Red Hat Security Advisory 2023-0483-01 - This asynchronous update patches Red Hat Fuse 7.11.1 on Karaf and Red Hat Fuse 7.11.1 on Spring Boot and several includes security fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include a server-side request forgery vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.11.1.P1 security update  
Advisory ID:       RHSA-2023:0483-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0483  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-36437 CVE-2022-46363 CVE-2022-46364   
=====================================================================

1. Summary:

A security update for Fuse 7.11.1 is now available for Red Hat Fuse on  
Karaf and Red Hat Fuse on Spring Boot. The purpose of this text-only errata  
is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This asynchronous update (7.11.1.P1) patches Red Hat Fuse 7.11.1 on Karaf  
and Red Hat Fuse 7.11.1 on Spring Boot and several includes security fixes,  
which are documented in the Release Notes document linked to in the  
References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

Installation instructions are available from the Fuse 7.11 product  
documentation page:  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration  
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching

5. References:

https://access.redhat.com/security/cve/CVE-2022-36437  
https://access.redhat.com/security/cve/CVE-2022-46363  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/updates/classification/#critical  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=7.11.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9NUUdzjgjWX9erEAQgflg//awE0J5TPmBlTtU9P84haZl/OhLThGGKk  
CBivdEesNfdN27oINbhqF7oDiINhrhvpDGoyKZT9ir+UyIN/wG3jZZO/MS39QQwW  
XCMgQlsf7PaAW7m66bAwujTlVMDaFkt6GYO97DDuF+oj2bYWuNIXnL4CzEgHO7qs  
opO+GA57f78vm4cDJQ31yFySKvE0cJ/ZXIGs40/lHx7aqqYRxWIC0Lx29Njglt+X  
+F9eoln7Di4wNCBq2AgBt6UUWj1t+2tyUW1AOQHV3u446MUmdlldEXxjT35MnnT7  
e9Xp/YB8pXNX0PEQY5Lh7l76xZlgQBWHvWWT65YL1gapG5ibk/Fi8j86jszGmEp7  
VaQr2ap4hpuA7j4mHZXzI4e/g8yVUtzlRM7uzmzaeKlNjVQvra4q+WMQTrwriyV7  
qwrct1feJGeOztKVDBc7/OplpgKpuUXcQam5HiNhHHuSQFhHyHvW97wuCnhcUlfG  
e9xKzxyYcDcs8JMmOAv8xgrzN+xHbku8gQYyr4mVHoFZd2L1qMOP8Ydx4Clc/fN/  
lHHCCzuVNX+Z36nKIKU1fr4B55tEV3M/9u+hKx8sbslo4f9p+pMwatKKScwefmTr  
XXj3lMl5lLq9+RueCfA2MLxSGZgL7ECHFyjSv5lv61uDyrnTLPg4ZiQWiQSkqN08  
8/GRm6NdUPs=  
=YYEP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0483-01

The openscap project is a set of open source libraries that support the SCAP (Security Content Automation Protocol) set of standards from NIST. It supports CPE, CCE, CVE, CVSS, OVAL, and XCCDF.

OpenSCAP Libraries 1.3.7

Ubuntu Security Notice 5822-2 - USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes. It was discovered that Samba incorrectly handled the bad password count logic. It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure Channel. Greg Hudson discovered that Samba incorrectly handled PAC parsing. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets.

