Red Hat Security Advisory 2022-7177-01 - This release of Camel for Spring Boot 3.14.5 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Camel for Spring Boot 3.14.5 release and security update  
Advisory ID:       RHSA-2022:7177-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7177  
Issue date:        2022-10-25  
CVE Names:         CVE-2021-22573  
====================================================================  
1. Summary:

A minor version update (from 3.14.2 to 3.14.5) is now available for Camel  
for Spring Boot. The purpose of this text-only errata is to inform you  
about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.14.5 serves as a replacement for  
Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which  
are documented in the Release Notes document linked in the References.

Security Fix(es):

* google-oauth-client: Token signature not verified (CVE-2021-22573)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

Installation instructions are available from the Camel for Spring Boot  
3.14.5 product documentation page.

https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/getting_started_with_camel_spring_boot/index

https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/camel_spring_boot_reference/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified

5. References:

https://access.redhat.com/security/cve/CVE-2021-22573  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version 22-Q4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go/dzjgjWX9erEAQi26g/+JAMO+Er0WE3LAhwS0DawXpXpxkSovbx/  
UUrOz4XA6qnalNZlpoWUKbGBzCn6B6LptCFy4p0CUURz+tLO4XLPESVMdsuVRhf4  
KK4sSTIvgR97JFT7vIijX4C90Dn++JEUdeoXJtJTHNJ+PsxHSlVLgMHyehGarkyU  
HET7pkv6EvfhotEn7lmoX2M74IxN5stjrWpBGL93IL++btTskYvt1T2L23F+naN6  
ed6D4uBtT7MxBh73drAdv+Qj9a7D396VrCur4mis42PPsH0hGfh2CZSpBxDRPDSr  
Y2/8UTPuwkOR/lCkoNkWUnvOOSdg0YjjwXY5608Xz1hAg1J7SSKPkmGU0tRGoThe  
LwQ2wURL9x3wkj2DpP74skcRhbiNrpbIxuIU42KeggPYZgNX5pP2zq/650Q97DlN  
bI2kIBgBoFyFwIKrdrn4dZP6u017a+OAQpGFRq2llLJUIZIAU2/YNtFVtKZN+QXw  
kn3B0g0kl7+XFo4VCXJ11fukYFItXHna9u4oxUCiAEk7IBlZfDPXqoEZSwoj5US2  
J1r3F9Y1zTXMWGMvrdI1soAI2ckCD9Uxvl7Ch4A76mhPyjeb6BGV0WW6kuBbkcZ8  
gZWwZoFiVXFVPFdMlTY58GJXPHnKgWr7pgNkMq6m28x9T8nvaiLWxdFt1lOD/KI8  
YxGv6/UMihY=wS+h  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7177-01

Red Hat Security Advisory 2022-7178-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7178-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7178  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.4.0-1.el9_0.src.rpm

aarch64:  
thunderbird-102.4.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpadzjgjWX9erEAQjZ2A//VFqqY+5rWTcCLtIv9aHbrYVzPr408fQQ  
HvSWWBqtCpKVpDK+cOmOTzidaKs+0VVy4MG1Ie/EYGj0524xyAFRZRuAyhqOoDD2  
0kbiURziU3ySM8XVXdekOjhiePVrH5PWTdwqm5XI5OF3Ud+1HoU3M6ZSlEb11Ctx  
/6tNQ400YK9+CLNm1tGuHwwx+LPeoo9uQOEN1R5F7S7Y3b5lb2tyc3CqwgqSVKU5  
m1SIz2wTthd1QJ7a2ZH4Ai9qCqnljDkrU4oqO8IMrngIGwjqqHBVc5Jjdmvjb0Ny  
TMMyYQh3rd5YUIH+kuaekPvd41c/te4OrsObk8WvUxwXNpbGsuFjodGw9b0lQ6W4  
HqP8doLB+J/Fgab27crgU+VdO3R55cqciIypsGaYTxmpyAdijyjgMUbjmo9ac4oL  
bdO6Oq7b4XgGBYScVmXBldADtOF9YuXEWBlk02dOsdQK2ThbFX7o8Ox2LrYwxQpI  
07UfBqx2vec8ah1h46ij4IsUZGWxvC7iMZm5n8F43c6XLhHlq9B1Ir8MbMczn6Fw  
lDqp6F/TZO/++PSC5qDnJ/OTUrf4VcMmXjQSnE7hdgtqRJNmpgl8GHGX/7l/VPrr  
zxExOGlYkKrHprthCK+9tCvYZJweJM97+tbg8Lh1XrO14jdoyfuAiPAzcYapCUo8  
6dJIRcgweh8=Wcpb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7178-01

Red Hat Security Advisory 2022-7187-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7187-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7187  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
device-mapper-multipath-0.8.0-5.el8_1.1.src.rpm

aarch64:  
device-mapper-multipath-0.8.0-5.el8_1.1.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.aarch64.rpm  
device-mapper-multipath-libs-0.8.0-5.el8_1.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.aarch64.rpm  
kpartx-0.8.0-5.el8_1.1.aarch64.rpm  
kpartx-debuginfo-0.8.0-5.el8_1.1.aarch64.rpm  
libdmmp-0.8.0-5.el8_1.1.aarch64.rpm  
libdmmp-debuginfo-0.8.0-5.el8_1.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.0-5.el8_1.1.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.ppc64le.rpm  
device-mapper-multipath-libs-0.8.0-5.el8_1.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm  
kpartx-0.8.0-5.el8_1.1.ppc64le.rpm  
kpartx-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm  
libdmmp-0.8.0-5.el8_1.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.0-5.el8_1.1.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.s390x.rpm  
device-mapper-multipath-libs-0.8.0-5.el8_1.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.s390x.rpm  
kpartx-0.8.0-5.el8_1.1.s390x.rpm  
kpartx-debuginfo-0.8.0-5.el8_1.1.s390x.rpm  
libdmmp-0.8.0-5.el8_1.1.s390x.rpm  
libdmmp-debuginfo-0.8.0-5.el8_1.1.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.0-5.el8_1.1.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.x86_64.rpm  
device-mapper-multipath-libs-0.8.0-5.el8_1.1.i686.rpm  
device-mapper-multipath-libs-0.8.0-5.el8_1.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm  
kpartx-0.8.0-5.el8_1.1.x86_64.rpm  
kpartx-debuginfo-0.8.0-5.el8_1.1.i686.rpm  
kpartx-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm  
libdmmp-0.8.0-5.el8_1.1.i686.rpm  
libdmmp-0.8.0-5.el8_1.1.x86_64.rpm  
libdmmp-debuginfo-0.8.0-5.el8_1.1.i686.rpm  
libdmmp-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpEdzjgjWX9erEAQiEaRAAlP/4YecK4K+FocynN9Rfi2z1PgOWuJ0r  
qulW6O15pJMkGoElJlcQXqE7Bv3cBE1jdJJ0xT0WFME6nlnsUfUfKNTTwRwapmyh  
6p5wvMKzok28NY4eViTan2Hiek+enKoZC/YtSaAfQcHy/YUGxNlz5pSlDX4MGnHW  
IWCfZz3DmxpooVfxIbN8YRFgPASYBcSn7maprPScxDAvYsUfvyUcv1Eix8l1YJM3  
XmnG3CtteiWPNewkKhTbxSxV2ktGnFsm3k64wDyZtNuFHBrNCjnWdDcjAGy2Ze6l  
IYJ0uRnTtV4ApT6wwT2y/2gm4uMsPPF4fOrzem8x0/p0++xjtwm+cL0I4gXT9NIG  
dTkKPDoT0LhVDvtZkP5aiR/IwHdci2avE5pW4wGHgbODvibmXzPg3tnJAbbGPH9Y  
AzHNLxYODzqGhxjQZA+NCSBzkLVQmrwaGMx7Q6b6irR+0cbNGZjilpR57U+UnyuZ  
9iD/5R1M3hhCyFCduV8fENuNp6zrrPf3tCdzubCxkXPK85V7yFr3IeNWNKK5/Xey  
kEGwszZP48P+S1pEBhivwW/W7kM1bjUz1t6LuY8DCgV8+vggAh4+VZyOHsNiFBT0  
xo8nEFXXmsQ0k1su9vrUNSkJHnLkGFpyNxJOtF9oif6j3YEWhJWoITP/4DOT4sb/  
fIPFIvs0xH4=ZQiX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7187-01

Red Hat Security Advisory 2022-7190-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7190-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7190  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.4.0-1.el8_6.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el8_6.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go3dzjgjWX9erEAQjv1w//f5PLkHsKJ1d09vNv03VyqLLUMQLNkccV  
uZaAu8P7heN4C8x+4+YYfRmjpELzU24e5vzkFpMmLlDfTTvonEQOE81dfJrT+5jw  
btHB2m8iy4VGowXNhcAFdHE1oZfdaVf3iHcNe55G8bOo7KU4AkArRyk1hMRm5aIm  
O6EWWaYmbqxN8iMnydJ/52EBaa9U/Fxj0a/fgr/w0Ct4heT7jO52dx6tShqswkjp  
B5pcVrEUJMeqzT6PTnlLvyS0/kjrf5m8BA1z4KbLLwe2hof427NHtxCBN0eGkbYI  
jeC+v2z/YRtFtkFkn/rX9P0Rv9dcSWCh8Bxu5XBPck6sP3eLZj8kCmkjVkFwZ9Ux  
i9A4rmkdzA4kQz4gkHePjW7AMqpn+QMinZ5jS5/xJm3M1aeb8qU2tBOCvHL1g7as  
Iw2SD/J3Y88ZaI4fi9GV895lj6cXl6V4JH+Id7u14su6EJNXWTCcH9m4HyZRMeWP  
p3yRf/VrmB6lEcBgNuFd4INLtH+7TPD9FLdruxRpDIXfyrzWxS/1MNvF09TsIKug  
T6PXjlNTXVHJT6j9uMUb3uhHzDUiRERjth0sERen4crbDmqi2gFzIoBh6AC6os9G  
71uoAamyZayQ4zUFiXWka2KnuQ6tGlmEosSlFJ1pv0r1ckrpu9Jsa2RG6f0EzFzP  
NdyCURLS0ho=TTC/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7190-01

Red Hat Security Advisory 2022-7182-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7182-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7182  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-102.4.0-1.el8_2.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.4.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go89zjgjWX9erEAQgxkw//RMipzdXSXA2DPrWCC1vV37pz9ANknnMZ  
i5ncuYcqg9uACzo4DvcVBef69HxuRCLcgqJ5WJFXJ6qibYuP2oHn2BQhMQxCWOoJ  
mc4zsPQvmaejEUFI3P9pgEA4M1EUxKOIZedTyATlxwtqo1a5UkpkF354zIdk8AhL  
OtYJOtCwhB6u/g+a9wSJLDAWyDXrtzlKWvMEfhfCJU4r1oHcdl985SHK1cR3oxDu  
+18I/iWlxoCNZG0OK+Y19udBaRvkZQ8jGixTvXBgt8NBRFvO8LDoqjrPrRJLkRB4  
Z+7mP06V9cIAcFuWU4PXXFS6JrWrOvW9q5M6f7O4OCj7LJ0fgaqFRK/jpXymv8rF  
36GcqTkfuefLDKQrOjRNAugchBdTCn5em1fpr5WYdbE2U96bY2lA5gKbh9In8wI1  
i9aJu4ETVh7SBJN/XnTx5tABaTs/7iIQA7D4jBFe+ru3XKm+NdvLegSlayPx/Xpe  
L0MzA7beaPiVeRLRGPxVyVpSmiYmUE0zP83v8kvU4iHvBZG450YGgTHGcDVSx3ku  
Qj0fba0eG1+2jcsOVAwXx5ZikKsUQjWY5fiCtO3USDzcNV88RRtTnVdgV2IPqsyb  
2cmS9jgPnknj9lXo+ERwbfhobDYkrval0IduvihPpArpGQ0vH7gxs663O/832OOY  
wZQOOzLSwsI=GMRF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7182-01

Red Hat Security Advisory 2022-7188-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7188-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7188  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:  
device-mapper-multipath-0.8.3-3.el8_2.7.src.rpm

aarch64:  
device-mapper-multipath-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.2):

aarch64:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpB9zjgjWX9erEAQgvHQ//aFrOuagMn10M1A1vTXSXiRD5m9ba+27b  
aCNjowKyAX3hgP2YVd8cA/fnAgPcDqrEOobWf1TEZawsOoOr2YYSQOx9zrR1l7Kx  
rOhIFaGq537IQ4pLO6iOkiuer21Rt9f6q0MrnarF9VXb3+FpZkWMljKhuZwnK+tl  
uZj4x7Y/5SFNgkxm0BKYN9WvuFyRER1gfTZVjbq6i9HDX/BN0cg90PhzdskglATB  
kEpLE9VevUB/D/319LrFtjHo7FHwA2Sz3sUVJaJ36ZYEsdaRfQvB2ZguDWaW+Pdy  
trvXg7Q8G+l8W5fXifSJsSTX/q/GyyL96cXvBkklajul3hYReqUApb6I0EFEKEmB  
qSmbjuSanqDgE102ibfa3PePNvGgg7JmfQ9Q9H22LsWLgNODHECYWyQTfpjRSURo  
U86qsaSJrE55kjmJwDQiZ58SdB5n/lw9A/5mJhdGhcYmOg9UDO86b8Qez04+Cd5D  
2gbVkBeLn0Szl331IBo3V/rX1EKOO8u2ylEH3JSCC4IbHyD4Ej1Cf7nllkYI6u/7  
UVDmJQBaAM0s6u3u0ZlELNSGp1rgE2WmCQyQ+nFUU63aZfYT2tMdk63qxXQFa8SW  
nnkULXzX6/ywl4lWqxdu8j+eTSuyGWlzl3n1SBMyIwyjEamm0MVVz0NUI0AmRy96  
/JRhzgikIpM©Bs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7188-01

Ubuntu Security Notice 5698-2 - USN-5698-1 fixed a vulnerability in Open. This update provides the corresponding update for Ubuntu 16.04 ESM. It was discovered that Open vSwitch incorrectly handled comparison of certain minimasks. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-5698-2October 25, 2022openvswitch vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Open vSwitch could be made to crash or run programs if it receivedspecially crafted network traffic.Software Description:- openvswitch: Ethernet virtual switchDetails:USN-5698-1 fixed a vulnerability in Open. This update providesthe corresponding update for Ubuntu 16.04 ESM.Original advisory details: It was discovered that Open vSwitch incorrectly handled comparison of certain minimasks. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  openvswitch-common              2.5.9-0ubuntu0.16.04.3+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5698-2  https://ubuntu.com/security/notices/USN-5698-1  CVE-2022-32166

Ubuntu Security Notice USN-5698-2

Ubuntu Security Notice 5697-1 - Douglas Mendizabal discovered that Barbican incorrectly handled certain query strings. A remote attacker could possibly use this issue to bypass the access policy.

==========================================================================  
Ubuntu Security Notice USN-5697-1  
October 25, 2022

barbican vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Barbican could be made to expose sensitive information over the  
network.

Software Description:  
- barbican: OpenStack Key Management Service - API Server

Details:

Douglas Mendizabal discovered that Barbican incorrectly handled certain  
query strings. A remote attacker could possibly use this issue to bypass  
the access policy.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   python3-barbican                2:14.0.0-0ubuntu1.1

Ubuntu 20.04 LTS:  
   python3-barbican                1:10.1.0-0ubuntu2.2

Ubuntu 18.04 LTS:  
   python-barbican                 1:6.0.1-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5697-1  
   CVE-2022-3100

Package Information:  
   https://launchpad.net/ubuntu/+source/barbican/2:14.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/barbican/1:10.1.0-0ubuntu2.2  
   https://launchpad.net/ubuntu/+source/barbican/1:6.0.1-0ubuntu1.2

Ubuntu Security Notice USN-5697-1

Ubuntu Security Notice 5698-1 - It was discovered that Open vSwitch incorrectly handled comparison of certain minimasks. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5698-1October 25, 2022openvswitch vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Open vSwitch could be made to crash or run programs if it receivedspecially crafted network traffic.Software Description:- openvswitch: Ethernet virtual switchDetails:It was discovered that Open vSwitch incorrectly handled comparison ofcertain minimasks. A remote attacker could use this issue to cause OpenvSwitch to crash, resulting in a denial of service, or possibly executearbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   openvswitch-common              2.9.8-0ubuntu0.18.04.3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5698-1   CVE-2022-32166Package Information:   https://launchpad.net/ubuntu/+source/openvswitch/2.9.8-0ubuntu0.18.04.3

Ubuntu Security Notice USN-5698-1

Red Hat Security Advisory 2022-7133-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: 389-ds:1.4 security update  
Advisory ID:       RHSA-2022:7133-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7133  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-2850  
====================================================================  
1. Summary:

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The  
base packages include the Lightweight Directory Access Protocol (LDAP)  
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.src.rpm

aarch64:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm

noarch:  
python3-lib389-1.4.3.28-8.module+el8.6.0+16880+945f9b53.noarch.rpm

ppc64le:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm

s390x:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm

x86_64:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2850  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1fUUNzjgjWX9erEAQh3VA/+IbU1+Ixiquw3BALaO/hobhG9e90WaggP  
i5zSunNXQXh+pKYaLWT3PPXR0vnf8uudZ0/wT97aQQcDvihV7vPhg/KILjzsbfGW  
zhkHgJSOPiGqPRSpOCVLJKCsH+4w+6J1aBfnHj7rh/7fZJww9HDg4l2ys5aMsGLa  
qsySbJwUuS7yNr+3HWDP2j54ekU3KpMq2s+NN+okCL1XE2AOT2pqbGZ3ruQA3qjz  
6GGsGFv9W51M6R4j4FBdYldwaO3aBi8KSbnFOKmj+doSumQM45mCc08gcbTL273k  
3tGrkSBNqguw7bTaGJYJoTVYGASU2H3fhEI+1d9n6jfJjWEpwA/AtL5ox5OUVMnF  
tDu/MxGON86KCq2+xMslonXyVdjiRd0alFS3fStUWlJvbw78ITocPiZkrjbgha9w  
XSL2bV7ygM6u74nYHGS9earSJqmwoAC7H5f5pGv/6S4ba+0XhKkXVWbhN+rUxy9f  
0xhRam709uRKw7WnkfOcGTQwNf2LwBUNrW224RrGEWHSKIhy/qbxMiMPuI4gVFQd  
+qCj2c2Wy6AVmx/SFI2az5qFzPCGRR+IdhWWhzRWukPY6G3Kax+eTHOB5B5htVPO  
g5878aNczXnztdMyY4zab/2dQCry31fqYzICSYC2o7X439pPif5VXQQgSH6qYSFI  
YfkfQQpwKMg=wWl7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm