Red Hat Security Advisory 2023-7783-03 - An update for postgresql is now available for Red Hat Enterprise Linux 7. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7783.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2023:7783-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7783Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7783-03

Red Hat Security Advisory 2023-7782-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7782.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security updateAdvisory ID:        RHSA-2023:7782-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7782Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-20569====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw amd: Return Address Predictor vulnerability leading to information disclosure (CVE-2023-20569)* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20569References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2207625https://bugzilla.redhat.com/show_bug.cgi?id=2217845

Red Hat Security Advisory 2023-7782-03

Red Hat Security Advisory 2023-7778-03 - An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7778.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:10 security updateAdvisory ID:        RHSA-2023:7778-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7778Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-5869====================================================================Summary: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5869References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247169

Red Hat Security Advisory 2023-7778-03

Red Hat Security Advisory 2023-7720-03 - An update is now available for RHOL-5.8-RHEL-9. Issues addressed include a file disclosure vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7720.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: Logging Subsystem 5.8.1- Red Hat OpenShift security updateAdvisory ID:        RHSA-2023:7720-03Product:            Logging Subsystem for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7720Issue date:         2023-12-13Revision:           03CVE Names:          CVE-2023-38037====================================================================Summary: An update is now available for RHOL-5.8-RHEL-9.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Logging Subsystem 5.8.1- Red Hat OpenShiftSecurity Fix(es):* rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38037References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2236261https://issues.redhat.com/browse/LOG-4452https://issues.redhat.com/browse/LOG-4480https://issues.redhat.com/browse/LOG-4612https://issues.redhat.com/browse/LOG-4655https://issues.redhat.com/browse/LOG-4683https://issues.redhat.com/browse/LOG-4706https://issues.redhat.com/browse/LOG-4741https://issues.redhat.com/browse/LOG-4768https://issues.redhat.com/browse/LOG-4780https://issues.redhat.com/browse/LOG-4791https://issues.redhat.com/browse/LOG-4811https://issues.redhat.com/browse/LOG-4815https://issues.redhat.com/browse/LOG-4821https://issues.redhat.com/browse/LOG-4828https://issues.redhat.com/browse/LOG-4836https://issues.redhat.com/browse/LOG-4841https://issues.redhat.com/browse/LOG-4852

Red Hat Security Advisory 2023-7720-03

Red Hat Security Advisory 2023-7691-03 - Red Hat OpenShift Container Platform release 4.11.55 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7691.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.11.55 bug fix and security update  
Advisory ID:        RHSA-2023:7691-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7691  
Issue date:         2023-12-14  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.11.55 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.55. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:7693

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-20122  
https://issues.redhat.com/browse/OCPBUGS-23574

Red Hat Security Advisory 2023-7691-03

Red Hat Security Advisory 2023-7690-03 - Red Hat OpenShift Container Platform release 4.11.55 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7690.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.11.55 security update  
Advisory ID:        RHSA-2023:7690-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7690  
Issue date:         2023-12-13  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.11.55 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.55. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7691

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-22907

Red Hat Security Advisory 2023-7690-03

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 5.0.0

Debian Linux Security Advisory 5577-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5577-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonDecember 13, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6702 CVE-2023-6703 CVE-2023-6704 CVE-2023-6705                  CVE-2023-6706 CVE-2023-6707Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 120.0.6099.109-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 120.0.6099.109-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmV6aPEACgkQZF0CR8NudjffxxAApjZFf7DiAa48F8xlGkCvACrnJA3b9hn7Xl7yvG3KSfmOj/hZE+zl5cI+NHaXy5zGigd2wLDH0JScx4cDFJSZA16n+V1lVZ1fIKowheRXIx/ZtaGhH6+jL3VhPExFoS/EbwHzcb++SsGSq3SVOEOjIms1fO6uKBPvyAWP00q8js5ztZmZyCD2RBeRt3PWsrfyARS5jxM+jNSQB1ke+nv3NMwMJ9wmAJpiruBPEUeTBRR7P9AvgRLj+pdMTmkt3E3Py9OdR0JjMrTJNDyx5/e/voR370C54hhsVDKkBvDqecR05yV0+pjy1vsTrCys20VnmaLG3+0vsi2CcJaCrS97qiFQ2PDob3y7QhC0wz4k0GNvcTPc17llM6TM86iulxEniFDR/21xNahd88N9eN5+7q2Z8+6RoysBtrYfeUaJzhBbONULtICJR8QcFdXul4rft/aMExDhsajBe98ySPlRrru3kz4WCjktm377gn/sZIhsmuDaHWuh9w/hiVav4cEdKw8RP4FAxr9lj4UVRCYx+FZwxNxF1EjSMczsG3eNJTfymlfuWvsLKI4IcFh4TAjg4GjZyVkT17HgXlkKnm8DiaF+ytnnVJNtSIOfo4fmvoJzxgYefEGbBW0s37l0TKf7ZLBaiq9tkmZnVXis501LnE/G5jyxFu4JOs5kJpQUXEY==kzAk-----END PGP SIGNATURE-----

Debian Security Advisory 5577-1

Ubuntu Security Notice 6555-2 - USN-6555-1 fixed several vulnerabilities in X.Org. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB button actions. An attacker could possibly use this issue to cause the X Server to crash, execute arbitrary code, or escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-6555-2  
December 13, 2023

xorg-server vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:  
- xorg-server: X.Org X11 server

Details:

USN-6555-1 fixed several vulnerabilities in X.Org. This update provides  
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB  
 button actions. An attacker could possibly use this issue to cause the X  
 Server to crash, execute arbitrary code, or escalate privileges.  
 (CVE-2023-6377)

 Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled  
 memory when processing the RRChangeOutputProperty and  
 RRChangeProviderProperty APIs. An attacker could possibly use this issue to  
 cause the X Server to crash, or obtain sensitive information.  
 (CVE-2023-6478)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  xserver-xorg-core               2:1.19.6-1ubuntu4.15+esm3  
  xwayland                        2:1.19.6-1ubuntu4.15+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  xserver-xorg-core               2:1.18.4-0ubuntu0.12+esm8  
  xwayland                        2:1.18.4-0ubuntu0.12+esm8

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6555-2  
  https://ubuntu.com/security/notices/USN-6555-1  
  CVE-2023-6377, CVE-2023-6478

Ubuntu Security Notice USN-6555-2

Ubuntu Security Notice 6555-1 - Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB button actions. An attacker could possibly use this issue to cause the X Server to crash, execute arbitrary code, or escalate privileges. Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the RRChangeOutputProperty and RRChangeProviderProperty APIs. An attacker could possibly use this issue to cause the X Server to crash, or obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6555-1  
December 13, 2023

xorg-server, xwayland vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in X.Org X Server.

Software Description:  
- xorg-server: X.Org X11 server  
- xwayland: X server for running X clients under Wayland

Details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled XKB  
button actions. An attacker could possibly use this issue to cause the X  
Server to crash, execute arbitrary code, or escalate privileges.  
(CVE-2023-6377)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled  
memory when processing the RRChangeOutputProperty and  
RRChangeProviderProperty APIs. An attacker could possibly use this issue to  
cause the X Server to crash, or obtain sensitive information.  
(CVE-2023-6478)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   xserver-xorg-core               2:21.1.7-3ubuntu2.4  
   xwayland                        2:23.2.0-1ubuntu0.3

Ubuntu 23.04:  
   xserver-xorg-core               2:21.1.7-1ubuntu3.4  
   xwayland                        2:22.1.8-1ubuntu1.3

Ubuntu 22.04 LTS:  
   xserver-xorg-core               2:21.1.4-2ubuntu1.7~22.04.5  
   xwayland                        2:22.1.1-1ubuntu0.9

Ubuntu 20.04 LTS:  
   xserver-xorg-core               2:1.20.13-1ubuntu1~20.04.12  
   xwayland                        2:1.20.13-1ubuntu1~20.04.12

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6555-1  
   CVE-2023-6377, CVE-2023-6478

Package Information:  
   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-3ubuntu2.4  
   https://launchpad.net/ubuntu/+source/xwayland/2:23.2.0-1ubuntu0.3  
   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-1ubuntu3.4  
   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.8-1ubuntu1.3  
   https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.5  
   https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.9  
   https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.12

Source

Packet Storm