Ubuntu Security Notice 6451-1 - It was discovered that ncurses could be made to read out of bounds. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6451-1  
October 24, 2023

ncurses vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

ncurses could be made to crash if it opened a specially crafted  
file.

Software Description:  
- ncurses: shared libraries for terminal handling

Details:

It was discovered that ncurses could be made to read out of bounds.  
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   lib32ncurses5                   6.1-1ubuntu1.18.04.1+esm1  
   lib32ncursesw5                  6.1-1ubuntu1.18.04.1+esm1  
   lib32tinfo5                     6.1-1ubuntu1.18.04.1+esm1  
   lib64ncurses5                   6.1-1ubuntu1.18.04.1+esm1  
   lib64tinfo5                     6.1-1ubuntu1.18.04.1+esm1  
   libncurses5                     6.1-1ubuntu1.18.04.1+esm1  
   libncursesw5                    6.1-1ubuntu1.18.04.1+esm1  
   libtinfo5                       6.1-1ubuntu1.18.04.1+esm1  
   libx32ncurses5                  6.1-1ubuntu1.18.04.1+esm1  
   libx32ncursesw5                 6.1-1ubuntu1.18.04.1+esm1  
   libx32tinfo5                    6.1-1ubuntu1.18.04.1+esm1  
   ncurses-bin                     6.1-1ubuntu1.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   lib32ncurses5                   6.0+20160213-1ubuntu1+esm4  
   lib32ncursesw5                  6.0+20160213-1ubuntu1+esm4  
   lib32tinfo5                     6.0+20160213-1ubuntu1+esm4  
   lib64ncurses5                   6.0+20160213-1ubuntu1+esm4  
   lib64tinfo5                     6.0+20160213-1ubuntu1+esm4  
   libncurses5                     6.0+20160213-1ubuntu1+esm4  
   libncursesw5                    6.0+20160213-1ubuntu1+esm4  
   libtinfo5                       6.0+20160213-1ubuntu1+esm4  
   libx32ncurses5                  6.0+20160213-1ubuntu1+esm4  
   libx32ncursesw5                 6.0+20160213-1ubuntu1+esm4  
   libx32tinfo5                    6.0+20160213-1ubuntu1+esm4  
   ncurses-bin                     6.0+20160213-1ubuntu1+esm4

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   lib32ncurses5                   5.9+20140118-1ubuntu1+esm4  
   lib32ncursesw5                  5.9+20140118-1ubuntu1+esm4  
   lib32tinfo5                     5.9+20140118-1ubuntu1+esm4  
   lib64ncurses5                   5.9+20140118-1ubuntu1+esm4  
   lib64tinfo5                     5.9+20140118-1ubuntu1+esm4  
   libncurses5                     5.9+20140118-1ubuntu1+esm4  
   libncursesw5                    5.9+20140118-1ubuntu1+esm4  
   libtinfo5                       5.9+20140118-1ubuntu1+esm4  
   libx32ncurses5                  5.9+20140118-1ubuntu1+esm4  
   libx32ncursesw5                 5.9+20140118-1ubuntu1+esm4  
   libx32tinfo5                    5.9+20140118-1ubuntu1+esm4  
   ncurses-bin                     5.9+20140118-1ubuntu1+esm4

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6451-1  
   CVE-2020-19189

Ubuntu Security Notice USN-6451-1

Ubuntu Security Notice 6362-2 - USN-6362-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799] was incomplete. This update fixes the problem. Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6362-2  
October 25, 2023

.Net regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

An incomplete fix was discovered in .Net.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6362-1 fixed vulnerabilities in .Net. It was discovered that the fix  
for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem.

Original advisory details:

 Kevin Jones discovered that .NET did not properly process certain  
 X.509 certificates. An attacker could possibly use this issue to  
 cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  aspnetcore-runtime-6.0          6.0.124-0ubuntu1~23.04.1  
  aspnetcore-runtime-7.0          7.0.113-0ubuntu1~23.04.1  
  dotnet-host                     6.0.124-0ubuntu1~23.04.1  
  dotnet-host-7.0                 7.0.113-0ubuntu1~23.04.1  
  dotnet-hostfxr-6.0              6.0.124-0ubuntu1~23.04.1  
  dotnet-hostfxr-7.0              7.0.113-0ubuntu1~23.04.1  
  dotnet-runtime-6.0              6.0.124-0ubuntu1~23.04.1  
  dotnet-runtime-7.0              7.0.113-0ubuntu1~23.04.1  
  dotnet-sdk-6.0                  6.0.124-0ubuntu1~23.04.1  
  dotnet-sdk-7.0                  7.0.113-0ubuntu1~23.04.1  
  dotnet6                         6.0.124-0ubuntu1~23.04.1  
  dotnet7                         7.0.113-0ubuntu1~23.04.1

Ubuntu 22.04 LTS:  
  aspnetcore-runtime-6.0          6.0.124-0ubuntu1~22.04.1  
  aspnetcore-runtime-7.0          7.0.113-0ubuntu1~22.04.1  
  dotnet-host                     6.0.124-0ubuntu1~22.04.1  
  dotnet-host-7.0                 7.0.113-0ubuntu1~22.04.1  
  dotnet-hostfxr-6.0              6.0.124-0ubuntu1~22.04.1  
  dotnet-hostfxr-7.0              7.0.113-0ubuntu1~22.04.1  
  dotnet-runtime-6.0              6.0.124-0ubuntu1~22.04.1  
  dotnet-runtime-7.0              7.0.113-0ubuntu1~22.04.1  
  dotnet-sdk-6.0                  6.0.124-0ubuntu1~22.04.1  
  dotnet-sdk-7.0                  7.0.113-0ubuntu1~22.04.1  
  dotnet6                         6.0.124-0ubuntu1~22.04.1  
  dotnet7                         7.0.113-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6362-2  
  https://ubuntu.com/security/notices/USN-6362-1  
  CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208

Package Information:  
  https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.04.1  
  https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.04.1  
  https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~22.04.1  
  https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6362-2

Ubuntu Security Notice 6438-2 - USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799] was incomplete. This update fixes the problem. Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6438-2  
October 25, 2023

.Net regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10

Summary:

An incomplete fix was discovered in .Net.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix  
for [CVE-2023-36799](https://ubuntu.com/security/CVE-2023-36799) was incomplete. This update fixes the problem.

Original advisory details:

 Kevin Jones discovered that .NET did not properly process certain  
 X.509 certificates. An attacker could possibly use this issue to  
 cause a denial of service. (CVE-2023-36799)

  It was discovered that the .NET Kestrel web server did not properly  
 handle HTTP/2 requests. A remote attacker could possibly use this  
 issue to cause a denial of service. (CVE-2023-44487)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  aspnetcore-runtime-6.0          6.0.124-0ubuntu1~23.10.1  
  aspnetcore-runtime-7.0          7.0.113-0ubuntu1~23.10.1  
  dotnet-host                     6.0.124-0ubuntu1~23.10.1  
  dotnet-host-7.0                 7.0.113-0ubuntu1~23.10.1  
  dotnet-hostfxr-6.0              6.0.124-0ubuntu1~23.10.1  
  dotnet-hostfxr-7.0              7.0.113-0ubuntu1~23.10.1  
  dotnet-runtime-6.0              6.0.124-0ubuntu1~23.10.1  
  dotnet-runtime-7.0              7.0.113-0ubuntu1~23.10.1  
  dotnet-sdk-6.0                  6.0.124-0ubuntu1~23.10.1  
  dotnet-sdk-7.0                  7.0.113-0ubuntu1~23.10.1  
  dotnet6                         6.0.124-0ubuntu1~23.10.1  
  dotnet7                         7.0.113-0ubuntu1~23.10.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6438-2  
  https://ubuntu.com/security/notices/USN-6438-1  
  CVE-2023-36799, https://launchpad.net/bugs/2040207, https://launchpad.net/bugs/2040208

Package Information:  
  https://launchpad.net/ubuntu/+source/dotnet6/6.0.124-0ubuntu1~23.10.1  
  https://launchpad.net/ubuntu/+source/dotnet7/7.0.113-0ubuntu1~23.10.1

