RHSA-2022:8252: Red Hat Security Advisory: yajl security update
An update for yajl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-24795: yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
Issued: 2022-11-15
Updated: 2022-11-15
RHSA-2022:8252 - Security Advisory
Synopsis
Moderate: yajl security update
Type/Severity
Security Advisory: Moderate
Description
Yet Another JSON Library (YAJL) is a small event-driven (SAX-style) JSON parser written in ANSI C, and a small validating JSON generator.
Security Fix(es):
- yajl: heap-based buffer overflow when handling large inputs due to an integer overflow (CVE-2022-24795)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2072912 - CVE-2022-24795 yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Updated Packages
Red Hat Enterprise Linux for x86_64 9
- SRPM: yajl-2.1.0-21.el9.src.rpm
- x86_64: yajl-2.1.0-21.el9.i686.rpm, yajl-2.1.0-21.el9.x86_64.rpm, yajl-debuginfo-2.1.0-21.el9.i686.rpm, yajl-debuginfo-2.1.0-21.el9.x86_64.rpm, yajl-debugsource-2.1.0-21.el9.i686.rpm, yajl-debugsource-2.1.0-21.el9.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 9
- SRPM: yajl-2.1.0-21.el9.src.rpm
- s390x: yajl-2.1.0-21.el9.s390x.rpm, yajl-debuginfo-2.1.0-21.el9.s390x.rpm, yajl-debugsource-2.1.0-21.el9.s390x.rpm
Red Hat Enterprise Linux for Power, little endian 9
- SRPM: yajl-2.1.0-21.el9.src.rpm
- ppc64le: yajl-2.1.0-21.el9.ppc64le.rpm, yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm, yajl-debugsource-2.1.0-21.el9.ppc64le.rpm
Red Hat Enterprise Linux for ARM 64 9
- SRPM: yajl-2.1.0-21.el9.src.rpm
- aarch64: yajl-2.1.0-21.el9.aarch64.rpm, yajl-debuginfo-2.1.0-21.el9.aarch64.rpm, yajl-debugsource-2.1.0-21.el9.aarch64.rpm
Red Hat CodeReady Linux Builder for x86_64 9
- x86_64: yajl-debuginfo-2.1.0-21.el9.i686.rpm, yajl-debuginfo-2.1.0-21.el9.x86_64.rpm, yajl-debugsource-2.1.0-21.el9.i686.rpm, yajl-debugsource-2.1.0-21.el9.x86_64.rpm, yajl-devel-2.1.0-21.el9.i686.rpm, yajl-devel-2.1.0-21.el9.x86_64.rpm
Red Hat CodeReady Linux Builder for Power, little endian 9
- ppc64le: yajl-debuginfo-2.1.0-21.el9.ppc64le.rpm, yajl-debugsource-2.1.0-21.el9.ppc64le.rpm, yajl-devel-2.1.0-21.el9.ppc64le.rpm
Red Hat CodeReady Linux Builder for ARM 64 9
- aarch64: yajl-debuginfo-2.1.0-21.el9.aarch64.rpm, yajl-debugsource-2.1.0-21.el9.aarch64.rpm, yajl-devel-2.1.0-21.el9.aarch64.rpm
Red Hat CodeReady Linux Builder for IBM z Systems 9
- s390x: yajl-debuginfo-2.1.0-21.el9.s390x.rpm, yajl-debugsource-2.1.0-21.el9.s390x.rpm, yajl-devel-2.1.0-21.el9.s390x.rpm
Red Hat security contact details are at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2024-2063-03 - An update for yajl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.
Ubuntu Security Notice 6233-2 - USN-6233-1 fixed vulnerabilities in YAJL. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that YAJL was not properly performing bounds checks when decoding a string with escape sequences. If a user or automated system using YAJL were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6233-1 - It was discovered that YAJL was not properly performing bounds checks when decoding a string with escape sequences. If a user or automated system using YAJL were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service. It was discovered that YAJL was not properly handling memory allocation when dealing with large inputs, which could lead to heap memory corruption. If a user or automated system using YAJL were tricked into running a specially crafted large input, an attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...
Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...
An update for yajl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24795: yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available an...
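The wrap described above, as an added illustration that is not yajl's code or its patch: a simplified model of a doubling buffer-growth computation done in 32-bit arithmetic (as on a 32-bit build where `size_t` is 32 bits), beside a checked version that refuses any growth whose arithmetic would wrap. The `grow_*` names and the sample sizes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (constructed for this example, not yajl's code) of a
 * growable buffer whose bookkeeping is done in 32-bit unsigned integers.
 *   len  = bytes currently allocated
 *   used = bytes currently occupied
 *   want = bytes the caller is about to append
 * Both functions return the size the caller would realloc the buffer to. */

/* Unchecked doubling, in the shape the description above outlines: once
 * need reaches 0x80000000, need <<= 1 wraps to 0; need - used then wraps
 * to a huge value, the loop exits, and the caller would realloc to a tiny
 * chunk while still copying `want` bytes into it. */
uint32_t grow_unchecked(uint32_t len, uint32_t used, uint32_t want)
{
    uint32_t need = len;
    while (want >= need - used)
        need <<= 1;
    return need;
}

/* Checked doubling: returns 0 (never a valid size here) if any step of the
 * arithmetic would wrap, so the caller can fail the parse instead of
 * under-allocating. */
uint32_t grow_checked(uint32_t len, uint32_t used, uint32_t want)
{
    if (len == 0 || used > len)          /* inconsistent buffer state */
        return 0;
    if (want > UINT32_MAX - used)        /* used + want would wrap */
        return 0;
    uint32_t need = len;
    while (want >= need - used) {
        if (need > UINT32_MAX / 2)       /* need << 1 would wrap */
            return 0;
        need <<= 1;
    }
    return need;
}

int main(void)
{
    /* Constructed values just under the ~2 GB boundary the description mentions. */
    uint32_t len = 0x80000000u, used = 0x7FFFFFF0u, want = 0x20u;
    printf("unchecked: realloc to %u bytes\n", grow_unchecked(len, used, want)); /* 0 */
    printf("checked:   %s\n", grow_checked(len, used, want) ? "ok" : "refused");
    return 0;
}
```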