Red Hat Security Advisory 2022-8067-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include buffer overflow, denial of service, information leakage, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: httpd security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8067-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8067  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-22719 CVE-2022-22721 CVE-2022-23943  
                   CVE-2022-26377 CVE-2022-28614 CVE-2022-28615  
                   CVE-2022-29404 CVE-2022-30522 CVE-2022-30556  
                   CVE-2022-31813  
====================================================================  
1. Summary:

An update for httpd is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

The following packages have been upgraded to a later upstream version:  
httpd (2.4.53). (BZ#2079939)

Security Fix(es):

* httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)

* httpd: mod_lua: Use of uninitialized value of in r:parsebody  
(CVE-2022-22719)

* httpd: core: Possible buffer overflow with very large or unlimited  
LimitXMLRequestBody (CVE-2022-22721)

* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

* httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)

* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)

* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism  
(CVE-2022-31813)

* httpd: Out-of-bounds read via ap_rwrite() (CVE-2022-28614)

* httpd: Out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)

* httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds  
2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody  
2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody  
2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using SetEnv or PassEnv. Needs documentation.  
2075406 - httpd.conf uses icon bomb.gif for all files/dirs ending with core  
2079939 - httpd rebase to 2.4.53  
2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling  
2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()  
2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()  
2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody  
2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability  
2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets  
2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism  
2095838 - mod_mime_magic: invalid type 0 in mconvert()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9.src.rpm

aarch64:  
httpd-2.4.53-7.el9.aarch64.rpm  
httpd-core-2.4.53-7.el9.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9.aarch64.rpm  
httpd-devel-2.4.53-7.el9.aarch64.rpm  
httpd-tools-2.4.53-7.el9.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9.aarch64.rpm  
mod_ldap-2.4.53-7.el9.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9.aarch64.rpm  
mod_lua-2.4.53-7.el9.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9.aarch64.rpm  
mod_session-2.4.53-7.el9.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9.aarch64.rpm  
mod_ssl-2.4.53-7.el9.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9.noarch.rpm  
httpd-manual-2.4.53-7.el9.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9.ppc64le.rpm  
httpd-core-2.4.53-7.el9.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9.ppc64le.rpm  
httpd-devel-2.4.53-7.el9.ppc64le.rpm  
httpd-tools-2.4.53-7.el9.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9.ppc64le.rpm  
mod_ldap-2.4.53-7.el9.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9.ppc64le.rpm  
mod_lua-2.4.53-7.el9.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9.ppc64le.rpm  
mod_session-2.4.53-7.el9.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9.ppc64le.rpm  
mod_ssl-2.4.53-7.el9.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9.s390x.rpm  
httpd-core-2.4.53-7.el9.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9.s390x.rpm  
httpd-debugsource-2.4.53-7.el9.s390x.rpm  
httpd-devel-2.4.53-7.el9.s390x.rpm  
httpd-tools-2.4.53-7.el9.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9.s390x.rpm  
mod_ldap-2.4.53-7.el9.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9.s390x.rpm  
mod_lua-2.4.53-7.el9.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9.s390x.rpm  
mod_proxy_html-2.4.53-7.el9.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9.s390x.rpm  
mod_session-2.4.53-7.el9.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9.s390x.rpm  
mod_ssl-2.4.53-7.el9.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9.x86_64.rpm  
httpd-core-2.4.53-7.el9.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9.x86_64.rpm  
httpd-devel-2.4.53-7.el9.x86_64.rpm  
httpd-tools-2.4.53-7.el9.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9.x86_64.rpm  
mod_ldap-2.4.53-7.el9.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9.x86_64.rpm  
mod_lua-2.4.53-7.el9.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9.x86_64.rpm  
mod_session-2.4.53-7.el9.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9.x86_64.rpm  
mod_ssl-2.4.53-7.el9.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-22719  
https://access.redhat.com/security/cve/CVE-2022-22721  
https://access.redhat.com/security/cve/CVE-2022-23943  
https://access.redhat.com/security/cve/CVE-2022-26377  
https://access.redhat.com/security/cve/CVE-2022-28614  
https://access.redhat.com/security/cve/CVE-2022-28615  
https://access.redhat.com/security/cve/CVE-2022-29404  
https://access.redhat.com/security/cve/CVE-2022-30522  
https://access.redhat.com/security/cve/CVE-2022-30556  
https://access.redhat.com/security/cve/CVE-2022-31813  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMbtzjgjWX9erEAQi+FhAAo5TZLQhEKcVKirhu9FgTXKvVgAVNerft  
atmEk68++cjisOUIJI8bzD9lQ+DmRF9pjlSG0kVB64UkRAIEvT/MLq1kN4I0qTIm  
LrjjA+qV6NYVuZCd178OXR/Qn1W8/iUfjC/W6UMGp8306n1aggcOY/kzrSlX2ZWU  
ftQDrAPbUGqAWFwTK8eAlW9VlVOzD+6AHb00ew2yFkjFjCic0EPAz0kwoGMm4oGi  
PrPhzIUra8vvgTuYJN1p2Ypkt6sFFOVBqJwL116tGv63F0PqRzUfiKgqvfH16HuT  
VUcFgYV+05osb6bpQclNW4dLwCzpNcGCEwkEmZgYNGyetI2O8+6HFn+MdJna+uYO  
mykzjAXz1tyzx8RnEexR/4E4aLWQKcr1YM27CE5NVAGgqxaf+6SCiCV5NvT/3vFk  
KjKwQPUrb8SWHbWf6mxC6xInx9Iy6c6Ag4K1pk09fr7XjyZ9/GeFbbe08nirZm8a  
xSs4jQIhfRzW7wsKqEjd6eNW+QeD1qKFuGiLMSN6+2km7AUTTcTIfVd7orMY/v4Q  
WD++Xe+my6LHthH2+qYGWyc+oEp3DChQbka71X07iqVCqkKzQj9sE2GdbcTeAj6/  
pInRoDF8ZuZv3TPFn+BQ12C3WZ0HzlXF/MDs6fG+iZkIPrgukj1EfauoY11JoJNd  
wTPRPoUAq9w=hHrA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8067-01

