Headline
RHSA-2022:7464: Red Hat Security Advisory: protobuf security update
An update for protobuf is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Synopsis
Moderate: protobuf security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for protobuf is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The protobuf packages provide Protocol Buffers, Google’s data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
Security Fix(es):
- protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference (CVE-2021-22570)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for x86_64 8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
Fixes
- BZ - 2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
protobuf-3.5.0-15.el8.src.rpm
SHA-256: 79e67ed4a6e4df49ec1a0df4c678f87d21a7270897854fe25573dc40b95992d0
x86_64
protobuf-3.5.0-15.el8.i686.rpm
SHA-256: 942a6d97981b3bb6c949dbeba6d3eea0700273069f36f2f9ad333a0ff627608b
protobuf-3.5.0-15.el8.x86_64.rpm
SHA-256: a86f1309b026b7c6d2b3acc31f4829b838c46f11a981b20ee393f2a31d9d24a0
protobuf-compiler-3.5.0-15.el8.i686.rpm
SHA-256: ae9165abc1ce59256c38f8e993a33806ca292ad4f9a02033b5c910aad661b9c7
protobuf-compiler-3.5.0-15.el8.x86_64.rpm
SHA-256: 468f8368c01d014468a563775fd7d80c0c6661ff75bd4dc570fac58e452bfa88
protobuf-compiler-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 1091fa85c851541fb4beb3ef470b5a1032518bda1350b2110a461d79fdc814e3
protobuf-compiler-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 79ba85bc4a984bcff70788eb5eda1fcb738e4a6dfda61b6bf2c26b52bd7cb121
protobuf-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 4ce48e6c020f89979a6f7fef3db04de7ff890a96edac4081025a6223ef1dd5fa
protobuf-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 8039fa16623234201c1f14b2ae21e5664ea6a9946b2814d4c21fe5ac862da795
protobuf-debugsource-3.5.0-15.el8.i686.rpm
SHA-256: c814d8039a84d18257066da0b0235694a63ae1d6849b899967d207a004e0b12b
protobuf-debugsource-3.5.0-15.el8.x86_64.rpm
SHA-256: 042a3911c323c339d7f6b343f448684731ce8f980948e3865e3411f528f70a18
protobuf-lite-3.5.0-15.el8.i686.rpm
SHA-256: 1a89adcefd8f42fb3f1e317d0f5715efe01cee5f2b36f2f3aea251c82606ee40
protobuf-lite-3.5.0-15.el8.x86_64.rpm
SHA-256: 1d0fddece1334bcaa22ff1dc000a54d43541eb4a1fd81f9a41f6cbfe58fe26db
protobuf-lite-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 971b1fd6168a411465f2d791fe113e4a8d94935f17378b375e9c7d0ab10bc64b
protobuf-lite-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 1d51b6f76103a17aae612ec2102c1836740e289bc1b8d0c2406258fc4a4105e6
python3-protobuf-3.5.0-15.el8.noarch.rpm
SHA-256: 1ed0d6c262fc0711f8d5f13d6234090b08a9753128a49aa73046c2d69d9ef404
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
protobuf-3.5.0-15.el8.src.rpm
SHA-256: 79e67ed4a6e4df49ec1a0df4c678f87d21a7270897854fe25573dc40b95992d0
s390x
protobuf-3.5.0-15.el8.s390x.rpm
SHA-256: 94e0fa77af629505010955b6fd1d913fd3752b894d590dd2a3168753e4f23414
protobuf-compiler-3.5.0-15.el8.s390x.rpm
SHA-256: d901a98799c6c82cb0ce575a2fce2a6bde0d42228bf626a12b1b24b7448d4ede
protobuf-compiler-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: 9c2cbd6b3800721917a66b778099220e9892036a06770bf919cb3962f26dbbf4
protobuf-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: 040984ba8921eb4d6d11d7ffd897d211b00dcb53b1c67b4e91b510a5946776af
protobuf-debugsource-3.5.0-15.el8.s390x.rpm
SHA-256: 840e215738ba46d40f5215562920e6bd8975cbf5011f43ba78febe33cb286a6e
protobuf-lite-3.5.0-15.el8.s390x.rpm
SHA-256: bcf2e4aeee243aab8031dcd67beca3a1ac0d795ea0f060a4d3c673c3097c03c6
protobuf-lite-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: d655f19a3704033e3e601d927c310cd312c2e406ff90952f172a527480c91c34
python3-protobuf-3.5.0-15.el8.noarch.rpm
SHA-256: 1ed0d6c262fc0711f8d5f13d6234090b08a9753128a49aa73046c2d69d9ef404
