --server is used with an interface name (CVE-2021-3448) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: * CVE-2021-3448: dnsmasq: fixed outgoing ...

An update for samba is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token (CVE-2021-20254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs: * CVE-2021-20254: samba: Negative idmap cache entries can cause incorrect group entri...

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols (CVE-2021-22946) * curl: Server responses received before STARTTLS processed after TLS handshake (CVE-2021-22947) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs: * CVE-2021-22946: curl: Requirement to use TLS not properly enforced for IMAP, POP3,...

An update for samba is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token (CVE-2021-20254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refe...

An update for redis is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Redis is an advanced key-value store. Security Fix(es): * Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) * Integer overflow issue with Streams (CVE-2021-32627) * Integer overflow bug in the ziplist data structure (CVE-2021-32628) * Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675) * Integer overflow issue with intsets (CVE-2021-32687) * Integer overflow issue with strings (CVE-2021-41099) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. Related CVEs: * CVE-2021...

An update for redis is now available for Red Hat OpenStack Platform 10 (Newton). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Redis is an advanced key-value store. Security Fix(es): * Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) * Integer overflow issue with Streams (CVE-2021-32627) * Integer overflow bug in the ziplist data structure (CVE-2021-32628) * Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675) * Integer overflow issue with intsets (CVE-2021-32687) * Integer overflow issue with strings (CVE-2021-41099) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. Related CVEs: * CVE-2021...

Red Hat Directory Server 11.4 is now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration. This release provides a number of security fixes, bug fixes and enhancements. For detailed information on changes in this release, see the Red Hat Directory Server 11 Release Notes linked from the References section. Security Fix(es): * 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed (CVE-2021-3652) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related in...