RHSA-2023:1701: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.

Issued: 2023-04-11

Updated: 2023-04-11

RHSA-2023:1701 - Security Advisory

Synopsis

Moderate: curl security update

Type/Severity

Security Advisory: Moderate

Description

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: HTTP multi-header compression denial of service (CVE-2023-23916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2167815 - CVE-2023-23916 curl: HTTP multi-header compression denial of service
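The advisory's own remediation path is `dnf update --advisory RHSA-2023:1701` (or `dnf updateinfo list --cve CVE-2023-23916` to see whether the fix is pending on a host). The following is an added example, not Red Hat tooling, for the case where you only have package inventories exported from hosts and want to decide offline which of them still run builds older than the ones listed in this advisory. It implements rpm's version-ordering rules in Python and compares each installed curl subpackage against the fixed build (7.76.1-19.el9_1.2). The inventory lines are constructed for the demo; the input format assumed is what `rpm -qa --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n'` prints, and epoch 0 is an assumption, since the advisory does not print epochs.

```python
import re

# Builds shipped by RHSA-2023:1701 for RHEL 9: every curl subpackage in the
# advisory's table is version 7.76.1, release 19.el9_1.2. Epoch 0 is assumed
# here (the advisory does not print epochs; curl in RHEL 9 carries none).
FIXED_EVR = (0, "7.76.1", "19.el9_1.2")
ADVISORY_PACKAGES = {
    "curl", "curl-debuginfo", "curl-debugsource", "curl-minimal",
    "curl-minimal-debuginfo", "libcurl", "libcurl-debuginfo",
    "libcurl-devel", "libcurl-minimal", "libcurl-minimal-debuginfo",
}


def _segments(s):
    """Split a version or release string into its numeric and alphabetic runs;
    separators such as '.', '_' and '-' only delimit, they never compare."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm's rpmvercmp does:
    numeric segments compare as integers (so 19 > 9), a numeric segment beats an
    alphabetic one, and when one string runs out of segments the longer one is
    newer (19.el9_1.2 > 19.el9). Tilde and caret handling is left out here."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch dominates, then version, then release."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_rpm_line(line):
    r"""Parse one line in the shape produced by
    rpm -qa --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n' 'curl*' 'libcurl*'
    """
    name, epoch, version, release, arch = line.split()
    return name, (int(epoch), version, release), arch


def audit(rpm_lines, fixed_evr=FIXED_EVR, packages=ADVISORY_PACKAGES):
    """Return the installed NEVRAs from the advisory's package set that are older
    than the fixed build. Packages outside the set are ignored."""
    stale = []
    for line in rpm_lines:
        if not line.strip():
            continue
        name, evr, arch = parse_rpm_line(line)
        if name in packages and evr_cmp(evr, fixed_evr) < 0:
            stale.append(f"{name}-{evr[1]}-{evr[2]}.{arch}")
    return stale


# Constructed inventory for the demo, not output captured from a real host.
SAMPLE_INVENTORY = """\
curl 0 7.76.1 19.el9_1.1 x86_64
libcurl 0 7.76.1 19.el9_1.1 x86_64
libcurl 0 7.76.1 19.el9_1.2 i686
libcurl-minimal 0 7.76.1 19.el9_1.2 x86_64
curl-debuginfo 0 7.76.1 19.el9 x86_64
""".splitlines()

if __name__ == "__main__":
    for nevra in audit(SAMPLE_INVENTORY):
        print("needs RHSA-2023:1701:", nevra)
```

The comparison target must be the advisory's own NEVRA, not the upstream version that fixed the bug: RHEL backports the patch, so 7.76.1-19.el9_1.2 sorts below upstream 7.88.0 yet is fixed, and any scanner that compares against the upstream number will flag patched hosts. On the host itself, `rpm -q --changelog curl | grep CVE-2023-23916` confirms the backport, and `sha256sum` against the SHA-256 column below confirms a downloaded RPM before it is installed.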

Red Hat Enterprise Linux for x86_64 9

SRPM

curl-7.76.1-19.el9_1.2.src.rpm

SHA-256: ad52652b5f16a0f9ed719fe9f87000762639764fa00d9158f865b30c40404838

x86_64

curl-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 214f3cd97336be7ce64a2c6e1cc6cd49ba86a672e5a83ff3671d693a4d6a3d85

curl-debuginfo-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 503925a4ed105a9e1b8b7f685722feefc80e5ba5b4ca35cd59408893d8a7f16e

curl-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 50a6e63c61c215b111c6168e0feac7e0e573736cb1a485d3e92fe0b693602423

curl-debugsource-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 1462b5c94d98f049e8fe8d6ff0719181fa37f0b0665d43f7ca58e88388a0cfc6

curl-debugsource-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: e636b7060d41ab81edff8804066f62218141c39606faf5ebf66975b8c2d185f5

curl-minimal-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 6e7991691adb27bf0c3c5d09888334f5f1b9354fb088babe75aa98d834e5d141

curl-minimal-debuginfo-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 83774f91e7a0f19fab606a245db61638872256364ae7824242b73aa6898f0e47

curl-minimal-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: f48efbbab580d3cb9cc7419f95357eb6f2a457bfeb50a394559b9aecc8f8bbb1

libcurl-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 78b25527df16a40dd19f03423e51ced6f786624bbb2674d0fa0621169c7871d7

libcurl-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 37395a5416ae47a23ade3b4cc889d8e843934b198d7233ed0aa44afa809782b1

libcurl-debuginfo-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 0b86fcac5cc161f5554d601814b766a3713c5aa9bd1fd47dae1de66d96e5a4b9

libcurl-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 5ab32af0d35141c9bc9fceb82f622d403932e55a6c4bbc09b6d7c95ad0f1335a

libcurl-devel-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 89fa8e3d5fed29e79672e9522c541341e4dc67427c4fb2aa26ef58d5cc53eeec

libcurl-devel-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 51a0b0a67f1d2df2e8ed60b82b36d5955eb29862e155a3620d251c9d6f1e2775

libcurl-minimal-7.76.1-19.el9_1.2.i686.rpm

SHA-256: a5b940bb2a15a9980f997185d851d2d9ff20544f073adede7855a1e08302e346

libcurl-minimal-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: 98f26b0c2661019951bd8571397fd9bde2c3eaba59988c6a0007ddb9fac29f2b

libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.i686.rpm

SHA-256: 07facba8ec634cf06431973b3723cc5df9a526723d84d2bb75551b5d5852b31d

libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm

SHA-256: ba12bc9431394215db2af3a0c46d4694a253040205cd800507871ea150d198f4

Red Hat Enterprise Linux for IBM z Systems 9

SRPM

curl-7.76.1-19.el9_1.2.src.rpm

SHA-256: ad52652b5f16a0f9ed719fe9f87000762639764fa00d9158f865b30c40404838

s390x

curl-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 793156b12f3e03b3e588a5efca9e6206a4d11cdd8b7d6e49a269cb520ce1cbb7

curl-debuginfo-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: e886a05a2adb122011cf86eacdbf5a50461497865cc617b811c03bd8a0f75ce7

curl-debugsource-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 98afaabeb48ce1c320be5f72f4c737de819dafac8873784aa7da8f7a589fc58a

curl-minimal-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 4f344e17524523a2d21ffc3d551fbe0fd8c9a106eaaafdf5cf59bed6f531efb9

curl-minimal-debuginfo-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 4888a8dbda72c3bc929ef73544fbb11675d71d02e671fc6b681ae320c06fa48d

libcurl-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 4fa045d4f7568f363efde1818f70ee8a7e3d2940e4d549f5adb0e64dd3d28761

libcurl-debuginfo-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 9aa85e31ae29598e4011331c377f1cfc680a34ce43f23fcdff4b3a95b39d4ee9

libcurl-devel-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 23ca77937ea61ff9c7463f5a276c263dd8e96349b3bc42d84009a2aa5795c983

libcurl-minimal-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: fccebad79c92abd49c05f8ce90218394524e03c2358681e486c55d1e614f177b

libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.s390x.rpm

SHA-256: 04a23d66a4e2927fa3afef57eabea937d4f772f5778fb0dcb4fb7524364be0eb

Red Hat Enterprise Linux for Power, little endian 9

SRPM

curl-7.76.1-19.el9_1.2.src.rpm

SHA-256: ad52652b5f16a0f9ed719fe9f87000762639764fa00d9158f865b30c40404838

ppc64le

curl-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 5583034ab0f5c79a25167c087627c73712f049a260735d809b62c6200110caaa

curl-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 825896e7150bdd0683348b15abbc3a6be610af2b8a130f6f3d4850f6b85acc05

curl-debugsource-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: fd3af92edd2552b19999792ce6e44ee412f2823ba467183febf3023d1789722d

curl-minimal-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: d61428ec1895c75832c944f1777c59494cfed651b19241ee76ca42ad06bcffee

curl-minimal-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 1893bb0ad61cfcc1144d0fd5473b52349a17e3e05367bd3ecdea33e397ec363c

libcurl-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: ad2fc7af1f4c6662bac05336435339c18d82c853301f9861f1e7c77e2cc36bac

libcurl-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 78eaf53ba404f2d89bab6710e6a28317ac9cba171849f2fe400890b07be79a77

libcurl-devel-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 1bf9e8c745095492cd944436385732b4953da97467db0ca55b67088fc15c5385

libcurl-minimal-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: d6957ed12de8c6263231c5fbeffd63f7bc4bd4d6bb6eeda21ba19736a7358b2b

libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm

SHA-256: 306f7450670954f51f00110a99f6b1d3b5c4571b344a306e78bbbe10a8e8ec46

Red Hat Enterprise Linux for ARM 64 9

SRPM

curl-7.76.1-19.el9_1.2.src.rpm

SHA-256: ad52652b5f16a0f9ed719fe9f87000762639764fa00d9158f865b30c40404838

aarch64

curl-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: 037080a45277fceb1628b91f50cdec31ae653247ff7f82b43fa03763bc6d723e

curl-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: 8d9e7f5c9cca2a9ff690c9df6e09e27c0216a697ce100de767d3bc036fe4359b

curl-debugsource-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: 4722056c2f7993148e73cca71b1eac7b07d0678f5c3c9a2f38269fa732decaf2

curl-minimal-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: e10aa273785b04a4ecee26ea73fa71328da025a382852c3938e2ce8e5b4d64fe

curl-minimal-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: cbbd9a29dec5ee86f278637129998f881aac3b0ccc622fcc74f1cfc1b991e369

libcurl-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: 97aa53351e054a180b7a43102c8fd9e71e8a41d73b4275ce3c8c122f3c37551b

libcurl-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: bb4d90d3017324438344ba87cb304c7c89443ae340fde0046e8024fc60fb0b83

libcurl-devel-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: a5ffb8b9813f9e34aa6694bed8f5a76e47beae7d65cfb0e37cdaa689cd9cebb1

libcurl-minimal-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: d6210706718201eabcb57e4c8f094c30877778a0c4854dd84af961a1ba9454ed

libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm

SHA-256: e27ac6c6779844cf39fa8a752abd58b7e274a7c4cb412cce750231451ce49ad1

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Users should upgrade to version 8.3.0-r2 or later.

RHSA-2023:4139: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback...

Red Hat Security Advisory 2023-3460-01

Red Hat Security Advisory 2023-3460-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

RHSA-2023:3354: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

An update is now available for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 on Red Hat Enterprise Linux versions 7 and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service.
  • CVE-2022-4304: A timing-based side channel exists in the Open...

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

Red Hat Security Advisory 2023-2098-01

Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

RHSA-2023:2107: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
  • CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...

RHSA-2023:2098: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.8 security updates and bug fixes

Multicluster Engine for Kubernetes 2.0.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2061: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.6 security updates and bug fixes

Multicluster Engine for Kubernetes 2.1.6 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

Red Hat Security Advisory 2023-1887-01

Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1816-01

Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

CVE-2023-1731: Meinberg Security Advisory: [MBGSA-2023.02] LANTIME-Firmware V7.06.013

In LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands.

Red Hat Security Advisory 2023-1893-01

Red Hat Security Advisory 2023-1893-01 - Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical.

RHSA-2023:1893: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0 hotfix security update for console

Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-29017: A flaw was found in vm2 where the component was not properly handling asynchronous errors. This flaw allows a remote, unauthenticated attacker to escape the restrictions of the sandbox and execute code on the host.
  • CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, al...

RHSA-2023:1887: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.3 security updates and bug fixes

Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
  • CVE-2023-29017: A flaw was found in vm2 where the component...

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

RHSA-2023:1842: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.

Red Hat Security Advisory 2023-1448-01

Red Hat Security Advisory 2023-1448-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-1453-01

Red Hat Security Advisory 2023-1453-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1454-01

Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1453: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1448: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.3.2 security update

Red Hat OpenShift Service Mesh Containers for 2.3.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server t...

Red Hat Security Advisory 2023-1140-01

Red Hat Security Advisory 2023-1140-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

RHSA-2023:1140: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.

Debian Security Advisory 5365-1

Debian Linux Security Advisory 5365-1 - Patrick Monnerat discovered that Curl's support for "chained" HTTP compression algorithms was susceptible to denial of service.

Ubuntu Security Notice USN-5891-1

Ubuntu Security Notice 5891-1 - Harry Sintonen discovered that curl incorrectly handled HSTS support when multiple URLs are requested serially. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. Harry Sintonen discovered that curl incorrectly handled HSTS support when multiple URLs are requested in parallel. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10.

CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl < 7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
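The CVE text above describes the mechanism precisely enough to model it: the chain is the concatenation of every Content-Encoding header line, a decoder stage gets allocated per link, and the pre-7.88.0 cap was checked against each header line separately, so a server could stay under the cap on every line while stacking up thousands of stages in total. The following is an added example written for this page, not curl's code or Red Hat's: a small HTTP client-side decoder in Python that shows both accountings side by side, the per-header one accepting a 1000-header response and the whole-response one refusing it before any decoder state exists. The cap value, the sample body and the header lines are all constructed for the demo; in particular the cap of 5 is an illustrative assumption, not a number this page states.

```python
import gzip
import zlib

# Maximum number of decode stages accepted for one response. curl's fix for
# CVE-2023-23916 (7.88.0) enforces its cap across all Content-Encoding headers
# instead of per header; the value used here is an assumption for illustration,
# not taken from this page.
MAX_ENCODE_STACK = 5


class DecompressionChainTooLong(Exception):
    """Raised when a response asks for more decode stages than we will allocate."""


def parse_encoding_chain(header_lines):
    """Collect Content-Encoding tokens in the order the server applied them.

    HTTP permits the header to be repeated, and each occurrence may carry a
    comma-separated list, so the chain is the concatenation of all of them.
    """
    chain = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            chain.extend(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return chain


def count_stages_per_header(header_lines, cap=MAX_ENCODE_STACK):
    """Pre-fix accounting: the cap is checked against each header line on its own,
    so N header lines of at most `cap` links each all pass and N*cap decoder
    stages would be allocated."""
    stages = 0
    for line in header_lines:
        links = parse_encoding_chain([line])
        if len(links) > cap:
            raise DecompressionChainTooLong(f"{len(links)} links in one header")
        stages += len(links)
    return stages


def count_stages_total(header_lines, cap=MAX_ENCODE_STACK):
    """Fixed accounting: one counter for the whole response, however the server
    split the chain across header lines."""
    chain = parse_encoding_chain(header_lines)
    if len(chain) > cap:
        raise DecompressionChainTooLong(f"{len(chain)} links across all headers")
    return len(chain)


def decode_body(body, header_lines, cap=MAX_ENCODE_STACK):
    """Undo the chain in reverse order, refusing over-long chains before any
    decoder state is allocated."""
    chain = parse_encoding_chain(header_lines)
    if len(chain) > cap:
        raise DecompressionChainTooLong(f"{len(chain)} links across all headers")
    data = body
    for enc in reversed(chain):
        if enc in ("gzip", "x-gzip"):
            data = gzip.decompress(data)
        elif enc == "deflate":
            data = zlib.decompress(data)  # zlib-wrapped deflate, as RFC 9110 defines the coding
        elif enc == "identity":
            continue
        else:
            raise ValueError(f"unsupported content-coding: {enc}")
    return data


# Constructed sample response (not a captured one): the body was gzip'd, then
# deflated, so the server advertises "gzip" first and "deflate" second, split
# across two header lines.
PLAINTEXT = b"CVE-2023-23916 worked example\n" * 8
BENIGN_BODY = zlib.compress(gzip.compress(PLAINTEXT))
BENIGN_HEADERS = [
    "Content-Type: text/plain",
    "Content-Encoding: gzip",
    "Content-Encoding: deflate",
]

# Constructed hostile response: every header line stays under the per-header
# cap, but together they ask for 1000 decoder stages.
HOSTILE_HEADERS = ["Content-Encoding: gzip"] * 1000


def demo():
    """Return (benign body decodes, stages the old accounting accepts, new accounting refuses)."""
    ok = decode_body(BENIGN_BODY, BENIGN_HEADERS) == PLAINTEXT
    accepted_by_old = count_stages_per_header(HOSTILE_HEADERS)
    try:
        count_stages_total(HOSTILE_HEADERS)
        refused_by_new = False
    except DecompressionChainTooLong:
        refused_by_new = True
    return ok, accepted_by_old, refused_by_new


if __name__ == "__main__":
    print(demo())  # (True, 1000, True)
```

The point of checking the whole chain before decoding any of it is that the cost here is not the decompressed output but the per-stage decoder state: each gzip or deflate stage carries its own inflate context and buffers, so the allocation is proportional to the number of links, and a client that counts per header line has no bound on that number. The same split-across-headers trick applies to any header whose value is a list, so the check belongs on the concatenated value, never on individual lines.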