Red Hat Enterprise Linux for Power, little endian 8
SRPM
protobuf-3.5.0-15.el8.src.rpm
SHA-256: 79e67ed4a6e4df49ec1a0df4c678f87d21a7270897854fe25573dc40b95992d0
ppc64le
protobuf-3.5.0-15.el8.ppc64le.rpm
SHA-256: 6de525a9f409364b89e9ad3450ee681241d21a2aa83faab2b53b2263cbd82709
protobuf-compiler-3.5.0-15.el8.ppc64le.rpm
SHA-256: 9acb57b21d9376d1abb7b0a626f897b8631eaca912d393aa70388f3304676a5c
protobuf-compiler-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: a3ba16c5e24ffbb3c8e36f04ed33bdfc527f5a3aa925b2f1c32e5a50605b164f
protobuf-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: 2a5b836a198fa1812728dff295352d199655d6a69b0d43c799aebcb7714781f8
protobuf-debugsource-3.5.0-15.el8.ppc64le.rpm
SHA-256: a48fa67fb389efd7c664850d7709b37696ebc26d98780b1c4d5aa101b146b0ca
protobuf-lite-3.5.0-15.el8.ppc64le.rpm
SHA-256: 45460e23b6298b3a8d5ec0ef6b9da7cc79afcc659e191038193e056f7535727f
protobuf-lite-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: 4ddedacefc52fd47a14db6660ac30c20870053e9657476dd9adc0de160611521
python3-protobuf-3.5.0-15.el8.noarch.rpm
SHA-256: 1ed0d6c262fc0711f8d5f13d6234090b08a9753128a49aa73046c2d69d9ef404
Red Hat Enterprise Linux for ARM 64 8
SRPM
protobuf-3.5.0-15.el8.src.rpm
SHA-256: 79e67ed4a6e4df49ec1a0df4c678f87d21a7270897854fe25573dc40b95992d0
aarch64
protobuf-3.5.0-15.el8.aarch64.rpm
SHA-256: da104c59254b60f093034924e21a7aabdeb1515d4b39e29aae60937257f71398
protobuf-compiler-3.5.0-15.el8.aarch64.rpm
SHA-256: 7d23ac84f7e7d3a13978d9e476b2fa87dba2abedf89a0c8241978ab213fdee20
protobuf-compiler-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 6d3f5d42a266356de5eea5d1a23bb40a8b853e124f743864ee6c2d8171ca186d
protobuf-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 007acf1d54ce9b57be8b042175946d07d233f95a6efcab4ba12ecec576a841d0
protobuf-debugsource-3.5.0-15.el8.aarch64.rpm
SHA-256: 643525d00b7b89a7ef059e5367697cf1cc8e26df24f40e47d618c5f73f3b227a
protobuf-lite-3.5.0-15.el8.aarch64.rpm
SHA-256: c4f14f0a23b56dc01f4913bbbcbd035b2177f8f5b68811b8bd2fc473d689d9dd
protobuf-lite-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 9de2be5b3720deeec042f24c6066181000986bc866aa69d2293aec12758acd7a
python3-protobuf-3.5.0-15.el8.noarch.rpm
SHA-256: 1ed0d6c262fc0711f8d5f13d6234090b08a9753128a49aa73046c2d69d9ef404
Red Hat CodeReady Linux Builder for x86_64 8
SRPM
x86_64
protobuf-compiler-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 1091fa85c851541fb4beb3ef470b5a1032518bda1350b2110a461d79fdc814e3
protobuf-compiler-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 79ba85bc4a984bcff70788eb5eda1fcb738e4a6dfda61b6bf2c26b52bd7cb121
protobuf-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 4ce48e6c020f89979a6f7fef3db04de7ff890a96edac4081025a6223ef1dd5fa
protobuf-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 8039fa16623234201c1f14b2ae21e5664ea6a9946b2814d4c21fe5ac862da795
protobuf-debugsource-3.5.0-15.el8.i686.rpm
SHA-256: c814d8039a84d18257066da0b0235694a63ae1d6849b899967d207a004e0b12b
protobuf-debugsource-3.5.0-15.el8.x86_64.rpm
SHA-256: 042a3911c323c339d7f6b343f448684731ce8f980948e3865e3411f528f70a18
protobuf-devel-3.5.0-15.el8.i686.rpm
SHA-256: 21755eebceeb8250823898b1fe22a2b8acadd5033189b46612721b0737df8d7e
protobuf-devel-3.5.0-15.el8.x86_64.rpm
SHA-256: d85ddaa317ea62882e77bf7d471598ddd1b5e112838c6cd39e8fcaaecf26d122
protobuf-lite-debuginfo-3.5.0-15.el8.i686.rpm
SHA-256: 971b1fd6168a411465f2d791fe113e4a8d94935f17378b375e9c7d0ab10bc64b
protobuf-lite-debuginfo-3.5.0-15.el8.x86_64.rpm
SHA-256: 1d51b6f76103a17aae612ec2102c1836740e289bc1b8d0c2406258fc4a4105e6
protobuf-lite-devel-3.5.0-15.el8.i686.rpm
SHA-256: 85f388d247cf69c0ccbf95e01a4dda549c5f62458032904c63114705c9ecbbd1
protobuf-lite-devel-3.5.0-15.el8.x86_64.rpm
SHA-256: 6a3791cb27df2c835574c82c7fb635d0a5bb8021e04d211a6255626fc67469c6
