Red Hat Security Advisory 2023-4341-01 - Red Hat OpenShift bug fix and security update. Red Hat Product Security has rated this update as having a security impact of Low. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update  
Advisory ID:       RHSA-2023:4341-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4341  
Issue date:        2023-08-02  
CVE Names:         CVE-2022-25883 CVE-2023-22796   
=====================================================================

1. Summary:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Security Fix(es):

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* rubygem-activesupport: Regular Expression Denial of Service  
(CVE-2023-22796)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2164736 - CVE-2023-22796 rubygem-activesupport: Regular Expression Denial of Service  
2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2701 - [Vector] [Cloudwatch] namespaceUUID is not added to logGroupName when forwarding logs to Cloudwatch.  
LOG-3880 - Deprecated `curation` and `forwarder` are displayed in the console when creating clusterlogging via `Form view`.   
LOG-4015 - [Vector][Loki] vector_component_sent_bytes_total metric for Loki sink not exposed by vector.  
LOG-4073 - Invalid link to doc from installed operator in OpenShift Web Console  
LOG-4237 - Regression with Red Hat OpenShift Logging 5.7.2   
LOG-4242 - Vector pods raise `Configuration error` when forwarding to cloudwatch/googlecloudlogging with tlsSecurityProfile configured.  
LOG-4275 - [release-5.7] Vector pods going into a panic state   
LOG-4302 - CLO raises error message "URL not secure: , but output gcp-logging has TLS configuration parameters" if add tls.securityProfile to CLF when forwarding to googlecloudlogging/cloudwatch.  
LOG-4361 - [release-5.7] Setting custom options on the application tenant removes user-alertmanager configuration  
LOG-4368 - [release-5.7] sts cloudwatch issues after upgrading from 5.5  
LOG-4389 - [release-5.7] Query Label Values from Loki return duplicate values.

6. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-22796  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkymZDAAoJENzjgjWX9erEOvsP/1qyYiieOWJY/r4PPOJ6nYDH  
t+CegcwyG9rGlMn0+UibYtmmuiH4iYRV+iWDcU9h1yeGWt1Xp1BYS1lOTZ2+1rao  
FmiTGZoOLJXeBhy2ZTMm6JG6HCCazUVlLLlQyXU2SZ24l/2fi9OZ4zl/1Dn6tibZ  
YW7EHpuJRv5WqJHOrYZi4AoMj1DZYHsAuZDF/eqT92liwypJD2dsYt8FM19BeiTG  
9hSEV0YSU+BG+41sLs5dP/sUp1SE1vm31/zRCZPxSRaQPnABapTMpvnrPHIUgSa0  
iPTzYcTLiBsLL7wEz7zrvtKvLcZyyY/O59Id/n1qLP4RXUFgmYKe2x63fOxLVbX5  
n4aY9tfmEuyWqji90NTHvtKI+HAHmJoKZRLm6alBDXQuotId/IWrY8/XipIQWEtC  
CZC4eZ/DjtBeacO1coRhUc6uNigxik/nEmZ+F4v3MyooTm82RBbVOcEyQH2H/cZ4  
902EYa2kmLJSj4EndkV0KWlWUHf12nEF3rvpX8CtVlaGvs8a+76eGEQjEH7oZS1D  
rWw6IWxkd9wqnzIqv++qOwW2VTKkgpUDR1AwoJ+kxqewoYZj3W821m2HAskuVqGj  
xjSFyFNZOtQhvMEy6rgZA3seSaoK+RiP7KcrOAfq+Ay8LYZYLkkjwt8DI5B5Au8G  
FFwpxI/YB+KCwc2hUxVH  
=hBt4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4341-01

Red Hat Security Advisory 2023-4429-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: mod_auth_openidc:2.3 security update  
Advisory ID:       RHSA-2023:4429-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4429  
Issue date:        2023-08-02  
CVE Names:         CVE-2023-37464   
=====================================================================

