The World Cryptologic Competition (WCC) 2023 is a fully-online and open competition using GitHub. The language of the competition is English. The WCC 2023 has a total duration of 295 days, from Sunday January 1st 2023 to Monday October 23rd 2023. Teams and Judges must complete registration before Wednesday June 1st.

    The WCC 2023 is a fully-online and open competition using GitHub.The language of the competition is English.The WCC 2023 has a total duration of 295 days, from Sunday January 1st 2023to Monday October 23rd 2023.Teams and Judges must complete registration before Wednesday June 1st.The WCC 2023 has three entry categories:Category A: Block Ciphers with a 512-bit block, 512-bit key, and 192-bitnonceCategory B: Digest Functions with a 512-bit key and 192-bit nonceCategory C: Stream Ciphers with a 512-bit key and 192-bit nonceAll entries are put into the public domain.There are three judging phases, each lasting three weeks:"Round 1 / Open, Judging Phase" from Monday June 19th to Sunday July 9th."Round 2, Judging Phase" from Monday August 7th to Sunday August 27th."Round 3 / Finalist, Judging Phase" from Monday October 2nd to SundayOctober 22nd.There are prizes and judge's compensation.Official Site: https://worldcryptologiccompetition.github.io/Questions to: WorldCryptologicCompetition@gmail.comHave a good weekend,Administration TeamWorld Cryptologic Competition

WCC 2023 Call For Participation

The documentation for the python CGI module suffers from a cross site scripting vulnerability.

    Is there low hanging fruit for the following observation?The documentation of the python cgi module is vulnerable to XSS(cross site scripting)https://docs.python.org/3/library/cgi.html```form = cgi.FieldStorage()print("<p>name:", form["name"].value)print("<p>addr:", form["addr"].value)```First result on google for "tutorial python cgi"is https://www.tutorialspoint.com/python/python_cgi_programming.htmAnd it is almost the same as the python doc.I verified that setting ```name=<script>alert(document.domain)</script>```will trigger dialog, demonstrating javascript is executedon the cgi host.I would expect that devs who read the docs or tutorials will writevulnerable cgis.

Python CGI Documentation Cross Site Scripting

Ubuntu Security Notice 5904-2 - USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for CVE-2021-33844 was incomplete. This update fixes the problem. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-5904-2  
March 20, 2023

sox regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

USN-5904-1 caused a minor regression in SoX.

Software Description:  
- sox: Swiss army knife of sound processing

Details:

USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for  
CVE-2021-33844 was incomplete. This update fixes the problem.

Original advisory details:

  Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to cause a  
  denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu   
16.04 ESM,  
  and Ubuntu 18.04 LTS. (CVE-2019-13590)

  Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to cause a  
  denial of service. (CVE-2021-23159, CVE-2021-23172, CVE-2021-23210,  
  CVE-2021-33844, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650, and  
  CVE-2022-31651)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   libsox3                         14.4.2+git20190427-3ubuntu0.2  
   sox                             14.4.2+git20190427-3ubuntu0.2

Ubuntu 22.04 LTS:  
   libsox3   
14.4.2+git20190427-2+deb11u2build0.22.04.1  
   sox   
14.4.2+git20190427-2+deb11u2build0.22.04.1

Ubuntu 20.04 LTS:  
   libsox3   
14.4.2+git20190427-2+deb11u2build0.20.04.1  
   sox   
14.4.2+git20190427-2+deb11u2build0.20.04.1

Ubuntu 18.04 LTS:  
   libsox3                         14.4.2-3ubuntu0.18.04.3  
   sox                             14.4.2-3ubuntu0.18.04.3

Ubuntu 16.04 ESM:  
   libsox2                         14.4.1-5+deb8u4ubuntu0.1+esm2  
   sox                             14.4.1-5+deb8u4ubuntu0.1+esm2

Ubuntu 14.04 ESM:  
   libsox2                         14.4.1-3ubuntu1.1+esm3  
   sox                             14.4.1-3ubuntu1.1+esm3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5904-2  
   https://ubuntu.com/security/notices/USN-5904-1  
   CVE-2021-33844

Package Information:  
   https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-3ubuntu0.2

 https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-2+deb11u2build0.22.04.1

 https://launchpad.net/ubuntu/+source/sox/14.4.2+git20190427-2+deb11u2build0.20.04.1  
   https://launchpad.net/ubuntu/+source/sox/14.4.2-3ubuntu0.18.04.3

Ubuntu Security Notice USN-5904-2

Ubuntu Security Notice 5965-1 - It was discovered that TigerVNC mishandled TLS certificate exceptions. An attacker could use this vulnerability to impersonate any server after a client had added an exception and obtain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5965-1March 21, 2023tigervnc vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 ESMSummary:TigerVNC could be made to expose sensitive information over the network.Software Description:- tigervnc: High-performance, platform-neutral implementation of VNC Details:It was discovered that TigerVNC mishandled TLS certificate exceptions. Anattacker could use this vulnerability to impersonate any server after a clienthad added an exception and obtain sensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 ESM:  tigervnc-common                 1.10.1+dfsg-3ubuntu0.1+esm2  tigervnc-scraping-server        1.10.1+dfsg-3ubuntu0.1+esm2  tigervnc-standalone-server      1.10.1+dfsg-3ubuntu0.1+esm2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5965-1  CVE-2020-26117

Ubuntu Security Notice USN-5965-1

Ubuntu Security Notice 5806-3 - USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem for Ubuntu 20.04 LTS. Hiroshi Tokumaru discovered that Ruby did not properly handle certain user input for applications which generate HTTP responses using cgi gem. An attacker could possibly use this issue to maliciously modify the response a user would receive from a vulnerable application.

=========================================================================  
Ubuntu Security Notice USN-5806-3  
March 20, 2023

ruby2.7 vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Ruby could allow for internet traffic to be modified if  
a vulnerable application processed malicious user input.

Software Description:  
- ruby2.7: Object-oriented scripting language

Details:

USN-5806-1 fixed vulnerabilities in Ruby. This update fixes the problem  
for Ubuntu 20.04 LTS.

Original advisory details:

 Hiroshi Tokumaru discovered that Ruby did not properly handle certain  
 user input for applications which generate HTTP responses using cgi gem.  
 An attacker could possibly use this issue to maliciously modify the  
 response a user would receive from a vulnerable application.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  libruby2.7                      2.7.0-5ubuntu1.8  
  ruby2.7                         2.7.0-5ubuntu1.8

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5806-3  
  https://ubuntu.com/security/notices/USN-5806-1  
  CVE-2021-33621

Package Information:  
  https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.8

Ubuntu Security Notice USN-5806-3

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5376-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apache2CVE ID         : CVE-2006-20001 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690                 CVE-2023-27522Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in HTTP response splitting or denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.4.56-1~deb11u1.We recommend that you upgrade your apache2 packages.For the detailed security status of apache2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/apache2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQYqdQACgkQEMKTtsN8TjYWeQ//dwKUtLc9oKmjEmiY1QsRsSYdlzMTWA8ow63vdtGD1QU3Xb/CxPSZ22Oh8zypNP5qtk3m11JA7npd7RNPpF3Gb1V5ebIlKP7GavGBIrGOmvH31hV3IUP4HoXO/mC36BA3twAgyF12HMtdPvj+qaNguYnxXhc02Kt7kl6sq+ybtdCnRnBfJJ2KYXKqtjRedc+HJZa0gSuq9fsFbaQF1OPk1jHEO/ixHhISKhEr1mHO+eLN3soQ9gqaEG/a/0jLUm1ThiBNeK5jkmCXuIuqwwrGHG16Cl9fIKGps1Yb+ef2aJca7onA4IfyUj1d1S7VmCgFFQe+5eAgdcR77mWS8RyEP/lyItY+ifzGG6xR0EUnDgD7ApcqhZBIJCgU583Dle+sjvwgb9iSSeNwynqx58Pf4648AJSx6nNlsop4ekE4To5GvKyr/eI3HNqat9BfVtwqRu4GnnurvJFzh5n2wpRl1JbQMFMx/kxb1He5ioayRtru9guViNA3ylgnd7lbk8FEsvvzS9MM0RVivlWdzD6+FVFHaWoCcwzv+0dFD6iiG5MJMGUr0pElw+juAs6bnKCCoEHU4HK0rKHlVeB6E3Ch7yF+b6PvzZqCqcOE6RB5/I2Nu9S3L78cZWRUnKXf/WHf3Lw+DCB8QKWUBuo0WjkFjmEe/oUCWHGt/UbtXGbSM+E=Bi/w-----END PGP SIGNATURE-----

Debian Security Advisory 5376-1

Red Hat Security Advisory 2023-1337-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1337-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1337  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.9.0-3.el9_1.src.rpm

aarch64:  
firefox-102.9.0-3.el9_1.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.aarch64.rpm  
firefox-debugsource-102.9.0-3.el9_1.aarch64.rpm  
firefox-x11-102.9.0-3.el9_1.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el9_1.ppc64le.rpm  
firefox-x11-102.9.0-3.el9_1.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el9_1.s390x.rpm  
firefox-debuginfo-102.9.0-3.el9_1.s390x.rpm  
firefox-debugsource-102.9.0-3.el9_1.s390x.rpm  
firefox-x11-102.9.0-3.el9_1.s390x.rpm

x86_64:  
firefox-102.9.0-3.el9_1.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.x86_64.rpm  
firefox-debugsource-102.9.0-3.el9_1.x86_64.rpm  
firefox-x11-102.9.0-3.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQiCLA/9EQIrsyYlouTIW0DsRrnx+P4mS8u7qXCm  
6blO6pgZSm2hzqqEw8+M8mGlq6oGrYdd9GhT2qOYr0V/y4qxHeI6mk+ebCrL3Jq1  
YlTTfd/mLR38y2n+dEXIghNSCQ2pK4oeZ9XEbQ/U05Atrd/v1YP3YBQavF3tpbxb  
yH4EXqiQfWlyHpEpIrpsG39kKtV6kN+vgm2uA0bwMgfe+bq7yIJLVWlMRwhU+414  
s8CpsXQksSgRQLJtrDdMZ/IIYgtfeb6VAful3XFCVDBmVQskuDVNhviJSoJg4tp9  
AXXdgF/dMbXn7F73j/Rvn0GVXaurryXI6GeHNVrJ1lU0KhRyp8nZbSlTz+Px6le0  
FJrEuks8//YWtR1rHTd7J2Ytef+oE0xj65WLF7sULwIgV4aDjykOUP09WQ4pmjUf  
QsWBPwfpYdTQCuT4qaA63ZXzOn1NJZs9IyUckaMxhZ8m0NI+m1a3O5zfE7xRiAN1  
/dp/Rbt6LVwc3SFxQl8QZ1ebqeg5I5fZKgLKL7w6+MWu6bgif3zd7/HqumH+CJv6  
cgMbG6ZpTOW/cXcXXJzQ18kKhlG5JZajTT3KobY5QSi//553bFD4LRfFuskRRBFK  
Ol2kQy/fzpeUfTCIolh6VJCjrZ07eiDXEIn4hETmUc/Lto3owz9vnYCaGZFKM1Rm  
VZtQOLxSsOk=GR6W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1337-01

Red Hat Security Advisory 2023-1332-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nss security update  
Advisory ID:       RHSA-2023:1332-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1332  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0767  
====================================================================  
1. Summary:

An update for nss is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support  
the cross-platform development of security-enabled client and server  
applications.

Security Fix(es):

* nss: Arbitrary memory write via PKCS 12 (CVE-2023-0767)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, applications using NSS (for example, Firefox)  
must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170377 - CVE-2023-0767 nss: Arbitrary memory write via PKCS 12

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

ppc64:  
nss-3.79.0-5.el7_9.ppc.rpm  
nss-3.79.0-5.el7_9.ppc64.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-devel-3.79.0-5.el7_9.ppc.rpm  
nss-devel-3.79.0-5.el7_9.ppc64.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64.rpm  
nss-tools-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-3.79.0-5.el7_9.ppc64le.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-devel-3.79.0-5.el7_9.ppc64le.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64le.rpm  
nss-tools-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-3.79.0-5.el7_9.s390.rpm  
nss-3.79.0-5.el7_9.s390x.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-devel-3.79.0-5.el7_9.s390.rpm  
nss-devel-3.79.0-5.el7_9.s390x.rpm  
nss-sysinit-3.79.0-5.el7_9.s390x.rpm  
nss-tools-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4d9zjgjWX9erEAQi0VA/9EDOjHMY594bv+AZ4cg4w1wAKFyh+3m+j  
jyOn0aHNkLFAXyHixGKeANhURkvQ6MG2CWVz/2idzPWvrVBMAmN26OXOJI7MmOve  
AZPPt+kK83ec+PAdNLRKDWlMXx/C7YxIDlMolC3vsHs8GFOh07sQSl+qCgCUsoqL  
wULhFZoxfjvMRM7PNsXYrjWhOQkbCZYudbp3sXhWXNcMFGttR2I51f0AVWvVl1P1  
JPwVBlEK0EphYWNncr2zQphP6zWLPyl0B0o+7O/M5a/bkXrAN13ShHv8N06Rmxry  
XFWJTk9DyPQljYK2dYJjo0N/9zDKouXwdTxuwoxPYhrFgsy+VKEFp47oFUlrzLB6  
x5pdDarqpdcOkPFNZuRjuBw2RbMozWkoy+JajW7NXFz3XYZky9B95RZSNI2lHhdQ  
cwqJ2aZSAgOJMexcxPxkiwkE4l2V82yYBEHgkf2/6/HZSoYCFZtYJKF5miPaMNYY  
nhbc2w6Z3aQ78C5jS9wqdVsJsCpVPflwRq8FXUO0bAB91VG/GvqAIdH/VhxAlXy5  
5h2g/skrFCTAR9iKE4AWm5uk1mPN/tTQa7eHY7fx/fA3cTm46Jd/5am0w8IhZHoq  
I1X6fJzE3WMg4AZ6y/BAiVSTxolLhepNy3zdCP8cpyK+aMDipPimw8rddTayiEaU  
1y2vLw5oCe4=ZIU4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1332-01

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. The 3.1.x series is the current major version of OpenSSL.

OpenSSL Toolkit 3.1.0

Red Hat Security Advisory 2023-1333-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1333-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1333  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

ppc64:  
firefox-102.9.0-3.el7_9.ppc64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64.rpm

ppc64le:  
firefox-102.9.0-3.el7_9.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el7_9.s390x.rpm  
firefox-debuginfo-102.9.0-3.el7_9.s390x.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQj81A//S6TInGACud9jWKSoJ4HAJyy2S8hpEbtK  
gCLwSk0UoRVJD9jSQu9pOBBVueCabQzeOEH3GLmHxyYdrGYnhZIxnmayn/Z704TT  
j1i5Pl+cecMUG/4gLsMbRQCB+n8wkfoWpkBK4Pk6FbyMX6ERoj2iEdFlFZ71FjyK  
LjnjiKSsMalugN3Aa0pn2WOrVWo6SLfXLkmdDc3PLtBRQsvIgrmnwOQBet7fDRlV  
dbCTfC7lRqriSZw1lvVWXWitoK0AJmhUlpLUGxXFftkCZ6hAeW23rsnsA/GwoDcT  
8phSbbkyLUu0MuPWP2KTad8dZh9MO82sIzOlZDiQac8LCv9V16k1DWDZSQV/tdFv  
rwWpv+HWGJ9uJSY0L5Tdi8KBrVlIVBDShV6p8mBHLoUcnVYhjfC6VLJ76aZDPHwb  
13mt56+xL5QTA28P+zIlp3ErYncYz4zxz0qtY4YFt5tq+JsPE+LQ36YoClDqY5A4  
8j1Uyvj0vTlXwWBns3KmpxgKOQ+V5aPh6tWH2gu/oTVB4qLcduJ8hf72gPLMCpZB  
7maVF1965oSDf1ee6BU2PRuBLWe15+jbb/CkKWKjiaOR7m1XcqHaRgQOGMOHezC0  
K3t6lwqw5OU5NCZyRdU5M6TRQoFYAHWWDC/9yhkkkZ4Q9V64kePEWQT/J+z3hFcq  
fGlU9/kXsOM=Go6C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm