Headline
RHSA-2023:0833: Red Hat Security Advisory: python3 security update
An update for python3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2020-10735: A flaw was found in Python. Converting a string to an integer in a non-binary base, for example int("text"), uses an algorithm whose running time is quadratic in the number of digits: parsing a 100,000-digit string can take about 50 ms and a 1,000,000-digit string about 5 s (float, decimal, int.from_bytes(), and int() with the binary bases 2, 4, 8, 16 and 32 are not affected). The highest threat from this vulnerability is to system availability.
- CVE-2021-28861: A vulnerability was found in Python. The HTTP server in lib/http/server.py did not strip repeated slashes (//) at the beginning of the URI path, so it could be made to issue a redirect whose Location is read by clients as a scheme-relative URL pointing at another host (an open redirect). This issue may lead to information disclosure.
- CVE-2022-45061: A vulnerability was discovered in Python. The IDNA (RFC 3490) decoder uses a quadratic algorithm, so an unreasonably long, crafted name presented to the decoder can lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor, which could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied hostname.
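The three affected code paths, each with a bounded wrapper that an application can apply regardless of interpreter version, plus a probe for the two fixes that can be detected deterministically. This is an added example for this page (it also illustrates the Security Fix(es) list below), not Red Hat's or CPython's code. `parse_untrusted_int`, `HardenedHandler`, `safe_idna_decode`, `_FakeConn` and the other names are this example's own; the 4,300-digit default mirrors the upstream fix; and the probes assume the RHEL backport behaves like upstream (a ValueError above the digit limit, and a leading '//' collapsed to '/' in parse_request()).

```python
import http.server
import io
import sys

# ---- CVE-2020-10735: str -> int in a non-binary base is quadratic in the digit count ----
MAX_UNTRUSTED_INT_DIGITS = 4300      # the default cap the upstream fix introduced (assumption: same in the backport)

def parse_untrusted_int(text, max_digits=MAX_UNTRUSTED_INT_DIGITS):
    """Bound the digit count before int() runs, so an unpatched interpreter never
    enters the quadratic path on attacker-controlled input."""
    digits = text.strip().lstrip("+-").replace("_", "")
    if len(digits) > max_digits:
        raise ValueError("integer string has %d digits, limit is %d" % (len(digits), max_digits))
    return int(text)

def int_digit_limit():
    """The interpreter's own limit: None when the fix is absent, 0 when it is disabled."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter else None

def interpreter_limits_int_digits():
    """Probe: a patched interpreter refuses a 10,000-digit decimal string by itself."""
    try:
        int("1" * 10000)
    except ValueError:
        return True
    return False

# ---- CVE-2021-28861: http.server turned "GET //evil.example/" into an open redirect ----
def collapse_leading_slashes(path):
    """The normalisation the upstream fix applies in parse_request(): a request-target
    beginning with '//' is reduced to a single '/', so a directory redirect built from
    it ('Location: //evil.example/') is no longer a scheme-relative URL to another host."""
    return "/" + path.lstrip("/") if path.startswith("//") else path

class HardenedHandler(http.server.SimpleHTTPRequestHandler):
    """Defence in depth: apply the normalisation even on an unpatched interpreter."""
    def parse_request(self):
        ok = super().parse_request()
        if ok:
            self.path = collapse_leading_slashes(self.path)
        return ok

class _FakeConn:
    """Just enough of a socket for socketserver to drive a handler from bytes."""
    def __init__(self, raw):
        self._in, self.out = io.BytesIO(raw), io.BytesIO()
    def makefile(self, mode, bufsize=-1):
        return self._in if "r" in mode else self.out
    def sendall(self, data):             # socketserver._SocketWriter writes through this
        self.out.write(data)

def parsed_request_path(raw_request, handler_cls=http.server.BaseHTTPRequestHandler):
    """Feed one raw HTTP request through handler_cls and return the self.path it derived."""
    seen = {}
    class Probe(handler_cls):
        def do_GET(self):
            seen["path"] = self.path
            self.send_response(204)
            self.end_headers()
        def log_message(self, *args):
            pass
    Probe(_FakeConn(raw_request), ("127.0.0.1", 0), None)
    return seen.get("path")

def interpreter_collapses_double_slash():
    """Probe: a patched http.server rewrites '//evil.example/' to '/evil.example/'."""
    req = b"GET //evil.example/ HTTP/1.1\r\nHost: victim\r\nConnection: close\r\n\r\n"
    return parsed_request_path(req) == "/evil.example/"

# ---- CVE-2022-45061: IDNA (RFC 3490) decoding is quadratic in the label length ----
MAX_HOSTNAME, MAX_LABEL = 253, 63        # DNS limits (RFC 1035), in bytes

def safe_idna_decode(hostname):
    """Enforce the DNS length limits before the idna codec sees attacker-controlled
    bytes: no legitimate name exceeds them, so rejecting early loses nothing and keeps
    an unpatched decoder out of its quadratic path."""
    if len(hostname) > MAX_HOSTNAME:
        raise ValueError("hostname longer than %d bytes" % MAX_HOSTNAME)
    labels = hostname.rstrip(b".").split(b".")
    if any(not label or len(label) > MAX_LABEL for label in labels):
        raise ValueError("empty label or label longer than %d bytes" % MAX_LABEL)
    return hostname.decode("idna")

def report():
    """Which of the detectable fixes this interpreter already carries."""
    return {
        "python": sys.version.split()[0],
        "int_digit_limit": interpreter_limits_int_digits(),
        "http_server_collapses_//": interpreter_collapses_double_slash(),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print("%-26s %s" % (key, value))
```

Run it with the platform-python that ships in the affected packages (`/usr/libexec/platform-python`) before and after applying the update; the two probe values should flip to True. The IDNA fix has no observable marker short of timing, so it gets only the pre-check wrapper. Note that the wrappers are not a substitute for the update: they only protect code paths you route through them.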
Issued:
2023-02-21
Updated:
2023-02-21
RHSA-2023:0833 - Security Advisory
Synopsis
Moderate: python3 security update
Type/Severity
Security Advisory: Moderate
Description
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
- python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS (CVE-2020-10735)
- python: open redirection vulnerability in lib/http/server.py may lead to information disclosure (CVE-2021-28861)
- Python: CPU denial of service via inefficient IDNA decoder (CVE-2022-45061)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 1834423 - CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
- BZ - 2120642 - CVE-2021-28861 python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
- BZ - 2144072 - CVE-2022-45061 Python: CPU denial of service via inefficient IDNA decoder
Red Hat Enterprise Linux for x86_64 8
SRPM
python3-3.6.8-48.el8_7.1.src.rpm
SHA-256: 76312e85356fb1091503750e8cc4c1a3ffd80f5ae6426659f22f5780e8a3ed6f
x86_64
platform-python-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 25de034dd5dd4adffd0363d9c3038181391fad28625ec9ae11459df1f8e05edb
platform-python-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 23c80a9f871e04af2469353566585e3fc558b37f0606c5106844763f0289e506
platform-python-debug-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 450a0be472a82e62abc477c3a5e31f0157b4a0ec71a216059e9e314e4cd985aa
platform-python-debug-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: ae5650ee64e5a47e0ad68d8a547d92d04fd7378ddda9fcae077e149ae618f966
platform-python-devel-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 6d2635cda828b28f3f1a4de2a86817cc43bb02dff1432616b90f314080b1b6de
platform-python-devel-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 5d42fc6c27770a167626d7828b37b898ddcc9ec9cd1ef60539d15b7a720f855c
python3-debuginfo-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 7dfaab609407e068e3d59d08c9caf61c75cf5f89f0cdceafc5cfc55e60b56352
python3-debuginfo-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: e96c15b123b723a1a2a8642e8c4accb3a7e5eb70cf26c0be180c5b84de8eb022
python3-debugsource-3.6.8-48.el8_7.1.i686.rpm
SHA-256: defc3a1026cee3f5cc84c25890b5e74d01f24990fcc0e9362393166966d3435d
python3-debugsource-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 9e9668233593a258b1177ca1b4cde69520a1367024766dc64815004fdb54c497
python3-idle-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 02dae75ad2bbca11e35d687e2304e1fe0e7663a4d068386457370be79540ff02
python3-idle-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 492224968688146e03da61bdbf0c45aa0e7819f0e6f681e9f26b2fc45bcbb9fa
python3-libs-3.6.8-48.el8_7.1.i686.rpm
SHA-256: e755cd7bfcbf5b56839254474806b785afda2269f8727d3fc43f313debf93457
python3-libs-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: f8fb7a9737ab931c1d84c28d0ee0b021619959a023ca2b768c97a88bec631a5d
python3-test-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 2c3e50d0e20222c6785ca11b422eb20db3320228787a87c81bab13eade4bd290
python3-test-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: e7949f8373c51a86b6349e1521533bdbc74a5901461dabed1c9d1bea52bdbe20
python3-tkinter-3.6.8-48.el8_7.1.i686.rpm
SHA-256: 78eff45a307e69282df03f293239cfdafd35010a8ed57c622251ecb94e1303a8
python3-tkinter-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 7024511d15815af5b8e98c4018c90e5c6c3d63fcce2e99664c7db82e149680fd
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
python3-3.6.8-48.el8_7.1.src.rpm
SHA-256: 76312e85356fb1091503750e8cc4c1a3ffd80f5ae6426659f22f5780e8a3ed6f
s390x
platform-python-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: 15b5a6480f35476c8f227caf771e9894a7ea982d7383c6a89a7d4187349b47e0
platform-python-debug-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: eb78a9885878fcc1300d4c087a6ebb9fffffc68c1cf9acf67b3b15bdde3f1fb2
platform-python-devel-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: c8394da62efd9f7e9e0a41c23818cf03b6dcbe3ae01cad949c4a6afd6ae5f00a
python3-debuginfo-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: ae2b5044b94bf31204c9051615724e9f30554597f26ee37038771ddfc9f77796
python3-debugsource-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: 7769582a5c80f87646f66b902da5f6e46b93f275bd600dc122bcbc70454bdf89
python3-idle-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: e6eeac4ccaf76798d2f75d4c2a5234854484f813806a9a7f74f15480a638a105
python3-libs-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: 6713894d9ee4c57131915c001a2558c5cdad8de5b8c5743c7f970cba67f1840a
python3-test-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: a696e61270b389eb744183f4a4fe7e9433996c64da0ed3d3c043a08951138909
python3-tkinter-3.6.8-48.el8_7.1.s390x.rpm
SHA-256: 3924231e3224612401fb4f41431f4864965a38230a9185f2fc2a7d43b52606ed
Red Hat Enterprise Linux for Power, little endian 8
SRPM
python3-3.6.8-48.el8_7.1.src.rpm
SHA-256: 76312e85356fb1091503750e8cc4c1a3ffd80f5ae6426659f22f5780e8a3ed6f
ppc64le
platform-python-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 11e97cb9cc0cc5fc4b8f64c37f393ac67c9875c4a646db224a3de01c966a42fa
platform-python-debug-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 4821ac52a79eda6096480224c26ef437cc97dfd55400961210f70c944cf675e2
platform-python-devel-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 37f10e2d2e5b2d969a8a3b98aaba362d77e7e15d13f36689794a777960cd8c95
python3-debuginfo-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 0c87fa83795796519fac32829bd5aa50277cdde2a688a70173d624faa7b4f5ca
python3-debugsource-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 6fff2816dfa7d338997fe7340bae0affe6e591fec982259657dc1b576ff1887a
python3-idle-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 2e0233034f2c0fe1a2c4e9b0da70b90cd0482175240b220c36da5eef047b786f
python3-libs-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: b3eba33b3a0985668a282284b2544adeb926f97f01830885c3330716ca0159af
python3-test-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 6dfaacdeeee145064949adb1cef6a57bdb161556a5b1d9c428a5ebf12d547450
python3-tkinter-3.6.8-48.el8_7.1.ppc64le.rpm
SHA-256: 295fba29ea82e004953048467fbf0848ea8a4ff8cd2aad3bb8a1bc1d12502594
Red Hat Enterprise Linux for ARM 64 8
SRPM
python3-3.6.8-48.el8_7.1.src.rpm
SHA-256: 76312e85356fb1091503750e8cc4c1a3ffd80f5ae6426659f22f5780e8a3ed6f
aarch64
platform-python-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: fd9d655a53b5a1dc0f00afb9af27e678bd7de3e791effa569a2e07dc2b8db4c5
platform-python-debug-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 7e028058b8aca039816424a3d2a1da680b41d84b0bb510bfc056c6e1846fa6b9
platform-python-devel-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 1e7c691beeb9d218683f35ca41b0d7edc35bf0e5fac1042866e7774f77423f92
python3-debuginfo-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 776fc8cce7f9dff440a64b6ffeeace0dcb346aaf4b440d36e22b067e68855b40
python3-debugsource-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 0515d4d6dde114e029776563f2fae1a73cf7e131734066a0790d420a7b01f253
python3-idle-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 43ec7ec1c08a65ab614f2cbd0adc3bbb0ae82aa120add893427400468abd65c8
python3-libs-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 49af3f9f3955e8040a49454e20e8207f13cd09c6bf5a9537a7fc0c4ecdebedb4
python3-test-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 82dd40337c3b98d7540064ebcbed61bbc8221ac5556d31f58e26a8177800d3c4
python3-tkinter-3.6.8-48.el8_7.1.aarch64.rpm
SHA-256: 7f1a34a53a7cd0d3a0723a89446e80acf17222baf3560b9f1a7640a5e692f46b
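To confirm that a host actually carries this build: parse the package/digest pairs in the form printed above, check a downloaded RPM against its SHA-256, and compare the installed NVRA with the advisory's using RPM's own version-ordering rules, so that a later errata build (higher release) is also recognised as fixed. This is an added example, not Red Hat tooling. The two sample rows are copied from the x86_64 table; `rpmvercmp` is a reimplementation of librpm's comparison (epochs are assumed equal, which holds for these packages); `parse_package_table`, `split_nvra`, `is_fixed` and `installed_nvras` are this example's names; the `rpm -q` query runs only when an `rpm` binary is present.

```python
import hashlib
import re
import shutil
import subprocess

# Two rows copied verbatim from the x86_64 table above, embedded as sample input.
ADVISORY_TABLE = """\
platform-python-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: 23c80a9f871e04af2469353566585e3fc558b37f0606c5106844763f0289e506
python3-libs-3.6.8-48.el8_7.1.x86_64.rpm
SHA-256: f8fb7a9737ab931c1d84c28d0ee0b021619959a023ca2b768c97a88bec631a5d
"""

def parse_package_table(text):
    """Turn the advisory's '<file>.rpm' / 'SHA-256: <hex>' line pairs into {file: hex}."""
    table, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(".rpm"):
            current = line
        elif line.startswith("SHA-256:") and current:
            table[current] = line.split(":", 1)[1].strip().lower()
            current = None
    return table

def sha256_matches(data_or_path, expected_hex):
    """Compare a downloaded RPM (given by path) or in-memory bytes with the advisory digest."""
    h = hashlib.sha256()
    if isinstance(data_or_path, bytes):
        h.update(data_or_path)
    else:
        with open(data_or_path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest() == expected_hex.lower()

def split_nvra(filename):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch)."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = stem.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

_SEGMENT = {True: re.compile(r"\d+"), False: re.compile(r"[^\W\d_]+")}   # digit run / letter run

def rpmvercmp(a, b):
    """Segment-wise comparison with the same rules as librpm's rpmvercmp(): -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1                                   # separators carry no meaning
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        ca, cb = a[i:i + 1] == "^", b[j:j + 1] == "^"
        if ta or tb or ca or cb:
            if (ta and tb) or (ca and cb):           # same marker on both sides: skip it
                i, j = i + 1, j + 1
                continue
            if ta or tb:                             # '~' sorts before anything, even the end
                return -1 if ta else 1
            if ca:                                   # '^' sorts after the end, before the rest
                return 1 if j >= len(b) else -1
            return -1 if i >= len(a) else 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        ma, mb = _SEGMENT[isnum].match(a, i), _SEGMENT[isnum].match(b, j)
        if mb is None:                               # a numeric segment beats an alphabetic one
            return 1 if isnum else -1
        sa, sb, i, j = ma.group(), mb.group(), ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                  # whoever has characters left wins

def is_fixed(installed_nvra, advisory_rpm):
    """True when the installed build is the advisory build or newer (epochs assumed equal)."""
    n1, v1, r1, _ = split_nvra(installed_nvra)
    n2, v2, r2, _ = split_nvra(advisory_rpm)
    if n1 != n2:
        raise ValueError("comparing different packages: %s vs %s" % (n1, n2))
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

def installed_nvras(name):
    """Installed NVRA strings for a package via rpm; [] when rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return []
    p = subprocess.run(["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n", name],
                       stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    return p.stdout.split() if p.returncode == 0 else []

if __name__ == "__main__":
    for rpm_file in parse_package_table(ADVISORY_TABLE):
        for nvra in installed_nvras(split_nvra(rpm_file)[0]):
            print(nvra, "OK" if is_fixed(nvra, rpm_file) else "VULNERABLE, needs " + rpm_file)
```

Paste the full table for your architecture into ADVISORY_TABLE to cover every sub-package (platform-python-devel, python3-idle, python3-tkinter, and so on). The digest check matters when packages are mirrored or staged outside the subscription channel: `dnf` verifies the GPG signature, but a file fetched by hand should be matched against the advisory's SHA-256 before it is installed.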
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6891-1 - It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 18.04 LTS. It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
An update for the python38:3.8 and python38-devel:3.8 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-10735: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not a...
Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.
Multicluster Engine for Kubernetes 2.1.6 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-2023-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While ...
Red Hat Security Advisory 2023-1448-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat Security Advisory 2023-1453-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.
An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...
An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...
Red Hat OpenShift Service Mesh Containers for 2.3.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server t...
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
Red Hat Security Advisory 2023-0931-01 - Update information for Logging Subsystem 5.4.12 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-0932-01 - Update information for Logging Subsystem 5.6.3 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1170-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Logging Subsystem 5.4.12 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to alloc...
Logging Subsystem 5.5.8 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...
Red Hat OpenShift Data Foundation 4.12.1 Bug Fix Update Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.
Logging Subsystem 5.6.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...
Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover.
Ubuntu Security Notice 5888-1 - It was discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. Hamza Avvan discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to execute arbitrary code.
An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45061: A vulnerability was discovered in Python. A quadratic algorithm exists when processing inputs to the IDNA (RFC 3490) decoder, such that a crafted unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor, which could t...
Red Hat Security Advisory 2023-0833-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include denial of service, information leakage, and open redirection vulnerabilities.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and attack other SAs with high privilege.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Ubuntu Security Notice 5767-2 - USN-5767-1 fixed a vulnerability in Python. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information, cause a denial of service, or cause a crash.
Ubuntu Security Notice 5767-1 - Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information, cause a denial of service, or cause a crash.
An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-20107: python: mailcap: findmatch() function does not sanitize the second argument * CVE-2021-28861: python: open redirection vulnerability in lib/http/server.py may lead to information disclosure
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
Red Hat Security Advisory 2022-7323-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a denial of service vulnerability.
An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-10735: python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS
OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have an out-of-bound memory read and write vulnerability in the /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. An unprivileged process running on the device could read out-of-bound memory, leading to sensitive information disclosure. Processes running on the device with the system user UID would be able to write out-of-bound memory, which could lead to unspecified memory corruption.
Red Hat Security Advisory 2022-6766-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include denial of service, information leakage, and open redirection vulnerabilities.
An update for rh-python38-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-20107: python(mailcap): findmatch() function does not sanitise the second argument * CVE-2020-10735: python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS * CVE-2021-28861: python: an open redirection vulnerability in lib/http/server.py may lead to information disclosure
Ubuntu Security Notice 5629-1 - It was discovered that the Python http.server module incorrectly handled certain URIs. An attacker could potentially use this to redirect web traffic.
A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of the URI path, which may lead to information disclosure.