Red Hat Security Data

An update is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-19869: qt5-qtsvg: Invalid parsing of malformed url reference resulting in a denial of service * CVE-2018-19871: qt5-qtimageformats: QTgaFile CPU exhaustion * CVE-2018-19872: qt: Malformed PPM image causing division by zero and crash in qppmhandler.cpp * CVE-2019-18281: qt5-qtbase: Out-of-bounds access in generateDirectionalRuns() function in qtextengine.cpp

An update for the pki-core:10.6 and pki-deps:10.6 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) * jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) * jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) For more details...

An update for e2fsprogs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. The following packages have been upgraded to a later upstream version: e2fsprogs (1.45.4). (BZ#1783777) Security Fix(es): * e2fsprogs: crafted ext4 partition leads to out-of-bounds write (CVE-2019-5094) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes l...

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-9289: A vulnerability was found in the Linux kernel’s CX24116 tv-card driver, where an out of bounds read occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. An attacker could use this flaw to leak kernel private information to userspace. * CVE-2017-17807: The KEYS subsystem in the Linux kernel omitted an access-control check ...

An update for mariadb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (5.5.65). (BZ#1741357) Security Fix(es): * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2019) (CVE-2019-2737) * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2019) (CVE-2019-2739) * mysql: Server: XML unspecified vulnerability (CPU Jul 2019) (CVE-2019-2740) * mysql: Server: Parser unspecified vulnerability (CPU Jul 2019) (CVE-2019-2805) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, ...

Updated packages that resolve various issues are now available for Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware. Changes to the openstack-octavia-ui component: * This enhancement adds new features and usability enhancements to the Octavia Horizon dashboard. (BZ#1698467) Related CVEs: * CVE-2019-14818: dpdk: possible memory leak leads to denial of service

Red Hat OpenShift Container Platform release 4.3.1 is now available with updates to packages and images that fix several bugs.Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.3.1. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2020:0391 All OpenShift Container Platform 4.3 users are advised to upgrade to these updated packages and images. Related CVEs: * CVE-2019-17596: golang: invalid public key causes panic in dsa.Verify * CVE-2020-7039: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() * CVE-2020-7211: QEMU: Slirp: potential directory traversal using relative paths via tftp server on Windows host

Updated packages that fix several bugs and add various enhancements are now available for Red Hat OpenStack Platform 16.0 (Train) for RHEL 8.1.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-3866: An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit this flaw to access sensitive user information. * CVE-2019-19687: A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deploymen...

Updated packages that fix several bugs and add various enhancements are now available for Red Hat OpenStack Platform 16.0 (Train) for RHEL 8.1.Red Hat OpenStack Platform provides the facilities for building, deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware. For additional information about the items in this advisory, see the Technical Notes: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html/release_notes/chap-technical_notes. Related CVEs: * CVE-2019-3866: openstack-mistral: information disclosure in mistral log

Red Hat OpenShift Container Platform release 4.3.0, which fixes several bugs and includes various enhancements, is now available.Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.3.0. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2020:0063 Space precludes documenting all of the bug fixes and enhancements in this advisory, as well as all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html You may download the oc tool and use it to inspect release image metadata as follows: $ oc adm release info quay.io/openshift-release-dev/ocp-re...