Debian Linux Security Advisory 5617-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5617-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 08, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1283 CVE-2024-1284Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.160-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIyBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXEllwACgkQZF0CR8NudjcIrQ/4nDJyajY62INMkRpAFjT9a7+IDO5ozl2IcYf7+Jz11HhZmc891MSHbnFEVeZfaCFGmt6Xo9WRwvDlkDjAiQ7jA571PoNE8cF3oaLpD6+6/oj2apUpD7LkTNaviWRct19zRflJyhehYl2oxR7A0Yi6GTvGtn+azkhoqYTSw9WWdFzKNI1wmpID0bxp+CgtzZmVkDCa0WFM4MP2C+IdGWzhBTc9+7VggO91ATAwHscSJ/2D3jJVJMVP8vKqla6QJabGwo7N3wRE3aB3YybluhvYWzhaOmf8oNavwFarEwrEhm5siJWadkte7OlZeusBfONZVircFx4zqfYqilyCLx384qlKyRtjwMwiTE/vk61xm3dl6AV5mUIbyVu4FUIVTftBBE0mwW055ncDCEy3FgEc3ZRxFdvolcWJhONt6f8jAn6iOfH82nQ8SfVmgpQPP2eKLHT/l9IT9T0blJYlNIjXM1T4IjMZvtFb7KUp9rP/T2UDDKwxR8ahs0/EC7FubjjzhnmZFAe/L2xFlM612Fl+C+6mgqUH0oS0TF6CLmWH1gNuXUFjiyVL+zkQA7Fcp6iiUdhSrEAz8y+Igv0Ty2n06xRxkUF3t1SG6XxAxbKW3BuyEz5B9fivLh9KzXGiXWHrvpTHvNYMuKPXeOM9QvcFKhzXLvcWRpirgC22ca7JNA===+kgA-----END PGP SIGNATURE-----

Debian Security Advisory 5617-1

Ubuntu Security Notice 6624-1 - Marek Marczykowski-Górecki discovered that the Xen event channel infrastructure implementation in the Linux kernel contained a race condition. An attacker in a guest VM could possibly use this to cause a denial of service. Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver in the Linux kernel during device removal. A privileged attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6624-1  
February 07, 2024

linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop,  
linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle,  
linux-raspi, linux-starfive vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-laptop: Linux kernel for Lenovo X13s ARM laptops  
- linux-lowlatency: Linux low latency kernel  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-starfive: Linux kernel for StarFive processors  
- linux-hwe-6.5: Linux hardware enablement (HWE) kernel  
- linux-lowlatency-hwe-6.5: Linux low latency kernel  
- linux-oem-6.5: Linux kernel for OEM systems

Details:

Marek Marczykowski-Górecki discovered that the Xen event channel  
infrastructure implementation in the Linux kernel contained a race  
condition. An attacker in a guest VM could possibly use this to cause a  
denial of service (paravirtualized device unavailability). (CVE-2023-34324)

Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver  
in the Linux kernel during device removal. A privileged attacker could use  
this to cause a denial of service (system crash). (CVE-2023-35827)

Tom Dohrmann discovered that the Secure Encrypted Virtualization (SEV)  
implementation for AMD processors in the Linux kernel contained a race  
condition when accessing MMIO registers. A local attacker in a SEV guest VM  
could possibly use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-46813)

It was discovered that the io_uring subsystem in the Linux kernel contained  
a race condition, leading to a null pointer dereference vulnerability. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46862)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly validate inner tunnel netlink attributes, leading to a null  
pointer dereference vulnerability. A local attacker could use this to cause  
a denial of service (system crash). (CVE-2023-5972)

It was discovered that the TLS subsystem in the Linux kernel did not  
properly perform cryptographic operations in some situations, leading to a  
null pointer dereference vulnerability. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2023-6176)

Jann Horn discovered that a race condition existed in the Linux kernel when  
handling io_uring over sockets, leading to a use-after-free vulnerability.  
A local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-6531)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did  
not properly handle dynset expressions passed from userspace, leading to a  
null pointer dereference vulnerability. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2023-6622)

It was discovered that the TIPC protocol implementation in the Linux kernel  
did not properly handle locking during tipc_crypto_key_revoke() operations.  
A local attacker could use this to cause a denial of service (kernel  
deadlock). (CVE-2024-0641)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   linux-image-6.5.0-1007-starfive  6.5.0-1007.8  
   linux-image-6.5.0-1009-laptop   6.5.0-1009.12  
   linux-image-6.5.0-1010-raspi    6.5.0-1010.13  
   linux-image-6.5.0-1013-aws      6.5.0-1013.13  
   linux-image-6.5.0-1013-gcp      6.5.0-1013.13  
   linux-image-6.5.0-1015-oracle   6.5.0-1015.15  
   linux-image-6.5.0-17-generic    6.5.0-17.17  
   linux-image-6.5.0-17-generic-64k  6.5.0-17.17  
   linux-image-6.5.0-17-lowlatency  6.5.0-17.17.1  
   linux-image-6.5.0-17-lowlatency-64k  6.5.0-17.17.1  
   linux-image-aws                 6.5.0.1013.13  
   linux-image-gcp                 6.5.0.1013.13  
   linux-image-generic             6.5.0.17.19  
   linux-image-generic-64k         6.5.0.17.19  
   linux-image-generic-lpae        6.5.0.17.19  
   linux-image-kvm                 6.5.0.17.19  
   linux-image-laptop-23.10        6.5.0.1009.12  
   linux-image-lowlatency          6.5.0.17.17.14  
   linux-image-lowlatency-64k      6.5.0.17.17.14  
   linux-image-oracle              6.5.0.1015.15  
   linux-image-raspi               6.5.0.1010.11  
   linux-image-raspi-nolpae        6.5.0.1010.11  
   linux-image-starfive            6.5.0.1007.9  
   linux-image-virtual             6.5.0.17.19

Ubuntu 22.04 LTS:  
   linux-image-6.5.0-1014-oem      6.5.0-1014.15  
   linux-image-6.5.0-17-generic    6.5.0-17.17~22.04.1  
   linux-image-6.5.0-17-generic-64k  6.5.0-17.17~22.04.1  
   linux-image-6.5.0-17-lowlatency  6.5.0-17.17.1.1.1~22.04.1  
   linux-image-6.5.0-17-lowlatency-64k  6.5.0-17.17.1.1.1~22.04.1  
   linux-image-generic-64k-hwe-22.04  6.5.0.17.17~22.04.9  
   linux-image-generic-hwe-22.04   6.5.0.17.17~22.04.9  
   linux-image-lowlatency-64k-hwe-22.04  6.5.0.17.17.1.1.1~22.04.6  
   linux-image-lowlatency-hwe-22.04  6.5.0.17.17.1.1.1~22.04.6  
   linux-image-oem-22.04d          6.5.0.1014.16  
   linux-image-virtual-hwe-22.04   6.5.0.17.17~22.04.9

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6624-1  
   CVE-2023-34324, CVE-2023-35827, CVE-2023-46813, CVE-2023-46862,  
   CVE-2023-5972, CVE-2023-6176, CVE-2023-6531, CVE-2023-6622,  
   CVE-2024-0641

Package Information:  
   https://launchpad.net/ubuntu/+source/linux/6.5.0-17.17  
   https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1013.13  
   https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1013.13  
   https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1009.12  
   https://launchpad.net/ubuntu/+source/linux-lowlatency/6.5.0-17.17.1  
   https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1015.15  
   https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1010.13  
   https://launchpad.net/ubuntu/+source/linux-starfive/6.5.0-1007.8  
   https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-17.17~22.04.1

 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.5/6.5.0-17.17.1.1.1~22.04.1  
   https://launchpad.net/ubuntu/+source/linux-oem-6.5/6.5.0-1014.15

Ubuntu Security Notice USN-6624-1

Red Hat Security Advisory 2024-0729-03 - Red Hat Advanced Cluster Management for Kubernetes 2.7.11 General Availability release images, which provide security updates and fix bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0729.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Advanced Cluster Management 2.7.11 security and bug fix container update  
Advisory ID:        RHSA-2024:0729-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0729  
Issue date:         2024-02-08  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.7.11 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.11 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following Release Notes documentation for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es):  
CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on  
go-git clients  
CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path  
traversal and RCE on go-git clients

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/install/installing

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0729-03

Red Hat Security Advisory 2024-0724-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0724.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:0724-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0724  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2021-3640  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: use-after-free vulnerability in function sco_sock_sendmsg() (CVE-2021-3640)

* kernel: improper input validation may lead to privilege escalation (CVE-2021-4204)

* kernel: memory leak for large arguments in video_usercopy function in drivers/media/v4l2-core/v4l2-ioctl.c (CVE-2021-30002)

* kernel: eBPF verification flaw (CVE-2021-34866)

* kernel: smb2_ioctl_query_info NULL pointer dereference (CVE-2022-0168)

* kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges (CVE-2022-0500)

* kernel: NULL pointer dereference in udf_expand_file_adinicbdue() during writeback (CVE-2022-0617)

* kernel: possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* kernel: buffer overflow in nft_set_desc_concat_parse() (CVE-2022-2078)

* kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation (CVE-2022-2586)

* kernel: netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* kernel: memory leak in ipv6_renew_options() (CVE-2022-3524)

* kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)

* kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c (CVE-2022-3619)

* kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry (CVE-2022-3623)

* kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* kernel: possible to use the debugger to write zero into a location of choice (CVE-2022-21499)

* kernel: local privileges escalation in kernel/bpf/verifier.c (CVE-2022-23222)

* kernel: Executable Space Protection Bypass (CVE-2022-25265)

* kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (CVE-2022-28388)

* kernel: double free in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c (CVE-2022-28390)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-3640

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1946279  
https://bugzilla.redhat.com/show_bug.cgi?id=1980646  
https://bugzilla.redhat.com/show_bug.cgi?id=2000457  
https://bugzilla.redhat.com/show_bug.cgi?id=2037386  
https://bugzilla.redhat.com/show_bug.cgi?id=2039178  
https://bugzilla.redhat.com/show_bug.cgi?id=2043520  
https://bugzilla.redhat.com/show_bug.cgi?id=2044578  
https://bugzilla.redhat.com/show_bug.cgi?id=2051444  
https://bugzilla.redhat.com/show_bug.cgi?id=2053632  
https://bugzilla.redhat.com/show_bug.cgi?id=2055499  
https://bugzilla.redhat.com/show_bug.cgi?id=2073064  
https://bugzilla.redhat.com/show_bug.cgi?id=2073091  
https://bugzilla.redhat.com/show_bug.cgi?id=2074208  
https://bugzilla.redhat.com/show_bug.cgi?id=2078466  
https://bugzilla.redhat.com/show_bug.cgi?id=2084183  
https://bugzilla.redhat.com/show_bug.cgi?id=2096178  
https://bugzilla.redhat.com/show_bug.cgi?id=2114878  
https://bugzilla.redhat.com/show_bug.cgi?id=2115278  
https://bugzilla.redhat.com/show_bug.cgi?id=2123056  
https://bugzilla.redhat.com/show_bug.cgi?id=2124788  
https://bugzilla.redhat.com/show_bug.cgi?id=2137979  
https://bugzilla.redhat.com/show_bug.cgi?id=2143893  
https://bugzilla.redhat.com/show_bug.cgi?id=2148520  
https://bugzilla.redhat.com/show_bug.cgi?id=2149024  
https://bugzilla.redhat.com/show_bug.cgi?id=2150947  
https://bugzilla.redhat.com/show_bug.cgi?id=2154235  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2165721  
https://bugzilla.redhat.com/show_bug.cgi?id=2168332  
https://bugzilla.redhat.com/show_bug.cgi?id=2173434  
https://bugzilla.redhat.com/show_bug.cgi?id=2176140  
https://bugzilla.redhat.com/show_bug.cgi?id=2177389  
https://bugzilla.redhat.com/show_bug.cgi?id=2181330  
https://bugzilla.redhat.com/show_bug.cgi?id=2185945  
https://bugzilla.redhat.com/show_bug.cgi?id=2187813  
https://bugzilla.redhat.com/show_bug.cgi?id=2187931  
https://bugzilla.redhat.com/show_bug.cgi?id=2193219  
https://bugzilla.redhat.com/show_bug.cgi?id=2207625  
https://bugzilla.redhat.com/show_bug.cgi?id=2213199  
https://bugzilla.redhat.com/show_bug.cgi?id=2215837  
https://bugzilla.redhat.com/show_bug.cgi?id=2221707  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2244715  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2246944  
https://bugzilla.redhat.com/show_bug.cgi?id=2246945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253614  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2254052  
https://bugzilla.redhat.com/show_bug.cgi?id=2254053  
https://bugzilla.redhat.com/show_bug.cgi?id=2254054  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2255283

Red Hat Security Advisory 2024-0724-03

Red Hat Security Advisory 2024-0719-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0719.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement updateAdvisory ID:        RHSA-2024:0719-03Product:            Migration Toolkit for RuntimesAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0719Issue date:         2024-02-07Revision:           03CVE Names:          CVE-2022-25883====================================================================Summary: Migration Toolkit for Runtimes 1.2.4 releaseRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Migration Toolkit for Runtimes 1.2.4 ImagesSecurity Fix(es):* nodejs-semver: Regular expression denial of service (CVE-2022-25883)* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-25883References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2215214https://bugzilla.redhat.com/show_bug.cgi?id=2216475

Red Hat Security Advisory 2024-0719-03

Red Hat Security Advisory 2024-0695-03 - Logging 5.6.16 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0695.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Logging 5.6.16 - Red Hat OpenShiftAdvisory ID:        RHSA-2024:0695-03Product:            Logging Subsystem for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0695Issue date:         2024-02-08Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: Logging 5.6.16 - Red Hat OpenShiftRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Logging 5.6.16 - Red Hat OpenShiftSecurity Fix(es):* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253330https://issues.redhat.com/browse/LOG-4967

Red Hat Security Advisory 2024-0695-03

Red Hat Security Advisory 2024-0694-03 - Logging Subsystem 5.7.11 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0694.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Logging Subsystem 5.7.11 - Red Hat OpenShiftAdvisory ID:        RHSA-2024:0694-03Product:            Logging Subsystem for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0694Issue date:         2024-02-07Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: Logging Subsystem 5.7.11 - Red Hat OpenShiftRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Logging Subsystem 5.7.11 - Red Hat OpenShiftSecurity Fix(es):* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253330https://issues.redhat.com/browse/LOG-4968

Red Hat Security Advisory 2024-0694-03

Red Hat Security Advisory 2024-0660-03 - Red Hat OpenShift Container Platform release 4.13.32 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0660.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.32 bug fix and security update  
Advisory ID:        RHSA-2024:0660-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0660  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.32 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.32. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0662

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)  
* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://issues.redhat.com/browse/OCPBUGS-23106  
https://issues.redhat.com/browse/OCPBUGS-23499  
https://issues.redhat.com/browse/OCPBUGS-27257  
https://issues.redhat.com/browse/OCPBUGS-27736  
https://issues.redhat.com/browse/OCPBUGS-27816  
https://issues.redhat.com/browse/OCPBUGS-27891  
https://issues.redhat.com/browse/OCPBUGS-27958  
https://issues.redhat.com/browse/OCPBUGS-28228

Red Hat Security Advisory 2024-0660-03

Red Hat Security Advisory 2024-0642-03 - An update is now available for Red Hat OpenShift Container Platform 4.14. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0642.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.14.11 bug fix and security update  
Advisory ID:        RHSA-2024:0642-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0642  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.11. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0645

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)

* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-11385  
https://issues.redhat.com/browse/OCPBUGS-21795  
https://issues.redhat.com/browse/OCPBUGS-21812  
https://issues.redhat.com/browse/OCPBUGS-22315  
https://issues.redhat.com/browse/OCPBUGS-23395  
https://issues.redhat.com/browse/OCPBUGS-23498  
https://issues.redhat.com/browse/OCPBUGS-23500  
https://issues.redhat.com/browse/OCPBUGS-23738  
https://issues.redhat.com/browse/OCPBUGS-24307  
https://issues.redhat.com/browse/OCPBUGS-24315  
https://issues.redhat.com/browse/OCPBUGS-24401  
https://issues.redhat.com/browse/OCPBUGS-24423  
https://issues.redhat.com/browse/OCPBUGS-24521  
https://issues.redhat.com/browse/OCPBUGS-24660  
https://issues.redhat.com/browse/OCPBUGS-25081  
https://issues.redhat.com/browse/OCPBUGS-25352  
https://issues.redhat.com/browse/OCPBUGS-25800  
https://issues.redhat.com/browse/OCPBUGS-26238  
https://issues.redhat.com/browse/OCPBUGS-26553  
https://issues.redhat.com/browse/OCPBUGS-26568  
https://issues.redhat.com/browse/OCPBUGS-26597  
https://issues.redhat.com/browse/OCPBUGS-27178  
https://issues.redhat.com/browse/OCPBUGS-27193  
https://issues.redhat.com/browse/OCPBUGS-27243  
https://issues.redhat.com/browse/OCPBUGS-27256  
https://issues.redhat.com/browse/OCPBUGS-27275  
https://issues.redhat.com/browse/OCPBUGS-27305  
https://issues.redhat.com/browse/OCPBUGS-27350  
https://issues.redhat.com/browse/OCPBUGS-27362  
https://issues.redhat.com/browse/OCPBUGS-27369  
https://issues.redhat.com/browse/OCPBUGS-27471  
https://issues.redhat.com/browse/OCPBUGS-27485  
https://issues.redhat.com/browse/OCPBUGS-27759  
https://issues.redhat.com/browse/OCPBUGS-27822  
https://issues.redhat.com/browse/OCPBUGS-27851  
https://issues.redhat.com/browse/OCPBUGS-27858  
https://issues.redhat.com/browse/OCPBUGS-28200  
https://issues.redhat.com/browse/OCPBUGS-28249  
https://issues.redhat.com/browse/OCPBUGS-28382  
https://issues.redhat.com/browse/OCPBUGS-28608

Red Hat Security Advisory 2024-0642-03

Red Hat Security Advisory 2024-0641-03 - An update is now available for Red Hat OpenShift Container Platform 4.14. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0641.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.14.11 security and extras update  
Advisory ID:        RHSA-2024:0641-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0641  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-45142  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.11. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0642

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients (CVE-2023-49569)

* go-git: Maliciously crafted Git server replies can cause DoS on go-git clients (CVE-2023-49568)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

CVEs:

CVE-2023-45142

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-26237

Tag

#dos