Red Hat Security Advisory 2022-8057-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include cross site request forgery, cross site scripting, denial of service, information leakage, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: grafana security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8057-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8057  
Issue date:        2022-11-15  
CVE Names:         CVE-2021-23648 CVE-2022-1705 CVE-2022-1962  
                   CVE-2022-21673 CVE-2022-21698 CVE-2022-21702  
                   CVE-2022-21703 CVE-2022-21713 CVE-2022-28131  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148  
====================================================================  
1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor  
for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version:  
grafana (7.5.15). (BZ#2055349)

Security Fix(es):

* sanitize-url: XSS due to improper sanitization in sanitizeUrl function  
(CVE-2021-23648)

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)

* grafana: Forward OAuth Identity Token can allow users to access some data  
sources (CVE-2022-21673)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

* grafana: XSS vulnerability in data source handling (CVE-2022-21702)

* grafana: CSRF vulnerability can lead to privilege escalation  
(CVE-2022-21703)

* grafana: IDOR vulnerability can lead to information disclosure  
(CVE-2022-21713)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources  
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2050648 - CVE-2022-21702 grafana: XSS vulnerability in data source handling  
2050742 - CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation  
2050743 - CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure  
2055349 - Rebase of Grafana in RHEL 9.1  
2065290 - CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function  
2104367 - CVE-2022-31107 grafana: OAuth account takeover  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
grafana-7.5.15-3.el9.src.rpm

aarch64:  
grafana-7.5.15-3.el9.aarch64.rpm  
grafana-debuginfo-7.5.15-3.el9.aarch64.rpm

ppc64le:  
grafana-7.5.15-3.el9.ppc64le.rpm  
grafana-debuginfo-7.5.15-3.el9.ppc64le.rpm

s390x:  
grafana-7.5.15-3.el9.s390x.rpm  
grafana-debuginfo-7.5.15-3.el9.s390x.rpm

x86_64:  
grafana-7.5.15-3.el9.x86_64.rpm  
grafana-debuginfo-7.5.15-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23648  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-21673  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-21702  
https://access.redhat.com/security/cve/CVE-2022-21703  
https://access.redhat.com/security/cve/CVE-2022-21713  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMc9zjgjWX9erEAQi0HA/8Cyww+6XfCKlKLVfnpNcj1p0tXUTvcjnS  
OnnlUiQjXS44wBO73RbGWZL0FSZf3kjIEmzm20Tq6NZJ1K3Krw709BLd6ijx/uDi  
QoROhHbujrLa52FUEl5pQspiE8gtLRX/DfxtV8dQcCsDD5ocUarOoT661wFoxipy  
SsV9AZLw971eoGgYEeB7iD9pgnUZqATMqf75bLxMgBd8RgHT7VkheOckS+ThJrTy  
UhVXyORoLaMvbFdvcLn/U3B+ocRiEvEICQ3yFW7GkvElMEawQr1f7TSHSqAiGB3G  
IYiAV13YsatkPes+VQFiHBxKLkXuCPUJn1V0zovrfQI96gEGWsm4k9p6DogweNyK  
jQ67cjLzkBKYQoLI77NhV19dsvMjct4bQWMiVSVkdWRNECAXFyxIdndR/DalEydm  
GDXzyk8CLWRXm5l/149RhOfbIoVPqe9b/lzMZGF/TGvi/Fl+m3hPXSB0STgiCXSD  
0bNAscp6a+GEf+m4J+rf/fjePuSjYU4noUiWzL7mkZs9v/W7JGz67+h8SPRIVnH6  
65rurVnpCVgie5ObFV2WKCmkCL1q1yBTwSVIfaRL60c+Za8eRZzjA9+t+3A2mbBs  
l3oUVRAea2zLk3qXmaLbT/vAA49MClAd4IQw8OOAy1Zs2B8Yg/CyclKvgXnGcMCM  
cIsuNoeU9+M=CKDa  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8057-01

Red Hat Security Advisory 2022-8011-01 - FriBidi is a library to handle bidirectional scripts, so that the display is done in the proper way, while the text data itself is always written in logical order. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: fribidi security update  
Advisory ID:       RHSA-2022:8011-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8011  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-25308 CVE-2022-25309 CVE-2022-25310  
====================================================================  
1. Summary:

An update for fribidi is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

FriBidi is a library to handle bidirectional scripts (for example Hebrew,  
Arabic), so that the display is done in the proper way, while the text data  
itself is always written in logical order.

Security Fix(es):

* fribidi: Stack based buffer overflow (CVE-2022-25308)

* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode  
(CVE-2022-25309)

* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2047890 - CVE-2022-25308 fribidi: Stack based buffer overflow  
2047896 - CVE-2022-25309 fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode  
2047923 - CVE-2022-25310 fribidi: SEGV in fribidi_remove_bidi_marks