    ==========================================================================Ubuntu Security Notice USN-5822-2January 26, 2023samba regression==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:USN 5822-1 introduced regressions on Ubuntu 20.04 LTS.Software Description:- samba: SMB/CIFS file, print, and login server for UnixDetails:USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTSintroduced regressions in certain environments. Pending investigation ofthese regressions, this update temporarily reverts the security fixes.We apologize for the inconvenience.Original advisory details:  It was discovered that Samba incorrectly handled the bad password count  logic. A remote attacker could possibly use this issue to bypass bad  passwords lockouts. This issue was only addressed in Ubuntu 22.10.  (CVE-2021-20251)   Evgeny Legerov discovered that Samba incorrectly handled buffers in  certain GSSAPI routines of Heimdal. A remote attacker could possibly use  this issue to cause Samba to crash, resulting in a denial of service.  (CVE-2022-3437)   Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos  keys. A remote attacker could possibly use this issue to elevate  privileges. (CVE-2022-37966, CVE-2022-37967)   It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure  Channel. A remote attacker could possibly use this issue to elevate  privileges. (CVE-2022-38023)   Greg Hudson discovered that Samba incorrectly handled PAC parsing. On  32-bit systems, a remote attacker could use this issue to escalate  privileges, or possibly execute arbitrary code. (CVE-2022-42898)   Joseph Sutton discovered that Samba could be forced to issue rc4-hmac  encrypted Kerberos tickets. A remote attacker could possibly use this issue  to escalate privileges. This issue only affected Ubuntu 20.04 LTS and  Ubuntu 22.04 LTS. (CVE-2022-45141)   WARNING: The fixes included in these updates introduce several important  behavior changes which may cause compatibility problems interacting with  systems still expecting the former behavior. Please see the following  upstream advisories for more information:   https://www.samba.org/samba/security/CVE-2022-37966.html  https://www.samba.org/samba/security/CVE-2022-37967.html  https://www.samba.org/samba/security/CVE-2022-38023.htmlUpdate instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   samba                           2:4.13.17~dfsg-0ubuntu1.20.04.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5822-2   https://ubuntu.com/security/notices/USN-5822-1   https://launchpad.net/bugs/2003867, https://launchpad.net/bugs/2003891Package Information:   https://launchpad.net/ubuntu/+source/samba/2:4.13.17~dfsg-0ubuntu1.20.04.5

Ubuntu Security Notice USN-5822-2

Micro Focus GroupWise is a messaging software for email and personal information management. Trovent Security GmbH discovered that the GroupWise web application transmits the session ID in HTTP GET requests in the URL when email content is accessed. The exposed session ID can be recorded in the browser history of the client and in log files of the web server or reverse proxy server. A possible attacker with access to the browser history or the server log files is able to take control of the user session with the help of the session ID. Versions prior to 18.4.2 are affected.

# Trovent Security Advisory 2203-01 #  
#####################################

Micro Focus GroupWise transmits session ID in URL  
#################################################

Overview  
########

Advisory ID: TRSA-2203-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2203-01  
Affected product: Micro Focus GroupWise  
Affected version: prior to 18.4.2  
Vendor: Micro Focus, https://www.microfocus.com  
Credits: Trovent Security GmbH, Stefan Pietsch

Detailed description  
####################

Micro Focus GroupWise is a messaging software for email and personal information  
management.  
Trovent Security GmbH discovered that the GroupWise web application transmits  
the session ID in HTTP GET requests in the URL when email content is accessed.  
The exposed session ID can be recorded in the browser history of the client and  
in log files of the web server or reverse proxy server.  
A possible attacker with access to the browser history or the server log files  
is able to take control of the user session with the help of the session ID.

Severity: Medium  
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
CVE ID: CVE-2022-38756  
CWE ID: CWE-598

Proof of concept  
################

Simplified HTTP request:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
GET /attachment?session=<SESSIONID>&id=... HTTP/1.1  
Host: <HOSTNAME>  
...  
X-User-Agent: GroupWise Web (18.4.0-139604)  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution / Workaround  
#####################

The vendor released a fixed version of GroupWise.

Fixed in version 18.4.2.