1. Summary:

An update for the mod_auth_openidc:2.3 module is now available for Red Hat  
Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The mod_auth_openidc is an OpenID Connect authentication module for Apache  
HTTP Server. It enables an Apache HTTP Server to operate as an OpenID  
Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* cjose: AES GCM decryption uses the Tag length from the actual  
Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.src.rpm  
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.src.rpm

aarch64:  
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.aarch64.rpm  
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.aarch64.rpm  
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.aarch64.rpm  
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.aarch64.rpm  
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.aarch64.rpm  
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.aarch64.rpm  
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.aarch64.rpm

ppc64le:  
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm  
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm  
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm  
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm  
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm  
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm  
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm

s390x:  
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.s390x.rpm  
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.s390x.rpm  
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.s390x.rpm  
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.s390x.rpm  
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.s390x.rpm  
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.s390x.rpm  
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.s390x.rpm

x86_64:  
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm  
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm  
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm  
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm  
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm  
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm  
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37464  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyhHXAAoJENzjgjWX9erEET0P/1Zf3Hqw8FREW5SGFRdIWXsd  
0DjIB8hMzoKTvnGI7hoSF4HQDweOBSM0d42N3JabuIL4XTZLjFtO4ETC5tBtsCzt  
iydq14FM52SF0vMhxh9SoM5bhOzdYfZM+QXMyEjG8s8EIDdSWcBjdZajPtIWEdJZ  
enQG5sNp/d2ihOUIU+xwRVURY7CPWAjGhJMiB3hWH4GYSeycyaovZKGnRsbvrrqq  
s9NG8IsI/lg3ioWcPkVuPx8WQ8BREKF1LxejJVHpF2nV0xRLUy7dQC9rqj4aU4Eb  
p9y++j93dfPogVTK0O2hijeNIxpagmFr367EDHu3HLGTmrVYNbXeotimXU3zL/8C  
APfL9mipxOjwOgy/8/r6WoOqPiCIYUCvKd8/xX/d/a8ms8dF1B7FbIiJMG/WKd47  
LWT8UtTttjPo7HVhkk6srCPXoDfpYzkuARhe2TFfq+sH3ieZEoVCtXdtnkFRrSg5  
4xqvHFzG0j4y+tWqRh+a8IGxauJNRV8GbPfxq4C+5SPjZVXLGENMUoveVAi3FC/9  
E1Piop/5go7tMNXehBqpMla8/WUOuuZGmofy+NgkMCVyCKzVx/7iYkBQ15hFgPZA  
May/Hte3Cn34itundJZUZvHr++fq31XefXXyWvAW+Abhh8j2y/sbTHHVXa2sx73p  
iT4iCjimO0lNTyPm1TWa  
=PmOx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4429-01

Joomla JLex GuestBook extension version 1.6.4 suffers from a cross site scripting vulnerability.

    # Exploit Title: JLex GuestBook 1.6.4 - Reflected XSS# Exploit Author: CraCkEr# Date: 01/08/2023# Vendor: JLexArt# Vendor Homepage: https://jlexart.com/# Software Link: https://extensions.joomla.org/extension/contacts-and-feedback/guest-book/jlex-guestbook/# Demo: https://jlexguestbook.jlexart.com/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  CryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /u/perry-705GET parameter 'q' is vulnerable to XSShttp://website/u/perry-705?q=[XSS]&wl=1XSS Payloads:db8ck"onfocus="confirm(1)"autofocus="xwu0k[-] Done

Joomla JLex GuestBook 1.6.4 Cross Site Scripting

Red Hat Security Advisory 2023-4428-01 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: openssh security update  
Advisory ID:       RHSA-2023:4428-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4428  
Issue date:        2023-08-02  
CVE Names:         CVE-2023-38408   
=====================================================================

1. Summary:

An update for openssh is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64

3. Description:

OpenSSH is an SSH protocol implementation supported by a number of Linux,  
UNIX, and similar operating systems. It includes the core files necessary  
for both the OpenSSH client and server.

Security Fix(es):

* openssh: Remote code execution in ssh-agent PKCS#11 support  
(CVE-2023-38408)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the OpenSSH server daemon (sshd) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
openssh-5.3p1-125.el6_10.src.rpm

i386:  
openssh-5.3p1-125.el6_10.i686.rpm  
openssh-askpass-5.3p1-125.el6_10.i686.rpm  
openssh-clients-5.3p1-125.el6_10.i686.rpm  
openssh-debuginfo-5.3p1-125.el6_10.i686.rpm  
openssh-server-5.3p1-125.el6_10.i686.rpm

s390x:  
openssh-5.3p1-125.el6_10.s390x.rpm  
openssh-askpass-5.3p1-125.el6_10.s390x.rpm  
openssh-clients-5.3p1-125.el6_10.s390x.rpm  
openssh-debuginfo-5.3p1-125.el6_10.s390x.rpm  
openssh-server-5.3p1-125.el6_10.s390x.rpm

x86_64:  
openssh-5.3p1-125.el6_10.x86_64.rpm  
openssh-askpass-5.3p1-125.el6_10.x86_64.rpm  
openssh-clients-5.3p1-125.el6_10.x86_64.rpm  
openssh-debuginfo-5.3p1-125.el6_10.x86_64.rpm  
openssh-server-5.3p1-125.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:  
openssh-debuginfo-5.3p1-125.el6_10.i686.rpm  
openssh-ldap-5.3p1-125.el6_10.i686.rpm  
pam_ssh_agent_auth-0.9.3-125.el6_10.i686.rpm

s390x:  
openssh-debuginfo-5.3p1-125.el6_10.s390.rpm  
openssh-debuginfo-5.3p1-125.el6_10.s390x.rpm  
openssh-ldap-5.3p1-125.el6_10.s390x.rpm  
pam_ssh_agent_auth-0.9.3-125.el6_10.s390.rpm  
pam_ssh_agent_auth-0.9.3-125.el6_10.s390x.rpm

x86_64:  
openssh-debuginfo-5.3p1-125.el6_10.i686.rpm  
openssh-debuginfo-5.3p1-125.el6_10.x86_64.rpm  
openssh-ldap-5.3p1-125.el6_10.x86_64.rpm  
pam_ssh_agent_auth-0.9.3-125.el6_10.i686.rpm  
pam_ssh_agent_auth-0.9.3-125.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyhHIAAoJENzjgjWX9erEyKQP/3Qfu9Y6bUpoq+STXpRiIRB/  
QZ35/gRqOWYX7sqKwdxtXpuVmP2GzSObQCglq9aqY0BXa92xJGJ6aKxize6wC0Rf  
1kxZr46Jlgc1irPsPqy2hZCnFBuE+lgEWlKnIKXNQdGp/sF2T4CQeqrSIANZ+rHf  
vVdbq01idsVoiTcqt8LK/zMkXvRG4z14TkufcZw8nyaGyApmJydALitey1pn9WXF  
HHrsoUmr8AkhETTitN1a0SX7qVgs8BdlWoWdpY1JWPYiIHSoSbUDOQdcqK5sGZYK  
0xkS+QeQmcNeEXESbEz7o1IThXdHiBjM6NhntoDikN1Oc7/SftG5vm8i8C5JQJY7  
odbYEFF1BYWlQ1i4ulaZSmybJRvQ5S/WrqzkoXetqoCir/FrJ68RaUi5j/awtkG9  
ekOaNH2jAszXCZnAX8VivOht0v/itIYnBsSza2h/kmOHo8MDZqSlrmg4z5rn6Cbw  
pGXn8sntaE3Us/qvedRLZXzaTYtX9QeUEj/eWuqFTPf8V4PSjTaz44TWKDp0/GQk  
2p7inDh0sVQhlkLyvNT0h6aQ0wn2RUASs1RrKefIy7wedX73vUn2EEoeFJTrBjUE  
Bl04+dTjfjzDQ97MgdoPnAQxTPHH/i4Hz5rVxuya++QnLCCp2uD6ESahB2Gg9gI7  
7ZJPejaTEhXGOUdrAylm  
=VfOr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4428-01

EmpowerID versions 7.205.0.0 suffers from a vulnerability that allows an attacker to change a second factor flow armed with only the login and password for an account.

     Severity: HighDescription:An identified security flaw is present in EmpowerID versions V7.205.0.0 and prior versions, causing the system to mistakenly send Multi-Factor Authentication (MFA) codes to unintended email addresses. To exploit this vulnerability, an attacker would need to have access to valid and breached login details, including a username and password.This vulnerability's root cause lies in insufficient verification of previously registered MFA during the process of delivering MFA codes. A bad actor possessing the correct login details for an EmpowerID user account can abuse this weakness by changing the email address associated with the user's account to an alternate one under their control. Consequently, the MFA codes that should be sent to the legitimate user are instead delivered to the malicious party's email.By successfully taking advantage of this vulnerability, an attacker could circumvent MFA safeguards and potentially gain unpermitted access to the victim's account. Such a security breach could enable unauthorized activities, data breaches, or the exposure of confidential information within the impacted EmpowerID system.Affected Versions:  *   EmpowerID versions V7.205.0.0 and earlier.Actions Performed:EmpowerID has released a patch to version V7.205.0.1 and older versions, which addresses this vulnerability. EmpowerID has contacted customers which are known to use EmpowerID's MFA. It is highly recommended that all customers upgrade to the latest version immediately to mitigate the risk, or contact EmpowerID for patch details.[signature_889433285]<http://empowerid.com/>   Nirav Patel   [signature_1232658466]    nirav.patel@empowerID.com<mailto:nirav.patel@empowerID.com>   [signature_1909062425]    www.empowerID.com<http://empowerid.com/>   [signature_729000866] <http://www.youtube.com/user/empowerID>   [signature_2001009733] <https://twitter.com/EmpowerID>   [signature_1070999265] <https://www.facebook.com/220903377569>   [signature_679156352] <https://www.linkedin.com/company/85780>

EmpowerID 7.205.0.0 Authentication Bypass

Red Hat Security Advisory 2023-4312-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.46.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.46 security update  
Advisory ID:       RHSA-2023:4312-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4312  
Issue date:        2023-08-02  
CVE Names:         CVE-2023-1260   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.46 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.11 - aarch64, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.11.46. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:4310

Security Fix(es):

* kube-apiserver: PrivEsc (CVE-2023-1260)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2176267 - CVE-2023-1260 kube-apiserver: PrivEsc

6. Package List:

Red Hat OpenShift Container Platform 4.11:

Source:  
cri-o-1.24.6-4.rhaos4.11.git4bfe15a.el8.src.rpm  
openshift-4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8.src.rpm  
openshift-clients-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.src.rpm

aarch64:  
cri-o-1.24.6-4.rhaos4.11.git4bfe15a.el8.aarch64.rpm  
cri-o-debuginfo-1.24.6-4.rhaos4.11.git4bfe15a.el8.aarch64.rpm  
cri-o-debugsource-1.24.6-4.rhaos4.11.git4bfe15a.el8.aarch64.rpm  
openshift-clients-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.aarch64.rpm  
openshift-hyperkube-4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8.aarch64.rpm

ppc64le:  
cri-o-1.24.6-4.rhaos4.11.git4bfe15a.el8.ppc64le.rpm  
cri-o-debuginfo-1.24.6-4.rhaos4.11.git4bfe15a.el8.ppc64le.rpm  
cri-o-debugsource-1.24.6-4.rhaos4.11.git4bfe15a.el8.ppc64le.rpm  
openshift-clients-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.ppc64le.rpm  
openshift-hyperkube-4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8.ppc64le.rpm

s390x:  
cri-o-1.24.6-4.rhaos4.11.git4bfe15a.el8.s390x.rpm  
cri-o-debuginfo-1.24.6-4.rhaos4.11.git4bfe15a.el8.s390x.rpm  
cri-o-debugsource-1.24.6-4.rhaos4.11.git4bfe15a.el8.s390x.rpm  
openshift-clients-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.s390x.rpm  
openshift-hyperkube-4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8.s390x.rpm

x86_64:  
cri-o-1.24.6-4.rhaos4.11.git4bfe15a.el8.x86_64.rpm  
cri-o-debuginfo-1.24.6-4.rhaos4.11.git4bfe15a.el8.x86_64.rpm  
cri-o-debugsource-1.24.6-4.rhaos4.11.git4bfe15a.el8.x86_64.rpm  
openshift-clients-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.x86_64.rpm  
openshift-clients-redistributable-4.11.0-202307200522.p0.g7e1b2fb.assembly.stream.el8.x86_64.rpm  
openshift-hyperkube-4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1260  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyb4HAAoJENzjgjWX9erEJ0AP/0bylhEuVp+lLAItzJ57OvJi  
B4t8aruA+zIVJYLPjPVGkh49JkFsGZR8Ga/7Yd/6EjCJ59PYR5eU3O5x62lIogp2  
lRje18obND5ZDfSLg690JU0vHIsCoW92LYvAvI5i6BMErLR4gBnOBdxS51Pfg1DP  
m7aPcpu8g/cguGZJPPi6kcQwj6/xsFjj9c+TcCDW8IGZgcZkATQBQMDsAC/vhLL3  
ohBZYPl+yqljNbKe8LqOx312dYdnqrGERcBqJTxAoDTrYRz6cbrDE51/SbOlo8fU  
5129uXdpXQb1/sYH9l1nZ/Tw1oB048NQhicgHCQqZ7dLmEDd3eQIrHEQF/gAFTVF  
iaaaWANOXrY429M7XAYYMWMJDDZu0jFusSKH/iqTEnpQ25IGqo9hg5wsu00YiFgq  
Qv4xeVfHfiFP9KUFLkgtYJXocjmQbSfvat7Rg3ERm7PcLdkMtjv4ZOwq9bNfVPA9  
jTkvWSpvZqPQUNrM+LnDHoJDbyaktSJ5tAQo2OqXcjqPwP2obhYz9JkfHLtuAyJk  
BB3x7W5APudHBSUZtnVuAkvqlZV0kTmqZefsGNxpVvLnkSMhnFEDh7ulfaiRchRx  
uhFWIYHYRfLXTUntK2nlSCKLzmQ1q4ZjUA1Cn9Q9iyzQOW985xHjmBIiAy7UsZV9  
tDKzlhlP6hDTq8oRr66P  
=GO42  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4312-01

Red Hat Security Advisory 2023-4310-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.46. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.46 security update  
Advisory ID:       RHSA-2023:4310-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4310  
Issue date:        2023-08-02  
CVE Names:         CVE-2021-38561 CVE-2022-4304 CVE-2023-0215   
                   CVE-2023-0286 CVE-2023-2828 CVE-2023-24329   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.46 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.46. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:4312

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):  
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:88583eeaddcda4fbfdcf21f4dad86b01ff09bb010357c51f08fb24eb07fdb602

(For s390x architecture)  
The image digest is  
sha256:9626db69fc59699669497c95e67d8d3ae66d2374d9949ca7031bb25fa9ac188c

(For ppc64le architecture)  
The image digest is  
sha256:10b9e45b7bd97eca6f4ae7b0ed3deac843d6c1474152a40206be851363eb56e8

(For aarch64 architecture)  
The image digest is  
sha256:37433b71c073c6cbfc8173ec7ab2d99032c8e6d6fe29de06e062d85e33e34531

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15506 - [release-4.11] gather podDisruptionBudget only from openshift namespaces  
OCPBUGS-15539 - IngressVIP getting attach to two nodes at once  
OCPBUGS-15876 - 4.11 ovn-k unit tests failing  
OCPBUGS-16037 - TuneD reverts node level profiles on termination  
OCPBUGS-16126 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes  
OCPBUGS-16152 - Placeholder bug for OCP 4.11.0 extras release  
OCPBUGS-5708 - Bootstraps' pivot service races with bootkube

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyb3nAAoJENzjgjWX9erEjCMQAKfdfW6FdwjH/Fk+eipVjRmg  
U/JxPlmwI4G/6MNDjDZNv8D0NyyTRi3Gc0spRh6CmEJpDUT3HNR3LbY0IaRDMrzq  
bUjVegFYxFbmjlrcIprEPp4RuUDV9G4POrX5gIuq+v1P/qOE6IWL9L3tRnVLxZsT  
DGXFIajpwbVoXf9mgMkv3kEWHDDN1t+Tt2/w2yYMzqPeHppovByZgF2/jczsQZYT  
QpKSSTm1rLuVr9aFX2dObxbiOQ0eKf+58GibhZRn/lFXpD9kMoV5v6iMwY6kyO70  
umyCRD8ZG/OiY3WsXiiYBFPB/LofRwQGqlIPibIKFcVFzLEvMG8BCBbz60owHmuY  
DMEdg4atBFMjf+dSPFWeOL+dewHuH2mysE0ve3N5wE65Z0m28sZJS7/CYmsNEqQw  
NuZyI75Sb6mQMbyR+BZ7HhX6F0cxezFS66QB10OHnNFamAkz/GU+/GhPc/qpJE+z  
KMLrDsxl8KzirGbD7Vkg/bggAZEbyPuwsLlxLY18aPVLj7q7EI3RZYnQegA7weCM  
FXCG/DifAt9Q/HF2xiMd9rWKEFxXu19jKl4M5pePwmD+aCuTcpxnJDGTnilUW/cA  
SEHKW8/UuzWWGROf5D1bHKMkIP6Bl9SuZTPBhBSosenx1j63mCSP8pscpVelQYPd  
AgASZ/NNiQj1zg2kBgug  
=rThL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4310-01

Red Hat Security Advisory 2023-4417-01 - CJose is C library implementing the Javascript Object Signing and Encryption.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: cjose security update  
Advisory ID:       RHSA-2023:4417-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4417  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-37464   
=====================================================================

1. Summary:

An update for cjose is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

CJose is C library implementing the Javascript Object Signing and  
Encryption (JOSE).

Security Fix(es):

* cjose: AES GCM decryption uses the Tag length from the actual  
Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
cjose-0.6.1-13.el9_0.src.rpm

aarch64:  
cjose-0.6.1-13.el9_0.aarch64.rpm  
cjose-debuginfo-0.6.1-13.el9_0.aarch64.rpm  
cjose-debugsource-0.6.1-13.el9_0.aarch64.rpm

ppc64le:  
cjose-0.6.1-13.el9_0.ppc64le.rpm  
cjose-debuginfo-0.6.1-13.el9_0.ppc64le.rpm  
cjose-debugsource-0.6.1-13.el9_0.ppc64le.rpm

s390x:  
cjose-0.6.1-13.el9_0.s390x.rpm  
cjose-debuginfo-0.6.1-13.el9_0.s390x.rpm  
cjose-debugsource-0.6.1-13.el9_0.s390x.rpm

x86_64:  
cjose-0.6.1-13.el9_0.i686.rpm  
cjose-0.6.1-13.el9_0.x86_64.rpm  
cjose-debuginfo-0.6.1-13.el9_0.i686.rpm  
cjose-debuginfo-0.6.1-13.el9_0.x86_64.rpm  
cjose-debugsource-0.6.1-13.el9_0.i686.rpm  
cjose-debugsource-0.6.1-13.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37464  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWl9AAoJENzjgjWX9erEqvcP/R5BKB67az6ZMnARR/AVk0BW  
4OOVs1g1JPCsaqu8oVolYl2cobJt7XzqrxuXLoGwA5rxcJU/kaK3kLXE3Eq05hXW  
kO6C+qL8dHwm266VaRSWZCVoriYQF1kH7P6mJUU99Z0x15Oh0UNG8hTyQh16JAtv  
Rdgpe7DDpy44VwnGD8rtjTsHybYC9YuRJ7qyTpIHp30QoIYNrXVQwkCMeDvOPwD+  
FooRZcv9ItfBJSXJlGiB4MJ872uWGjqCP/SX/uAE88KBYk++SFxg91MDm0mlEMFf  
+52AtQE09f+Hq5Iu3cDGj6IsHrTxzyawGjIaJZGhISk6268u9zUq55kGsYdOIPB0  
0puaDwWIu58Gwyy4YrOhcr+TGv4ShmNufotGgpV2dV8USsz6nrGd9WWZrapwq38J  
IHuCRS5H4edrv/HkyzXytDUQhFTjJGKEf9L0yTK8D99wpFT+voIfFo6yT8pYEw76  
bnkfypUsdLkyLnMiuLCsv6CY9INydP+wmiRoWrKotJ0d/i1HDH8MFZ3il1MGazXF  
sxtszOQwwRKMy+uZxBV5S+dVo2GYhorpq946Nd1gyvG2xhjOQAhrrUUr9++2dOfX  
AJ5fz9wylbQ0E8Wn5u383TtIny+vszCHjPtkd8jyKyAt8HcPdbd7Eik/eOf/f3Tw  
PYoTlkixsRgXhamJTYvG  
=Yz/C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4417-01

Red Hat Security Advisory 2023-4413-01 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: openssh security update  
Advisory ID:       RHSA-2023:4413-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4413  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-38408   
=====================================================================

1. Summary:

An update for openssh is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSH is an SSH protocol implementation supported by a number of Linux,  
UNIX, and similar operating systems. It includes the core files necessary  
for both the OpenSSH client and server.

Security Fix(es):

* openssh: Remote code execution in ssh-agent PKCS#11 support  
(CVE-2023-38408)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the OpenSSH server daemon (sshd) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

aarch64:  
openssh-askpass-8.0p1-15.el8_6.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debugsource-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.aarch64.rpm

ppc64le:  
openssh-askpass-8.0p1-15.el8_6.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debugsource-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.ppc64le.rpm

s390x:  
openssh-askpass-8.0p1-15.el8_6.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debugsource-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.s390x.rpm

x86_64:  
openssh-askpass-8.0p1-15.el8_6.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debugsource-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
openssh-8.0p1-15.el8_6.src.rpm

aarch64:  
openssh-8.0p1-15.el8_6.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debugsource-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.aarch64.rpm

ppc64le:  
openssh-8.0p1-15.el8_6.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debugsource-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.ppc64le.rpm

s390x:  
openssh-8.0p1-15.el8_6.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debugsource-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-server-8.0p1-15.el8_6.s390x.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.s390x.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.s390x.rpm

x86_64:  
openssh-8.0p1-15.el8_6.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debugsource-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWl1AAoJENzjgjWX9erEcU0P/RQAp6tLg4iMPX8CMCPDI73o  
1bWh+LTdbJedsrzDywniRiuest4L1H0vDzrRc8xtU9pYsIg/ZhqXZH1dYkjS59YI  
Zk4IHFIWEcBr0g8AbknjAXeba/ASbjYz4Ng1FqAsCLSe8rG6viE/0+OXlDURw52O  
5gkxSh8JaOD+RgsjMypo7GAR47TGbPmwc3akvcg3o6kWMdnFR1MN/cQVHLNLuiem  
RBNbxO/KJty/6UNWf+lz+ikhNaCc1HS+6OCUA9l79a92NQqUyU26I4b7NwFdEnfv  
jkfZ/vPwVypvgo+17ajVLwg1S9lnk5sFmCEQYLmoYNclvpctf7gH5hTDUUdpO5Vc  
2p5ZjbSymap084hXB8t7ess1jOZ0D8WYuCW3jyAjWvFgEOsTgN84KVYfimgoVmij  
kS/pWQrYwrkzB4AtoxOc6KC3vSTrTqTat6IyyK01YOQrxedfb0o0G0xw/wmXTqpc  
MFF3OcAgXQ1ZQUSdIJKBwD0/2e+Gqi0ZkQ9ISMxd+76bK+tVkbTALLrULt6pOrtd  
gJ44C4762hHlJ8bjaFgErN8WsiJY0cpjP64rvPbzLZjHypAY6ZFyhDuNXLdFxLff  
F5519WI0HPJ9HBf1+ZtHW7LYAdAGScuAoVUaaVPzd9m1ry6q448k8kIF891zWRYN  
wcgAsTh2fo0DuorLrcpB  
=MjE7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4413-01

Cryptolive CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Cryptolive cms v1.0 Auth by pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://scriptmafia.org/                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] user & pass : 1'or'1'='1[+] Panel : https://127.0.0.1/cryptoinlivecom/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Source

Packet Storm