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
fribidi-1.0.10-6.el9.2.src.rpm

aarch64:  
fribidi-1.0.10-6.el9.2.aarch64.rpm  
fribidi-debuginfo-1.0.10-6.el9.2.aarch64.rpm  
fribidi-debugsource-1.0.10-6.el9.2.aarch64.rpm  
fribidi-devel-1.0.10-6.el9.2.aarch64.rpm

ppc64le:  
fribidi-1.0.10-6.el9.2.ppc64le.rpm  
fribidi-debuginfo-1.0.10-6.el9.2.ppc64le.rpm  
fribidi-debugsource-1.0.10-6.el9.2.ppc64le.rpm  
fribidi-devel-1.0.10-6.el9.2.ppc64le.rpm

s390x:  
fribidi-1.0.10-6.el9.2.s390x.rpm  
fribidi-debuginfo-1.0.10-6.el9.2.s390x.rpm  
fribidi-debugsource-1.0.10-6.el9.2.s390x.rpm  
fribidi-devel-1.0.10-6.el9.2.s390x.rpm

x86_64:  
fribidi-1.0.10-6.el9.2.i686.rpm  
fribidi-1.0.10-6.el9.2.x86_64.rpm  
fribidi-debuginfo-1.0.10-6.el9.2.i686.rpm  
fribidi-debuginfo-1.0.10-6.el9.2.x86_64.rpm  
fribidi-debugsource-1.0.10-6.el9.2.i686.rpm  
fribidi-debugsource-1.0.10-6.el9.2.x86_64.rpm  
fribidi-devel-1.0.10-6.el9.2.i686.rpm  
fribidi-devel-1.0.10-6.el9.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25308  
https://access.redhat.com/security/cve/CVE-2022-25309  
https://access.redhat.com/security/cve/CVE-2022-25310  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMdtzjgjWX9erEAQiawBAAhv67WtXYKZVF00wsIwbaDm55oz1dHi+R  
TzmJ5fIwJQ6PTl9Yai+9vlVIRJ6v3CJGvQkhzKL2ajua4XWPEKOuxNgGWuXe07DY  
A3IMmpSGcu4Xjbi827k0aDs1DHUcrfSbNe6J41Tsk2QceNXjkuaxfS8wr5jBXc94  
T1yTKxaKCXuBhZNXjYhPXqyjdCcKvw625aRYmPnk3y2Ogt+Kr5eNqRogTQgg9qzn  
YEb0ysLVGf3DzmO8x5AvPbgwMiS/WsX+P12eF747kyHjzC8oONN1qyCZ02L1yudq  
CvGww/rxyKlzfAmhMqJDlta7ADIzTdiw6KN5h189esPpL0KK1qMDb50xCNmmx4Yx  
U7N3ScfBSP+Ws/JHTRLjbKUsCKkUm/8SH60eBkzMOwOnAZL+1dsVYxTonOpBX3gD  
CD9+6N9YmZGfcp4wnEEDNYafChJezwnrs/sAPLWvMkE7GvplKkue12fbPKI+yXdZ  
JPhY4A6XlYBuw0kXuwQCcCJ2BtwVyW8rWVSRj0YSXtNRjrrHsZTZlLSkIw4PaWn8  
lzsp4RzRxlfJRRbwfs4AGwMpDjNHDdGa3Onnp8kbpHtfFA21D4tj2/tfzUJ+IZeW  
I2V/9ZAj9i8qjGBsaNYonj/qXl04i6VZCxb/5W6wQoSXDxUyagRovmYxx+CD5Iu3  
nCBmB26imLwU3+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8011-01

Red Hat Security Advisory 2022-8100-01 - SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: swtpm security and bug fix update  
Advisory ID:       RHSA-2022:8100-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8100  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-23645  
====================================================================  
1. Summary:

An update for swtpm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

SWTPM is a TPM emulator built on libtpms providing TPM functionality for  
QEMU VMs.

Security Fix(es):

* swtpm: Unchecked header size indicator against expected size  
(CVE-2022-23645)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size  
2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

aarch64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

s390x:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

x86_64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23645  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMXtzjgjWX9erEAQgHDA/+OMR2sFGbdP6hED6vJ/mp7wcx8xDO2fcl  
lUsbNs1WXDZ8N0ZFoQNN/iqXOE4f3YtliWHcFQOcacIyTAyev8469r4lTRHK5+RV  
KcQOOvdvVeibxvjR1bQS5hMZET+FWxfcQawVkTZjse6Osef6I3GF7VD5QoSbDI2B  
Lgj9SdvshnG2goTyLpwE9ZFUIyUhWy1CVDEGOFoeLk1zkJFMerkWb/FeQa2yCOxZ  
hPx1d3NIOH6V+bYYRl1owf9SpS/DhQJ7sCsay3zwz8uzjqzSX3x2cnj1U1LgCQ66  
RkP3T1CHY9uRd3T7WT0oAGj4uodtXjf8+64ZgNBKqtv/2Ls7aZciIvRb1xwNVGc2  
fOTSdv3zRPBwoIlxRiCxuqr5kDj3+9b9rGu1xqkedEt+736XaBcQ6uD6gHjFS41R  
2KWxQ/Db0DetUyZc99atVs9YcP5YPqI+XbQWNJaGPmLR3JaZ8JAQTNEQWAKMXQD/  
EPnoPYY8sgmZGDnzZb04IcnYIfvzj3DLWm0JB3cORwawvL1SulFhoikEuJ9DEKPG  
uIhE1nwHfGUlMmIMAbk0dPzoDt80gZMr4nHlWfEUOwCUQrQw6O67Nr9JNd32bwAW  
T77tKs+HriSXYQ9isoaGFnlVsVH965tEte1pHna3YqNznR3GC6Hh072gfJXWf/qx  
XpYcV7g6aB0=l7Di  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8100-01

Red Hat Security Advisory 2022-7978-01 - The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Issues addressed include buffer overflow and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: gimp security and enhancement update  
Advisory ID:       RHSA-2022:7978-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7978  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-30067 CVE-2022-32990  
====================================================================  
1. Summary:

An update for gimp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The GIMP (GNU Image Manipulation Program) is an image composition and  
editing program. GIMP provides a large image manipulation toolbox,  
including channel operations and layers, effects, sub-pixel imaging and  
anti-aliasing, and conversions, all with multi-level undo.

Security Fix(es):

* gimp: buffer overflow through a crafted XCF file (CVE-2022-30067)

* gimp: unhandled exception via a crafted XCF file may lead to DoS  
(CVE-2022-32990)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2087591 - CVE-2022-30067 gimp: buffer overflow through a crafted XCF file  
2103202 - CVE-2022-32990 gimp: unhandled exception via a crafted XCF file may lead to DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
gimp-2.99.8-3.el9.src.rpm

aarch64:  
gimp-2.99.8-3.el9.aarch64.rpm  
gimp-debuginfo-2.99.8-3.el9.aarch64.rpm  
gimp-debugsource-2.99.8-3.el9.aarch64.rpm  
gimp-devel-tools-debuginfo-2.99.8-3.el9.aarch64.rpm  
gimp-libs-2.99.8-3.el9.aarch64.rpm  
gimp-libs-debuginfo-2.99.8-3.el9.aarch64.rpm

ppc64le:  
gimp-2.99.8-3.el9.ppc64le.rpm  
gimp-debuginfo-2.99.8-3.el9.ppc64le.rpm  
gimp-debugsource-2.99.8-3.el9.ppc64le.rpm  
gimp-devel-tools-debuginfo-2.99.8-3.el9.ppc64le.rpm  
gimp-libs-2.99.8-3.el9.ppc64le.rpm  
gimp-libs-debuginfo-2.99.8-3.el9.ppc64le.rpm

s390x:  
gimp-2.99.8-3.el9.s390x.rpm  
gimp-debuginfo-2.99.8-3.el9.s390x.rpm  
gimp-debugsource-2.99.8-3.el9.s390x.rpm  
gimp-devel-tools-debuginfo-2.99.8-3.el9.s390x.rpm  
gimp-libs-2.99.8-3.el9.s390x.rpm  
gimp-libs-debuginfo-2.99.8-3.el9.s390x.rpm

x86_64:  
gimp-2.99.8-3.el9.x86_64.rpm  
gimp-debuginfo-2.99.8-3.el9.i686.rpm  
gimp-debuginfo-2.99.8-3.el9.x86_64.rpm  
gimp-debugsource-2.99.8-3.el9.i686.rpm  
gimp-debugsource-2.99.8-3.el9.x86_64.rpm  
gimp-devel-tools-debuginfo-2.99.8-3.el9.i686.rpm  
gimp-devel-tools-debuginfo-2.99.8-3.el9.x86_64.rpm  
gimp-libs-2.99.8-3.el9.i686.rpm  
gimp-libs-2.99.8-3.el9.x86_64.rpm  
gimp-libs-debuginfo-2.99.8-3.el9.i686.rpm  
gimp-libs-debuginfo-2.99.8-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30067  
https://access.redhat.com/security/cve/CVE-2022-32990  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMfNzjgjWX9erEAQj5TA//bPsUi7sLSgUYBRJ4F1TTjT0sBrKPN5ZG  
FAYwxZEsez6Bxco5qckXUvJcPD8rcl6BYrA46M1dHlN9hK0jfdKxHsMg7ZSNB8BF  
A862I5hRMFXb8sBy8szLTvzHvRE5hmedH3QElCQN2EqNinVeHYSApJYLeamIkuYx  
8wf70QHGrlGJb38ddRg2hKADDJCV10k4NUepgb+UNVPDPwQCmyk2gaPD4BBplPok  
tmP908mU50IKwgwnjnw1Li7fxtrJmmZE7teogW7oAkqeFjNNtf3DUXUeqMtK0I8a  
pZlpYG2FlepWtn2SGHiAfkkwWNtQlv2suwRGBsaroyGc2zI+BLwr3/kyjTRBrYEa  
+rayYOQ7BiqGMvycIPW114adiEuYeLGa2z4u4W+lpJIDq1x3oZte2CgbxquYxjGR  
huIhgJg1ZjkJMTtOf0yhCgkgDAs9C9Uv6/GqPnokMn90bH/45REvnlAAmNU/iRfX  
TTbHugkSsdYskOMEAwtCRxMZ1JAf0FXTXJUfHcoQKsGAcde71Rf5+gukxHUm/5yU  
K5vuh4RGVQi81ewHiNRiPdL3EDS85hy11/s86UPFa87mFdDEdK73p3pB1IyO6a0X  
Wi9rvXUd/MdPTiS/HB+3T1bHMUxA4EJxYIIjF5qE3BPJoofgjfErHHugXa8jZnNq  
EqA1kj/GHYo=X7Ae  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7978-01

Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: php security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8197-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8197  
Issue date:        2022-11-15  
CVE Names:         CVE-2021-21708 CVE-2022-31625  
====================================================================  
1. Summary:

An update for php is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache  
HTTP Server.

The following packages have been upgraded to a later upstream version: php  
(8.0.20). (BZ#2095752)

Security Fix(es):

* php: Use after free due to php_filter_float() failing for ints  
(CVE-2021-21708)

* php: Uninitialized array in pg_query_params() leading to RCE  
(CVE-2022-31625)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted  
for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2055879 - CVE-2021-21708 php: Use after free due to php_filter_float() failing for ints  
2095447 - php-fpm has an odd Requires  
2095752 - Rebase to 8.0.20  
2098521 - CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE  
2104630 - PHP 8 snmp3 Calls Using authPriv or authNoPriv Immediately Return False Without Error Message

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
php-8.0.20-3.el9.src.rpm

aarch64:  
php-8.0.20-3.el9.aarch64.rpm  
php-bcmath-8.0.20-3.el9.aarch64.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-cli-8.0.20-3.el9.aarch64.rpm  
php-cli-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-common-8.0.20-3.el9.aarch64.rpm  
php-common-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-dba-8.0.20-3.el9.aarch64.rpm  
php-dba-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-dbg-8.0.20-3.el9.aarch64.rpm  
php-dbg-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-debugsource-8.0.20-3.el9.aarch64.rpm  
php-devel-8.0.20-3.el9.aarch64.rpm  
php-embedded-8.0.20-3.el9.aarch64.rpm  
php-embedded-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-enchant-8.0.20-3.el9.aarch64.rpm  
php-enchant-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-ffi-8.0.20-3.el9.aarch64.rpm  
php-ffi-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-fpm-8.0.20-3.el9.aarch64.rpm  
php-fpm-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-gd-8.0.20-3.el9.aarch64.rpm  
php-gd-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-gmp-8.0.20-3.el9.aarch64.rpm  
php-gmp-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-intl-8.0.20-3.el9.aarch64.rpm  
php-intl-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-ldap-8.0.20-3.el9.aarch64.rpm  
php-ldap-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-mbstring-8.0.20-3.el9.aarch64.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-mysqlnd-8.0.20-3.el9.aarch64.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-odbc-8.0.20-3.el9.aarch64.rpm  
php-odbc-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-opcache-8.0.20-3.el9.aarch64.rpm  
php-opcache-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-pdo-8.0.20-3.el9.aarch64.rpm  
php-pdo-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-pgsql-8.0.20-3.el9.aarch64.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-process-8.0.20-3.el9.aarch64.rpm  
php-process-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-snmp-8.0.20-3.el9.aarch64.rpm  
php-snmp-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-soap-8.0.20-3.el9.aarch64.rpm  
php-soap-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-xml-8.0.20-3.el9.aarch64.rpm  
php-xml-debuginfo-8.0.20-3.el9.aarch64.rpm

ppc64le:  
php-8.0.20-3.el9.ppc64le.rpm  
php-bcmath-8.0.20-3.el9.ppc64le.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-cli-8.0.20-3.el9.ppc64le.rpm  
php-cli-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-common-8.0.20-3.el9.ppc64le.rpm  
php-common-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-dba-8.0.20-3.el9.ppc64le.rpm  
php-dba-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-dbg-8.0.20-3.el9.ppc64le.rpm  
php-dbg-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-debugsource-8.0.20-3.el9.ppc64le.rpm  
php-devel-8.0.20-3.el9.ppc64le.rpm  
php-embedded-8.0.20-3.el9.ppc64le.rpm  
php-embedded-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-enchant-8.0.20-3.el9.ppc64le.rpm  
php-enchant-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-ffi-8.0.20-3.el9.ppc64le.rpm  
php-ffi-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-fpm-8.0.20-3.el9.ppc64le.rpm  
php-fpm-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-gd-8.0.20-3.el9.ppc64le.rpm  
php-gd-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-gmp-8.0.20-3.el9.ppc64le.rpm  
php-gmp-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-intl-8.0.20-3.el9.ppc64le.rpm  
php-intl-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-ldap-8.0.20-3.el9.ppc64le.rpm  
php-ldap-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-mbstring-8.0.20-3.el9.ppc64le.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-mysqlnd-8.0.20-3.el9.ppc64le.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-odbc-8.0.20-3.el9.ppc64le.rpm  
php-odbc-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-opcache-8.0.20-3.el9.ppc64le.rpm  
php-opcache-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-pdo-8.0.20-3.el9.ppc64le.rpm  
php-pdo-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-pgsql-8.0.20-3.el9.ppc64le.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-process-8.0.20-3.el9.ppc64le.rpm  
php-process-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-snmp-8.0.20-3.el9.ppc64le.rpm  
php-snmp-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-soap-8.0.20-3.el9.ppc64le.rpm  
php-soap-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-xml-8.0.20-3.el9.ppc64le.rpm  
php-xml-debuginfo-8.0.20-3.el9.ppc64le.rpm

s390x:  
php-8.0.20-3.el9.s390x.rpm  
php-bcmath-8.0.20-3.el9.s390x.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.s390x.rpm  
php-cli-8.0.20-3.el9.s390x.rpm  
php-cli-debuginfo-8.0.20-3.el9.s390x.rpm  
php-common-8.0.20-3.el9.s390x.rpm  
php-common-debuginfo-8.0.20-3.el9.s390x.rpm  
php-dba-8.0.20-3.el9.s390x.rpm  
php-dba-debuginfo-8.0.20-3.el9.s390x.rpm  
php-dbg-8.0.20-3.el9.s390x.rpm  
php-dbg-debuginfo-8.0.20-3.el9.s390x.rpm  
php-debuginfo-8.0.20-3.el9.s390x.rpm  
php-debugsource-8.0.20-3.el9.s390x.rpm  
php-devel-8.0.20-3.el9.s390x.rpm  
php-embedded-8.0.20-3.el9.s390x.rpm  
php-embedded-debuginfo-8.0.20-3.el9.s390x.rpm  
php-enchant-8.0.20-3.el9.s390x.rpm  
php-enchant-debuginfo-8.0.20-3.el9.s390x.rpm  
php-ffi-8.0.20-3.el9.s390x.rpm  
php-ffi-debuginfo-8.0.20-3.el9.s390x.rpm  
php-fpm-8.0.20-3.el9.s390x.rpm  
php-fpm-debuginfo-8.0.20-3.el9.s390x.rpm  
php-gd-8.0.20-3.el9.s390x.rpm  
php-gd-debuginfo-8.0.20-3.el9.s390x.rpm  
php-gmp-8.0.20-3.el9.s390x.rpm  
php-gmp-debuginfo-8.0.20-3.el9.s390x.rpm  
php-intl-8.0.20-3.el9.s390x.rpm  
php-intl-debuginfo-8.0.20-3.el9.s390x.rpm  
php-ldap-8.0.20-3.el9.s390x.rpm  
php-ldap-debuginfo-8.0.20-3.el9.s390x.rpm  
php-mbstring-8.0.20-3.el9.s390x.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.s390x.rpm  
php-mysqlnd-8.0.20-3.el9.s390x.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.s390x.rpm  
php-odbc-8.0.20-3.el9.s390x.rpm  
php-odbc-debuginfo-8.0.20-3.el9.s390x.rpm  
php-opcache-8.0.20-3.el9.s390x.rpm  
php-opcache-debuginfo-8.0.20-3.el9.s390x.rpm  
php-pdo-8.0.20-3.el9.s390x.rpm  
php-pdo-debuginfo-8.0.20-3.el9.s390x.rpm  
php-pgsql-8.0.20-3.el9.s390x.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.s390x.rpm  
php-process-8.0.20-3.el9.s390x.rpm  
php-process-debuginfo-8.0.20-3.el9.s390x.rpm  
php-snmp-8.0.20-3.el9.s390x.rpm  
php-snmp-debuginfo-8.0.20-3.el9.s390x.rpm  
php-soap-8.0.20-3.el9.s390x.rpm  
php-soap-debuginfo-8.0.20-3.el9.s390x.rpm  
php-xml-8.0.20-3.el9.s390x.rpm  
php-xml-debuginfo-8.0.20-3.el9.s390x.rpm

x86_64:  
php-8.0.20-3.el9.x86_64.rpm  
php-bcmath-8.0.20-3.el9.x86_64.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-cli-8.0.20-3.el9.x86_64.rpm  
php-cli-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-common-8.0.20-3.el9.x86_64.rpm  
php-common-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-dba-8.0.20-3.el9.x86_64.rpm  
php-dba-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-dbg-8.0.20-3.el9.x86_64.rpm  
php-dbg-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-debugsource-8.0.20-3.el9.x86_64.rpm  
php-devel-8.0.20-3.el9.x86_64.rpm  
php-embedded-8.0.20-3.el9.x86_64.rpm  
php-embedded-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-enchant-8.0.20-3.el9.x86_64.rpm  
php-enchant-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-ffi-8.0.20-3.el9.x86_64.rpm  
php-ffi-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-fpm-8.0.20-3.el9.x86_64.rpm  
php-fpm-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-gd-8.0.20-3.el9.x86_64.rpm  
php-gd-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-gmp-8.0.20-3.el9.x86_64.rpm  
php-gmp-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-intl-8.0.20-3.el9.x86_64.rpm  
php-intl-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-ldap-8.0.20-3.el9.x86_64.rpm  
php-ldap-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-mbstring-8.0.20-3.el9.x86_64.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-mysqlnd-8.0.20-3.el9.x86_64.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-odbc-8.0.20-3.el9.x86_64.rpm  
php-odbc-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-opcache-8.0.20-3.el9.x86_64.rpm  
php-opcache-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-pdo-8.0.20-3.el9.x86_64.rpm  
php-pdo-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-pgsql-8.0.20-3.el9.x86_64.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-process-8.0.20-3.el9.x86_64.rpm  
php-process-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-snmp-8.0.20-3.el9.x86_64.rpm  
php-snmp-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-soap-8.0.20-3.el9.x86_64.rpm  
php-soap-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-xml-8.0.20-3.el9.x86_64.rpm  
php-xml-debuginfo-8.0.20-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-21708  
https://access.redhat.com/security/cve/CVE-2022-31625  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMW9zjgjWX9erEAQj/kg/9GSYTpNzlEIlJZov+EWGaAKzxPB7NoVQ/  
cLTon+/fVVU0qBcxoxWA3O56UxYi8lifl62aMvFUbihLsC76QTteLAkwasjWWAyg  
Hl0/+tg6OzOaV6zmMyr/Y+RcM4+NhvQj1+ECj1sx8FXSypgOFhi7bXDM5XfjnOTh  
K+jd2LY16YBzbvf7hcOsZxqMsNANwCWIWJC8kc41ARM/FREx+cy/R3MsdmHQ+Ucn  
zr5AUORu92rUW4qgsoNcR4wzUKvhulN8ZVgix8IRh+OsDZWB/EMiKIml99pQG/Vi  
Nl/wPNOpIZHBHDOSDg0BGMJz0Z+w//mp+m9XDk0KKA3wSoH4L4tl+w6ZIunP/mr/  
CiWPnMySwdlBCIQ64D2kICErN9g63u04t8PUgQfQKiFpObiaLcYwfed1kr4dpIki  
co4nCrF6CwknSn5cDF4cp5Y3pcN/dSsd2WdLN756Ebf0osfuqh6q3Pwoc/Jfp9uG  
YAgw/kli1sjl3YiG/nfuDVJBid8kS8ylymkUSDgfii7tMHLcnLnCk7deI40qDMUa  
p28RFPjNY27uCQURvi5oUzflsDo08otNYVq0/fQhGC2UrPWglyC4ClGp2GArag06  
i3kCsjDAiyRcavAh4KcymbWsVaTDyZOeWNAEJlcko2jjFARjFtNkmoMaa98uIEmP  
PRH5jXRX0+gµpo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8197-01

Red Hat Security Advisory 2022-7928-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7928-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7928  
Issue date:        2022-11-14  
CVE Names:         CVE-2022-3787  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat  
Enterprise Linux (CVE-2022-3787)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2138959 - CVE-2022-3787 device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
device-mapper-multipath-0.8.4-28.el8_7.1.src.rpm

aarch64:  
device-mapper-multipath-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-libs-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
kpartx-0.8.4-28.el8_7.1.aarch64.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
libdmmp-0.8.4-28.el8_7.1.aarch64.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-libs-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
kpartx-0.8.4-28.el8_7.1.ppc64le.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
libdmmp-0.8.4-28.el8_7.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-libs-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
kpartx-0.8.4-28.el8_7.1.s390x.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
libdmmp-0.8.4-28.el8_7.1.s390x.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-libs-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-libs-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
kpartx-0.8.4-28.el8_7.1.x86_64.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
libdmmp-0.8.4-28.el8_7.1.i686.rpm  
libdmmp-0.8.4-28.el8_7.1.x86_64.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-devel-0.8.4-28.el8_7.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-devel-0.8.4-28.el8_7.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-devel-0.8.4-28.el8_7.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.s390x.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-devel-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-devel-0.8.4-28.el8_7.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
kpartx-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.i686.rpm  
libdmmp-debuginfo-0.8.4-28.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3787  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3I6xNzjgjWX9erEAQh/cA//fWHgFPMOQS/fLZZKehl33DnYZY3hTvLG  
5esVHpJpRuanUJJ54aM5SmEEKFTTKp3Va929HCazKTBr8sbVrJNIVTRpYmOpBWXQ  
25rrnHGYygBtBiDloQgxQYmpJCVKzWCXq48zaxsz6a7sm8eRKaP2/nUgghKA8KJb  
NclesY9SrNJqoDDbeO5RoOvPL5q3ZlzPj1m1ZyknEGsx/ynChE0n+etxR0VSHnyp  
25wFck8ZbR1lPrwk9YPOCCc8VPK5lZvBfBCOljesIEyrriasa5UAO7uRmwniqCjB  
PfE1xZxL+ms3saUigG1GrekmcMsin8f1DNm8c08t9X8IjtYxQXbaBbWxvDMCielM  
QOneatWAccQFFKe5FzJsVC1EGGOOY+l5VVUUevKVGMWZ71hagS5LiCHDy6Vy2Ku5  
A3vQAhAKmZcE98h/MwYsA7cH5UCSx5aWAITJsnek1yWMmNZZ9gpJSDyHGmSPRZrP  
82cwDMhgqmYp2oG5/BMyUqi+49bGDZN4wOdNMpYF2KGEiEUsbnkBmIkwDR/Zl1ks  
vg+A6Sms/j3SrzeQCFKyxRzhUUJAfxBLqcoG71cdVeJxTGzfSCYQ+0TN+2ZpH2Zl  
yHJYOankSUgQPWfJjFJbaD/GZpDL/OMKOR3IgLU9nalUW/cvdVFPKwrpec51qc2Z  
58XJPG/Uaeg=+XLK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7928-01

Red Hat Security Advisory 2022-7927-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: libksba security update  
Advisory ID:       RHSA-2022:7927-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7927  
Issue date:        2022-11-14  
CVE Names:         CVE-2022-3515  
====================================================================  
1. Summary:

An update for libksba is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as  
the CMS easily accessible by other applications. Both specifications are  
building blocks of S/MIME and TLS.

Security Fix(es):

* libksba: integer overflow may lead to remote code execution  
(CVE-2022-3515)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
libksba-1.3.5-8.el8_4.src.rpm

aarch64:  
libksba-1.3.5-8.el8_4.aarch64.rpm  
libksba-debuginfo-1.3.5-8.el8_4.aarch64.rpm  
libksba-debugsource-1.3.5-8.el8_4.aarch64.rpm

ppc64le:  
libksba-1.3.5-8.el8_4.ppc64le.rpm  
libksba-debuginfo-1.3.5-8.el8_4.ppc64le.rpm  
libksba-debugsource-1.3.5-8.el8_4.ppc64le.rpm

s390x:  
libksba-1.3.5-8.el8_4.s390x.rpm  
libksba-debuginfo-1.3.5-8.el8_4.s390x.rpm  
libksba-debugsource-1.3.5-8.el8_4.s390x.rpm

x86_64:  
libksba-1.3.5-8.el8_4.i686.rpm  
libksba-1.3.5-8.el8_4.x86_64.rpm  
libksba-debuginfo-1.3.5-8.el8_4.i686.rpm  
libksba-debuginfo-1.3.5-8.el8_4.x86_64.rpm  
libksba-debugsource-1.3.5-8.el8_4.i686.rpm  
libksba-debugsource-1.3.5-8.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.4):

aarch64:  
libksba-debuginfo-1.3.5-8.el8_4.aarch64.rpm  
libksba-debugsource-1.3.5-8.el8_4.aarch64.rpm  
libksba-devel-1.3.5-8.el8_4.aarch64.rpm

ppc64le:  
libksba-debuginfo-1.3.5-8.el8_4.ppc64le.rpm  
libksba-debugsource-1.3.5-8.el8_4.ppc64le.rpm  
libksba-devel-1.3.5-8.el8_4.ppc64le.rpm

s390x:  
libksba-debuginfo-1.3.5-8.el8_4.s390x.rpm  
libksba-debugsource-1.3.5-8.el8_4.s390x.rpm  
libksba-devel-1.3.5-8.el8_4.s390x.rpm

x86_64:  
libksba-debuginfo-1.3.5-8.el8_4.i686.rpm  
libksba-debuginfo-1.3.5-8.el8_4.x86_64.rpm  
libksba-debugsource-1.3.5-8.el8_4.i686.rpm  
libksba-debugsource-1.3.5-8.el8_4.x86_64.rpm  
libksba-devel-1.3.5-8.el8_4.i686.rpm  
libksba-devel-1.3.5-8.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3I6xtzjgjWX9erEAQgIqQ/+MihsJWSSwPhPmCV2TvOun35p83LSJur6  
rgdf9Jl7toLptN1aK7tgffgLskX2SLbv7XqLvkQiebkonXp2zfRajPvR3JHnDpgV  
NrhABfLdcA0GXlceSR6DZWrFELXMkxb97H9lDYlv+dDkF2+tqfP1ZszcqCTuySdn  
rZtllxPwBbq1fGRrtv0HdwroWUKDES0lAEyDUnp3KCGp5+456z9CnAui8T8na5jJ  
SD38E1w/r6R9v9hH55Lg6RJz2u3MhOnFBwrWzY29iBWbe2eqynBEPhsAjONhVj6w  
FtQgH9PVS7Q5DNGC+KvrjVGXa7zIbjEGyS6HdVnWR2UDJYjFi2RXM+XeyqfTEd43  
Erjjhjsz/gDQbZD3XvnubThcQ0XXjrJKUGS0yj17ZpWTDtBVFktD+6WryMnPYb3/  
BCaUnJcZ6hFD0mMgHN2nV7UDk43a2IX/zhhfq/YkxCWPm3dRqsmevU56NG+uDUmv  
QSkiDwL7G5M+oHfKfjBrh9NRrSkt6R/7YsiRyOe36PNGJ5LC+cQx734TbMBFaMYo  
KqEvlFnzBXO9NryisDMq9db1aj2EV1N/gwzNXynm0c4vxhMHPyEpbQd62sFYQ/bH  
3tvLXNE1hrdXU9UW/h3c1HgRUD1WRr/49DU5zVgNunlFTc2WOz59xRF2fiQDvF1s  
YW0G0pPZhVw=Wx01  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7927-01

Debian Linux Security Advisory 5278-1 - It was discovered that a buffer overflow in the _getCountedString() function of the Xorg X server may result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5278-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 13, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2022-3550 CVE-2022-3551

It was discovered that a buffer overflow in the _getCountedString()  
function of the Xorg X server may result in denial of service or  
potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 2:1.20.11-1+deb11u3.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNxPhMACgkQEMKTtsN8  
TjYGIw//eDkQaWMUaRzlfNcFJUPkYQJot20IGvCa5UwUgNCcky13/riQ13OedOAZ  
n7ORM7vtn28v3WhQkUqO2XJ8ODT0LGKuAFuwbXOLqJd/f1bqkhAVYp0eNMmZm3wr  
CLfa8zoTM0lh4eOu5r7ecdFSd/sZ3Dy7ODwL8tuOaTrHo+rJ5epYd2xqrFxVi9NA  
EfyeycQb8LY+/OqCbpp8nUq+CpvT22Z7oNTgQpKy4ScQKLe7pqPQDO4VEkSwsBrs  
HGInGuNRMMM3uAHTTQts6tn4jK5eou24hws1fYUXSi57zTJc5jwVG75jhIjEtGOm  
/UfnEhAbUeEB+o21gP0HAxLy1F20h8Qonasvh3LH1ormzwhl8RqVR/Ny62jb79/k  
jlS4IUUQGPK8WYdbkJPrs1GFu/2quW8VWcpYRIE5b/Ylq/XsmLNotSVs29ID10Q2  
U91rimYdlTKG3UDsErFzBh6uPqNP2vWUimpPq6nRQgEfX94H2kb96cyE1EpKnDnk  
jf1+UINP4Pe2r+XPGglw9krUGWsFMIJoPohCwOsXBSNhkfOJ4bO4huOzz3C1XLy3  
9i6BIrhaZRrKASemZSGieoKQyHXfsCBN1JIsoXYqYPxIu6STvyoG4kIv8VlAylXY  
9b9F1jtO2G3zGXuVlPEwJacMh5CPKNcUJP/SgpRrcov0iop/X8U=gxG8  
-----END PGP SIGNATURE-----

Debian Security Advisory 5278-1

Debian Linux Security Advisory 5277-1 - Multiple security issues were discovered in PHP, a widely-used open source general purpose scripting language which could result an denial of service, information disclosure, insecure cooking handling or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5277-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 13, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2022-31630 CVE-2022-37454 CVE-2022-31629 CVE-2022-31628Multiple security issues were discovered in PHP, a widely-used opensource general purpose scripting language which could result an denialof service, information disclosure, insecure cooking handling orpotentially the execution of arbitrary code.For the stable distribution (bullseye), these problems have been fixed inversion 7.4.33-1+deb11u1.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNxOm0ACgkQEMKTtsN8TjYZ7xAAspdPvtpc+Sq8l2NsZlKUew50JSsTb0UbwAYH0G8prnYzEQK898syuP2eaZsbPHec/aqClyvFfrhnWsrGyWUAwHtQIHmG0lIPXAZuCMawbud95MY3sFY7lidK+6UvTFxBCx3hbYaZE/Xz+3Zsx6qX3L+eSQSEdVKy4lV4CbZtVBM3iVlg+lB+EXZqFjdZZsoDSbK5K8pYRD2HQBMa7RMFau/zYc7ZZpcwRjcojUvrLB+2xQHitcCZLxNtJ4IpNqKr3BmDfIe+h9mzY9q22sdTC5H29u9p+s2XssYgNfkS9h6IxBfYbYQAwxZLfBIDJ3inbmAnHz/OBTEcmt/OufdaBUt0V4otddaZHT/6nhaY/0Hhdd9f5F40ohKGR4R4nv5zFKVLB9/fONxPjKARj7X81PsBhB7GFzKbrdQtpK+tTek/sxDJTW5TSvN+tvRtAPBTxzEbvzl+duscIZr7eVlIqfd/tLuspnc/iaeOxBWup1ekx8Eu5voHcC3SFnLJCFeSdqfA9/qiG8Gj/FYA4a8/S2D7mWH+xQlT1aWVU33b9bgJkzdg1WYj79Dv6K9Yg64T22CIy0w8EOpQXSJcKlILd6gP6cdz3P5WfCt/51VhBQAJb/+qd4w98c5LAhoet75dSWVIbynja1asPTMZ1RhJvIWpYud3LmfOAO8Q/NFGYtc=MMQt-----END PGP SIGNATURE-----

Source

Packet Storm