History  
#######

2022-03-30: Vulnerability found  
2022-08-05: Vendor contacted  
2022-10-31: Contacted vendor again  
2022-11-01: Vendor replied that the vulnerability will be investigated  
2022-11-14: Vendor contacted, asking for status  
2022-11-16: Vendor replied that a security bulletin is being prepared  
2022-12-06: Vendor published security bulletin  
2023-01-27: Advisory published

Micro Focus GroupWise Session ID Disclosure

Red Hat Security Advisory 2023-0476-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0476-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0476  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598   
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602   
                   CVE-2023-23603 CVE-2023-23605   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.7.1-1.el9_1.src.rpm

aarch64:  
thunderbird-102.7.1-1.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el9_1.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L//dzjgjWX9erEAQh2Ag//Z+GUFhiFqY66raAqH14e824fGrVsTUgT  
JAwhqw8/ku5/JGsOC9WRdXpSPXPH9TrR1c0d2wZqB574eGxYJf2tNJFZCaq5YaGo  
KkBnR35OQA2aXmAB8jaRrsaYkL/MjJyQbbg6EnI/ho8d+f2CDLQvyCOkf95FTdop  
jWPGv/99d7x0nIfJzqlCSJzTH8W5yx+dhpRu1R5Y3D6RrrQ2wL+0C6aa4CRjq75M  
acvpva3zgXdqy7vztBQoXO4j2Ov8WOGkSd5mLhVKbTxjikcBn0krKMOOodz4Zwil  
LdCZ99dFs97g65Feb+8R+KT5WhFlG+rBQjtmYGTIweNDphzEgAiKMOVN8IARLxEs  
QxoceVv13CIU6aW5jVSb4wDxt3hdRA6OGwHod+veoTc25A/dqGMf/CXkPsXNG0so  
z+eV4QfxVqywifLqEyFBaq0ySM1aRY6EAbzVfBW+UzwW7SoqyKxzFoMgsoxlrtiQ  
ID5y2c14Rd/TEPZaQhRtzAAUL85cFYhT7Kjg71pnk9s0YdLOpZzkhjc9k5leQe+v  
v/woJfMmV/f/lt2dm0NW1broHmzSEnJ/SWzEjBzBggu0cHodyn4pWZnVixO4cIRT  
4YeDncrfkN7GihXPa7UjIJuCclYBgZHRLCGDqjgD0Gbh4gobTheD0py0byYUsqGO  
pswTQTOkxDY=  
=PlBp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0476-01

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5329-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2022-3094 CVE-2022-3736 CVE-2022-3924Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service against named.For the stable distribution (bullseye), these problems have been fixed inversion 1:9.16.37-1~deb11u1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxg4ACgkQEMKTtsN8TjaEyw//bjGBSD6QFX5xfkXzm4fHKEBnl3/yg0z+p6ml3xGQQJaBzwljn4J2McGxxtCsgOVTyyvy/uocUsK4X1LZk8kGfbbiGN+63o2PoADX76bPhbv69CiRxd1NRnprSMLsJyBHaiB8TFPFBnPz//Q7KY9KvhzUbv/g4ocIYmlrxUZiZmmyJB8kJ3lzFJIBzThlcmnCLHjs4IDF516BJMywxYnsnSRc0G73jB1zlcmBB0loYpD3U434C+pUCMKkrpYPeBFZHGikpYs7x+lJ95WmggYtoNjz0iPwpK1hd2vvM1rxr93jARKMTlKh5OMtljIK67NQeKfyojd4Uva49SAVYuo38MCLO2H4NEPPoEh+OGUJBgCagvwgye+GPOM+c++Ii9LNqNdwEThG2WVVP4f/Hore27l4lswGICLk9662lSJsAnZtdTQUSvFbeI8k8ne/2bvYrkZbCWDv8gPhLlCa6c80zag+ZzhOAvghBfj7AbRch/7feqe+RYAJ4qPuHmEokpxGL9gboa/4y3YJeCSKv13xXbz13FJyPMpsfiLVCp6ajhE1iVL3Trkr4rUGGmQVXClsBrDibeIu5YQvqnBtTZckrt8WoKo7GedrZxu/vrAqtwQVsL+7UrNUQbZLcTTLwZRc/RRegsHBqptYu/+joV+8ndQ9G2wX/35ss8hd+uQ2wvE==/JXy-----END PGP SIGNATURE-----

Debian Security Advisory 5329-1

Red Hat Security Advisory 2023-0481-01 - Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. This advisory contains bug fixes and enhancements to the Submariner container images.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Submariner 0.12.3 - security update and bug fix  
Advisory ID:       RHSA-2023:0481-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0481  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-32149   
=====================================================================

1. Summary:

Submariner 0.12.3 packages that fix various bugs and add various  
enhancements that are now available for Red Hat Advanced Cluster Management  
for Kubernetes version 2.5.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Submariner enables direct networking between pods and services on different  
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source  
community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner  
container images.

Major bug addressed: 

ACM-2318: Submariner gateway node: Error updating load balancer with new  
hosts map

Security fix:

* CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage  
takes a long time to parse complex tags

3. Solution:

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/add-ons/add-ons-overview#submariner-deploy-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.jboss.org/):

ACM-2318 - Submariner gateway node: Error updating load balancer with new hosts map

6. References:

https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/+tzjgjWX9erEAQiAkBAAgFGVRsLKFwitm8caXqJWJO+vkYy7NHUW  
YUsJ8hSkTIo4JOD29ARdXZXabZnvNWogGZYfOXI+kTKyE1Ojz+PmXfSl5j4/iETo  
OZzxX03BpoetYwWf6Q2V/kT+jTR2+X63G0SNLIWiLrTuqdF0aJ6ZSs5ptPGW8ovq  
fsBtHua2002yBSqQ1SgSQGB/Lj980+A4lC580NbcmbeFYicaUTibr76NTYQXXmWf  
PSCs08wYZ8XaIOdQM5myr/6KOoYAzx3GGMnrRg8t6jJVp0ss4Yf6rMbKUFGrZbT6  
ZKaU6kgOU1hCN8yuHn9OTtt/nibVzowzb0O545a9dZ8/cma5r9gr31pzrB5tty5O  
1ah0pYPfb4YPHnXwSJiGjcmlpfdyhG+xG+9znbLme/Cf+aNE8bkxvZRGMPXQYQps  
94N37bzFtf/Po3LrgM9RtpAHUIylQ5sLBgvhK5aOkdZR/D7Gufp/CbsEzDvNU82a  
kctOka+4GY65ZuT0zNi6XV87RYCGBV18eH81j+8KNHkseNRvHuegRV61BiOAqpom  
DWyp8UyQFksZwFR/u+MpjSgFWSBtABj4KoBBASm5+QKvXS18/9FnWjqLOEts9BXQ  
0S8IR18iEZblEfkDcQPtXNqkq8fSlx9SIJVT8BcYRVVajFZw+7vWlU1Q5WwpmeBZ  
U5Wpzu1l6Ks=  
=VmQk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0481-01

Apple Security Advisory 2023-01-24-1 - tvOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-24-1 tvOS 16.3

tvOS 16.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213601.

AppleMobileFileIntegrity  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Maps  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

Safari  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Weather  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPQS+MACgkQ4RjMIDke  
Nxl2xhAAu5swycPjzTAolynfVnOR8FvGiVeCUFfn2JpEFVXRiIMcZgQga7bb7cEk  
0Abcm9FfLAq4z7SBTXh9csi1erT0bbT2/DK8PhEDsZz9MInzxXUTN9+ZrWlN/PLJ  
ZIQZh1gwUGkf31DAaBQ15QYo6XukzwV++t1AkeY5CQsTEXf/rJhYH7E3kNWsqj+5  
B6vAw0Xw7hLsZwfAv7W2khhLtiBa5sxtuJKRPJ/4xjBKfWZaeVjjgsTC0LLUN/3l  
qxFI8H4QxQPxXtAt2O2wPGnR3WhfmDlGqgnYkj4IM8FlRnGedpD5O/kPoZNzRtKt  
z7pRORoHD+o3KOY3UkRZ19sJEWEkeWJxHO6htRf/IsgbX1/eQJnIqSuOeLRJ3EDY  
xCTUfiTU0NU3Iy/iDgpwllq4oU8rYeFJiPU4RNzndX+Z3+V/Tu9mc3rBax3A8gGi  
bN5dKB0bGNCV2MnOlpuy5E7u56cfMlH04Gtj0j8L05t9yxYKiCuBVNBL0KjJB/cF  
wjAl0ZoK8auWTDFKPJHGRGWtqR0svrV4qw5lPpQc+w26+xh8LHL8HzHr+pxHEZ75  
4CUxi9L7w4hWieZgHNyWUj4xIlqhrefk+M6QqwxwwKSB/z2eiaOBHSCaKDOvg9JU  
6w6VML1ezs/zpC5H0//PXTqK2o8XkaBNKQ0Ljx6zejIVwFbwHVQ=  
=WvwW  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-24-1

PHPJabbers Car Rental Script version 3.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : PHPJabbers.com                                                             ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Car Rental Script 3.0                                           ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpPOST parameter 'hour_from' is vulnerable to SQLIPOST parameter 'minutes_to' is vulnerable to SQLIdate_from=27.01.2023&hour_from=[INJECT-HERE]&minutes_from=00&date_to=28.01.2023&hour_to=09&minutes_to=[INJECT-HERE]&pickup_id=4&same_location=1POST parameter 'col_name' is vulnerable to SQLIindex.php?controller=pjFront&action=pjActionLoadCars&session_id=9j5lonhuljjtcpff7l1qjq5a85&type_id=all&transmission=&col_name=total_price&direction=asc[-] Done

PHPJabbers Car Rental Script 3.0 SQL Injection

Red Hat Security Advisory 2023-0208-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2023:0208-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0208  
Issue date:        2023-01-26  
CVE Names:         CVE-2023-21830 CVE-2023-21843   
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper restrictions in CORBA deserialization (Serialization,  
8285021) (CVE-2023-21830)

* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Leak File Descriptors Because of  
ResolverLocalFilesystem#engineResolveURI() (BZ#2139705)

* Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362)  
[rhel-8] (BZ#2159910)

* solr broken due to access denied ("java.io.FilePermission"  
"/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] (BZ#2163595)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2139705 - Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() [rhel-8.7.0.z]  
2159910 - Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362) [rhel-8] [rhel-8.7.0.z]  
2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742)  
2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)  
2163595 - solr broken due to access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] [rhel-8.7.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b09-2.el8_7.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b09-2.el8_7.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21830  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/99zjgjWX9erEAQh6/w//RI9EX2stArR4n/6NtrZFHBZEZrqbjRva  
6TJ1TC1lihoGmXbnDPeFJyh6MQx06+bqJsjVM8pYOkJKqNUmEulvWXPoN7ZSKoF4  
EKcuYOTGrKXBK0DQxK20cHnDCQU+ky2DHeIEQkdwR8P54UV47VIidc2dFbVtKgUS  
1vBpE8UZIfHIiLvfdAQ4GJN9i3SRYMT59yqcO8NRXx4y9HRHcWygCwJDBhT1f/iR  
Bhw3wMbdnb7xIxNVFHP4FTg+z6/50sZn2HP7ps+fzDQzCCB8XLKtPIc/ACkoegDg  
9kA5FS76AG68ILfPD15DEi/9qPQEvg3B0XjT9yl2EQimgraJg3CAfYDwdF3duZQd  
GORSP7R/tyCIKXkBccMcyKJ0ekNCuvgjMwmKrRdA41JcVnHqWQRQ75b8D6Lx/J1e  
0ILZlmTQkWWlyGISpV70jbkn+8RwBPDAGwoZa3Hf9CvKsv+XyprN2hztCEy7ZPRn  
Cb0Ccsuok2dmbJ07EQKo9CXNfZ/3ghAOk3fz+FR+lrFAnpzm/35TlVAGmXv4wKNS  
/PrNCaxOTr+SxR6SjLWS51UWMG+p310VBeACL8cjO67yEMboezamKezSrvjtBMPZ  
dhU56pCX1hknTxOQ6GZpUUHAX2Exk1tcuoygeeTufs2Vy5fyDU9bd05VUj+htQH4  
hKYGWAz0KmQ=  
=EqEP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm