RHSA-2021:4288: Red Hat Security Advisory: libjpeg-turbo security and bug fix update

An update for ncurses is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The ncurses (new curses) library routines are a terminal-independent method of updating character screens with reasonable optimization. The ncurses packages contain support utilities including a terminfo compiler tic, a decompiler infocmp, clear, tput, tset, and a termcap conversion tool captoinfo. Security Fix(es): * ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c (CVE-2019-17594) * ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c (CVE-2019-17595) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refe...

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427) * kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502) * kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503) * kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504) * kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586) * kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587) * kernel: wifi frame payl...

An update for bluez is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files. Security Fix(es): * bluez: Passkey Entry protocol of the Bluetooth Core is vulnerable to an impersonation attack (CVE-2020-26558) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the Reference...

An update for linuxptp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The linuxptp packages provide Precision Time Protocol (PTP) implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. The following packages have been upgraded to a later upstream version: linuxptp (3.1.1). (BZ#1895005) Security Fix(es): * linuxptp: wrong length of one-step follow-up in transparent clock (CVE-2021-3571) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to t...

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: mod_session: NULL pointer dereference when parsing Cookie header (CVE-2021-26690) * httpd: Unexpected URL matching with 'MergeSlashes OFF' (CVE-2021-30641) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. Related CVEs: *...

An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * kernel: out-of-bounds reads in pinctrl subsystem. (CVE-2020-0427) * kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502) * kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503) * kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504) * kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586) * kernel: Reassembling fragments encrypted un...

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38...

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38...

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted o...

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted o...

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.3.0 ESR. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy o...

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.3.0 ESR. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy o...

An update is now available for Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix(es): * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) * kernel: powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs: * CVE-2021-22543: kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO ch...

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free (CVE-2020-36385) * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) * kernel: powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576) * kernel: use-after-free in show_numa_stats function (CVE-2019-20934) * kernel: SVM nested virtualization issue in KVM (...