Red Hat CodeReady Linux Builder for Power, little endian 8
SRPM
ppc64le
protobuf-compiler-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: a3ba16c5e24ffbb3c8e36f04ed33bdfc527f5a3aa925b2f1c32e5a50605b164f
protobuf-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: 2a5b836a198fa1812728dff295352d199655d6a69b0d43c799aebcb7714781f8
protobuf-debugsource-3.5.0-15.el8.ppc64le.rpm
SHA-256: a48fa67fb389efd7c664850d7709b37696ebc26d98780b1c4d5aa101b146b0ca
protobuf-devel-3.5.0-15.el8.ppc64le.rpm
SHA-256: 2ab0a424498b7ad3e4f8156da954bbab118b2679c9ab31b59d6e48df300434de
protobuf-lite-debuginfo-3.5.0-15.el8.ppc64le.rpm
SHA-256: 4ddedacefc52fd47a14db6660ac30c20870053e9657476dd9adc0de160611521
protobuf-lite-devel-3.5.0-15.el8.ppc64le.rpm
SHA-256: 02757dbce97058de68e8fdf22c29549099867079053a6769f194f76ddf99836d
Red Hat CodeReady Linux Builder for ARM 64 8
SRPM
aarch64
protobuf-compiler-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 6d3f5d42a266356de5eea5d1a23bb40a8b853e124f743864ee6c2d8171ca186d
protobuf-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 007acf1d54ce9b57be8b042175946d07d233f95a6efcab4ba12ecec576a841d0
protobuf-debugsource-3.5.0-15.el8.aarch64.rpm
SHA-256: 643525d00b7b89a7ef059e5367697cf1cc8e26df24f40e47d618c5f73f3b227a
protobuf-devel-3.5.0-15.el8.aarch64.rpm
SHA-256: 35328cebce0f4e95eae7ef09d405ebe6de151ab384963ce903ce67d72475ed64
protobuf-lite-debuginfo-3.5.0-15.el8.aarch64.rpm
SHA-256: 9de2be5b3720deeec042f24c6066181000986bc866aa69d2293aec12758acd7a
protobuf-lite-devel-3.5.0-15.el8.aarch64.rpm
SHA-256: a1a918534023e10e76f0c58b7bc2a3dac1bc528c893f25abc34f8ff14b8a3093
Red Hat CodeReady Linux Builder for IBM z Systems 8
SRPM
s390x
protobuf-compiler-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: 9c2cbd6b3800721917a66b778099220e9892036a06770bf919cb3962f26dbbf4
protobuf-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: 040984ba8921eb4d6d11d7ffd897d211b00dcb53b1c67b4e91b510a5946776af
protobuf-debugsource-3.5.0-15.el8.s390x.rpm
SHA-256: 840e215738ba46d40f5215562920e6bd8975cbf5011f43ba78febe33cb286a6e
protobuf-devel-3.5.0-15.el8.s390x.rpm
SHA-256: 5b9627df15f7546db15575dbcfc6bbdd44777544e26a62f4a0981c037039113c
protobuf-lite-debuginfo-3.5.0-15.el8.s390x.rpm
SHA-256: d655f19a3704033e3e601d927c310cd312c2e406ff90952f172a527480c91c34
protobuf-lite-devel-3.5.0-15.el8.s390x.rpm
SHA-256: b29043cda776ea196392edd416367739ec7bb53d58bbc023ed15c7346afa6364
Related news
Red Hat Security Advisory 2024-3433-03 - An update for protobuf is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Ubuntu Security Notice 5945-1 - It was discovered that Protocol Buffers did not properly validate field com.google.protobuf.UnknownFieldSet in protobuf-java. An attacker could possibly use this issue to perform a denial of service attack. This issue only affected protobuf Ubuntu 22.04 LTS and Ubuntu 22.10. It was discovered that Protocol Buffers did not properly parse certain symbols. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
Red Hat Security Advisory 2022-8893-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.20.
Red Hat OpenShift Container Platform release 4.11.20 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server
Red Hat Security Advisory 2022-8847-01 - An update for protobuf is now available for Red Hat OpenStack Platform 16.2.4 (Train).
An update for protobuf is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
An update for protobuf is now available for Red Hat OpenStack Platform 16.2.4 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Red Hat Security Advisory 2022-7970-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
An update for protobuf is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Red Hat Security Advisory 2022-7464-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.