Windows CryptoAPI  Denial of Service Vulnerability

CVE-2023-24937

Windows Hyper-V Denial of Service Vulnerability

CVE-2023-32013

Remote Procedure Call Runtime Denial of Service Vulnerability

CVE-2023-29369

Windows iSCSI Discovery Service Denial of Service Vulnerability

CVE-2023-32011

Microsoft SharePoint Denial of Service Vulnerability

CVE-2023-33129

CVE-2023-24938

Sysinternals Process Monitor for Windows Denial of Service Vulnerability

CVE-2023-29353

Ubuntu Security Notice 6160-1 - It was discovered that GNU binutils incorrectly performed bounds checking operations when parsing stabs debugging information. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6160-1June 13, 2023binutils vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:GNU binutils could be made to crash or run programs if it opened aspecially crafted file.Software Description:- binutils: GNU assembler, linker and binary utilitiesDetails:It was discovered that GNU binutils incorrectly performed bounds checkingoperations when parsing stabs debugging information. An attacker couldpossibly use this issue to cause a denial of service or execute arbitrarycode.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   binutils                        2.34-6ubuntu1.6   binutils-multiarch              2.34-6ubuntu1.6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6160-1   CVE-2021-45078Package Information:   https://launchpad.net/ubuntu/+source/binutils/2.34-6ubuntu1.6

Ubuntu Security Notice USN-6160-1

Ubuntu Security Notice 6143-2 - USN-6143-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks.

    ==========================================================================Ubuntu Security Notice USN-6143-2June 13, 2023firefox regressions==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:USN-6143-1 caused some minor regressions in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:USN-6143-1 fixed vulnerabilities in Firefox. The update introducedseveral minor regressions. This update fixes the problem.We apologize for the inconvenience.Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-34414, CVE-2023-34416, CVE-2023-34417)  Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks. (CVE-2023-34415)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         114.0.1+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6143-2  https://ubuntu.com/security/notices/USN-6143-1  https://launchpad.net/bugs/2023610Package Information:  https://launchpad.net/ubuntu/+source/firefox/114.0.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6143-2

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.2 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2023:3495-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3495  
Issue date:        2023-06-12  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656  
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789  
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028  
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524  
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567  
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625  
                   CVE-2022-3627 CVE-2022-3628 CVE-2022-3707  
                   CVE-2022-3970 CVE-2022-4129 CVE-2022-20141  
                   CVE-2022-25147 CVE-2022-25265 CVE-2022-30594  
                   CVE-2022-36227 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41218 CVE-2022-41674 CVE-2022-41723  
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721  
                   CVE-2022-42722 CVE-2022-43750 CVE-2022-47929  
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195  
                   CVE-2023-1582 CVE-2023-2491 CVE-2023-22490  
                   CVE-2023-23454 CVE-2023-23946 CVE-2023-25652  
                   CVE-2023-25815 CVE-2023-27535 CVE-2023-27539  
                   CVE-2023-28120 CVE-2023-29007  
====================================================================  
1. Summary:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
(CVE-2023-28120)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2179637 - CVE-2023-28120 rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-3314 - [fluentd] The passphrase can not be enabled when forwarding logs to Kafka  
LOG-3316 - openshift-logging namespace can not be deleted directly when use lokistack as default store.  
LOG-3330 - run.sh shows incorrect chunk_limit_size if changed.  
LOG-3445 - [vector to loki]  validation is not disabled  when tls.insecureSkipVerify=true  
LOG-3749 - Unability to configure nodePlacement and toleration for logging-view-plugin  
LOG-3784 - [fluentd http] the defaut value HTTP content type application/x-ndjson is unsupported on datadog  
LOG-3827 - [fluentd http] The passphase isn't generated in fluent.conf  
LOG-3878 - [vector] PHP multiline errors are collected line by line when detectMultilineErrors is enabled.  
LOG-3945 - [Vector] Collector pods in CrashLoopBackOff when ClusterLogForwarder pipeline has space in between the pipeline name.  
LOG-3997 - Add http to log_forwarder_output_info metrics  
LOG-4011 - [Vector] Collector not complying with the custom tlsSecurityProfile configuration.  
LOG-4019 - [release-5.7] fluentd multiline exception plugin fails to detect JS client exception  
LOG-4049 - [release-5.7] User can list labels and label values for all user workload namespaces via Loki Label APIs  
LOG-4052 - [release-5.7] Fix Loki timeouts querying logs from OCP Console  
LOG-4098 - [release-5.7] No log_forwarder_output_info for splunk and google logging  
LOG-4151 - Fluentd fix  missing nil check for rotated_tw in update_watcher  
LOG-4163 - [release-5.7] TLS configuration for multiple Kafka brokers is not created in Vector  
LOG-4185 - Resources, tolerations and nodeSelector for the collector are missing  
LOG-4218 - Vector fails to run when configuring syslog forwarding for audit log  
LOG-4219 - Vector handles journal log as container log when enabling syslog forwarding. It breaks the compatibility with Fluentd  
LOG-4220 - [RHOCP4.11] Logs of POD which doesn't have labels specified by structuredTypeKey are parsed to JSON, and forwarded to app-xxxxxx  
LOG-4221 - [release-5.7] Fluentd wrongly closes a log file due to hash collision

6. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2021-33656  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1679  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3239  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-25147  
https://access.redhat.com/security/cve/CVE-2022-25265  
https://access.redhat.com/security/cve/CVE-2022-30594  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41218  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1582  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-22490  
https://access.redhat.com/security/cve/CVE-2023-23454  
https://access.redhat.com/security/cve/CVE-2023-23946  
https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/cve/CVE-2023-28120  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIfBndzjgjWX9erEAQj/Vg/8D/xYKPgCJDjD2IbguRkgOWsZ5r5BP36n  
pbizOqZem1fs5J1oxmKotej5vE/BD5iumTsNYY59E1y/MjrBYPkaTjnHwgxkNYq/  
Lptwmt7pc2jE92E4qUMa5LpUhJxLQfw10SAMmYFVJIqOjVh+82XhU5NW5bJYStRs  
767suxjFzYZs8CHwpVyBVqEfI/sCyU+Ok3Pja5McaPjomAt9cNYfXoaPUSq3UMMD  
ifVOjVz3fE8YY6UhmVY5SPHrG4Ak2YcKOpyJ/A3UjRuKOTrtnLSxtLZisH4UMetZ  
R0e2ovt1TP4emH9Cblhl18qZxfi6RsveAwQ3IUplCltSRMbl7hrLB11cbAUUoPPc  
+MGvw6id7BHpH/0pBR1u7HH04VlzK/J1/pAiJNR3uL8W4OomgF9A5oSXSoJ9mY9C  
hFjUvQp7rR3+l9ivIT5pb//7lGBJs+QIn/W8OJXWEdqUMpC1ybPnJX7+azLUjLAt  
w7WEuMS7usNdDAUzP/sYFVlHfsNtOKHvx8c+DUi8ti9gkaXakw6VZIUh0g3ZUvmi  
hUWP7oktj6dZyISk75TpmpPppL5pmlKoHREJgiohSXUnFtp/XsYRAoZRfMbbqKr4  
MmyT7J11sfRH5+M1294PtdYJodXu13GESfjW38urAhVE/1SLpvWMQTv7U9CnDimF  
m78/igCYu/A=NjOC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#dos