Ubuntu Security Notice USN-6438-2

Debian Linux Security Advisory 5532-1 - Tony Battersby reported that incorrect cipher key and IV length processing in OpenSSL, a Secure Sockets Layer toolkit, may result in loss of confidentiality for some symmetric cipher modes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5532-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : opensslCVE ID         : CVE-2023-5363Tony Battersby reported that incorrect cipher key and IV lengthprocessing in OpenSSL, a Secure Sockets Layer toolkit, may result inloss of confidentiality for some symmetric cipher modes.Additional details can be found in the upstream advisory:https://www.openssl.org/news/secadv/20231024.txtFor the stable distribution (bookworm), this problem has been fixed inversion 3.0.11-1~deb12u2.We recommend that you upgrade your openssl packages.For the detailed security status of openssl please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/opensslFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU4GHNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TXww//aymYKy2Mo+x2RSQkTt3ojSPDCR0nOfdMPy5yYVUQ0CL4NdngPvtGuTTbH2pdTOBo9RF0YJzCnVA1jCS2UBc//grcsnB3RkW2zzRZbXPTELsLow43/w/jo5lZvm4VYlxiYUiTzXS88LM4vUGPc62cDE+BzZUDOxsygvwqpqa248T+ZdhDFSoIyoCNWaTBjBmyhiqD7OMp4nv4ui6qX+srBbOrLNoiCbzStwbg03pi4WNrfCIKadIy5ibYFjLL73Uyp/mHj+C1OLotPiKV1CLkW1MsHZYhen4zTchTRNEMORsoVKHLvW/X+njEHCMmRfqIvF82EN+9fw33FGpiI70HLjyQIwVQ+NabJNLANOJG/w7NqVMPngQz7BNDddPOnKMXFpaxmlWM+LR7HBkArSOz/cUb3lpyCheL5rs07FZDGmGZZrHKcvuFKvwS4gvNoBSkNSMHMloAPcYI6SQsKk6ps62E55tzzhyAgIZChJYy4RH3azT/Ud2JohWedhN6ScXXYEOQpSePA6egfdY+2ZiH+WJnZu6yoX0WL4gbR2PQTysy/P8HMnd1QvE+OmzyfBeUPlYEBW7Wg/7u9vROGJEQWmbwbIWptV3/BBVh+b79AvegDARNvh6y+5aXVSbE5QHowfYzmwIASYIJoSggb6LQQY1h+SDVj/E6zlglxDE6qQ8==OgKn-----END PGP SIGNATURE-----

Debian Security Advisory 5532-1

Ubuntu Security Notice 6288-2 - USN-6288-1 fixed a vulnerability in MySQL. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.7.43 in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6288-2  
October 24, 2023

mysql-5.7 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in MySQL.

Software Description:  
- mysql-5.7: MySQL database

Details:

USN-6288-1 fixed a vulnerability in MySQL. This update provides  
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

 Multiple security issues were discovered in MySQL and this update includes  
 new upstream MySQL versions to fix these issues.

 MySQL has been updated to 5.7.43 in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

 In addition to security fixes, the updated packages contain bug fixes, new  
 features, and possibly incompatible changes.

 Please see the following for more information:  
 https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-43.html  
 https://www.oracle.com/security-alerts/cpujul2023.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  mysql-server-5.7                5.7.43-0ubuntu0.18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  mysql-server-5.7                5.7.43-0ubuntu0.16.04.1+esm1

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
  https://ubuntu.com/security/notices/USN-6288-2  
  https://ubuntu.com/security/notices/USN-6288-1  
  CVE-2023-22053

Ubuntu Security Notice USN-6288-2

Red Hat Security Advisory 2023-6085-01 - An update is now available for Red Hat Openshift distributed tracing 2.9. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6085.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenShift distributed tracing security update  
Advisory ID:        RHSA-2023:6085-01  
Product:            Red Hat OpenShift distributed tracing  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6085  
Issue date:         2023-10-24  
Revision:           01  
CVE Names:          CVE-2023-29406  
====================================================================

Summary: 

An update is now available for Red Hat Openshift distributed tracing 2.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-29406

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6085-01

Red Hat Security Advisory 2023-6084-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6084.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: RHACS 3.74 enhancement and security update  
Advisory ID:        RHSA-2023:6084-01  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6084  
Issue date:         2023-10-24  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Updated images are now available for Red Hat Advanced Cluster Security. The  
updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release of RHACS 3.74.7 includes fixes for the following security  
vulnerabilities:

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work  
(CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS  
attack  
(Rapid Reset Attack) (CVE-2023-44487)

* Various CVEs in containers for glibc security issues

A Red Hat Security Bulletin which addresses further details about this flaw  
is  
available in the References section.

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

RHACS 3.74.7 includes a new default policy called \"Rapid Reset: Denial of  
Service  
Vulnerability in HTTP/2 Protocol\". This policy alerts on deployments with  
images  
containing components that are susceptible to a Denial of Service (DoS)  
vulnerability for HTTP/2 servers, based on CVE-2023-44487 and  
CVE-2023-39325.  
This policy applies to the build or deploy life cycle stage.

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html

Red Hat Security Advisory 2023-6084-01

Red Hat Security Advisory 2023-5896-01 - Red Hat OpenShift Container Platform release 4.12.40 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5896.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.40 bug fix and security update  
Advisory ID:        RHSA-2023:5896-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5896  
Issue date:         2023-10-25  
Revision:           01  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.40 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.40. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:5898

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5896-01

Red Hat Security Advisory 2023-5895-01 - Red Hat OpenShift Container Platform release 4.12.40 is now available with updates to packages and images that fix several bugs.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5895.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.40 security and extras update  
Advisory ID:        RHSA-2023:5895-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5895  
Issue date:         2023-10-25  
Revision:           01  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.40 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.40. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:5896

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5895-01

Citrix NetScaler ADC and NetScaler Gateway proof of concept exploit for the session token leakage vulnerability as described in CVE-2023-4966.

Source

Packet Storm