Debian Linux Security Advisory 5370-1 - Ronald Crane discovered that missing input saniting in the apr_encode functions of apr, the Apache Portable Runtime library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5370-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 07, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : aprCVE ID         : CVE-2022-24963Ronald Crane discovered that missing input saniting in the apr_encodefunctions of apr, the Apache Portable Runtime library, may result indenial of service or potentially the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 1.7.0-6+deb11u2.We recommend that you upgrade your apr packages.For the detailed security status of apr please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/aprFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQHo6lfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RadA/9FBVTrnAYXoqBJKLvvbNvPgKJnH+Ll5pVZa6rDEmum5Hph7TEszT+yB4fk37TxZicRIQKTs1t5UPPATVGn1JXqOfNTvxqz5MDWzAe48gCF6V/xwEYqAScA6BOk9cd+5C5GFF1t/TEUz6v9I2plZ4WMjSPEW0Tl1zervirvBBSjql7RDGP/uGM+2gPzayc4ufLJEOhaprQptp6wPyMaAgd2vTNoqzVW3StZd/7aBRMSHyN9qMy+WFAUwWNBgF9Uk8LInVMNDT0JGjHFqlHXi4zHGgBCUHz3l4SWvUwBhrjX4JRcN2egZ07A/1nrN7pVgCtRPkY9vdwKTnM9yMOV5cJ0fQvYlX73Zwogay4WYWFu3lNFAW1KsnlFcGEhGIKpJCOjV+BBvcJrR9CWPChKpGTbW0naKfAXUcFBcyGsovkFfzH45idrmkNFw+oZVRLt95LhNj0/AinYuaTpT7guPnOIvblZ/g608ULAtTS/BIiN4lTiQ9gjSTWeILoYFui8ZpFcFIQMgRb8aIeyjQJOp/I/4t5dRBcKdNh7xlxgGNJTPPwY+Acpc3hippepcPdtKBq5MBPWvz5fI45DtE3Nbn0GrgPFwW0u7z8xIJ05lyLdTRTozkZTlSzmfTev58rxaUqnm+CuZEeEoCbdDZ2uOpRmP031VqXVoQKRer6xm8VkO0=J/gX-----END PGP SIGNATURE-----

Debian Security Advisory 5370-1

Red Hat Security Advisory 2023-1093-01 - The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pesign security update  
Advisory ID:       RHSA-2023:1093-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1093  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-3560  
====================================================================  
1. Summary:

An update for pesign is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The pesign packages provide the pesign utility for signing UEFI binaries as  
well as other associated tools.

Security Fix(es):

* pesign: Local privilege escalation on pesign systemd service  
(CVE-2022-3560)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135420 - CVE-2022-3560 pesign: Local privilege escalation on pesign systemd service

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3560  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuBdzjgjWX9erEAQgOHA/7BEHsUb4+utg+YL/EZfFuUqhkHpV3Xk6z  
i14QR6Hy5kepLhwvGvv37A0U5o8x4rfPYQI+w8vzxliWPY/JXQlawK+qVNcia+xb  
1esZBTq7Pn3yfGxbbdA/nW0V0iFdeG/OnTvuyIWZXVe5RpdxMm6y3AB99xY9WM7Z  
l8QyDNfDQeNRQiZbMupF5Ie8vhnwFEmdNE1rbcBxPInqQ9KJqJNBRqPs/y5fiY9J  
IDuV/zHFGLAru9zfo0j1YxOV+vKa9FgUkgQwcqT3m39/L1qCY1j2aE0W8C9PFLcN  
nWu0qO3AChD2qMqTRxUwlag6OU8m99yXeXJD69udM91KBiAT5NwxPFZTwmodNX8p  
A9VLOuK30khSAjZKaL3jKH9V48WAEXWoIY2ncfFPovw7v7Zyv6bPq2nEIjghvlEf  
9ymb60lfH/5wm29OLbmyOGc9eO0FK1qIcarjkI8Tb+PGsLDkocN+vDy7sbr48AlR  
ZGqLy7awTvdL1G9mFR1S9WMD62jSoHP/wKBwdCHb4cxOXkGjUBMrAnbOXkWU+vkf  
Q3Pc1a6PFkzgH+TjVNYXy6aOyeHZJxCEj/FDXHo/+QauTxx/xUmryxREFjzand7Z  
8TYxpRm78DHmBPmctht+ivZ6thfrcLqtq4xMkCQEUL4PI2pWuL94GiRI3l6e/Iil  
r77PJEmt1v4=fimS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1093-01

By Deeba Ahmed
All malicious apps for macOS identified by researchers were uploaded to The Pirate Bay by a user called "wtfisthat34698409672."
This is a post from HackRead.com Read the original post: Cryptojackers Deploy Trojanized Mac Apps on The Pirate Bay

It simply goes to show that users should never download software from a third-party website or marketplace.

The cybersecurity researchers at Jamf discovered that cybercriminals are trojanizing legitimate Mac software apps with malware and uploading them to **The Pirate Bay** and other pirated software sites, where users download them and unknowingly infect their devices. The attackers use XMRig cryptojacking malware to execute the XMRig utility.

For your information, **XMRig** is a command-line cryptominer. It isn’t new on Mac, as Trend Micro **analyzed** a sample in February 2020. This tool is used for legitimate purposes, but its open-source, adaptable design has made it a popular choice among threat actors.

The newly discovered XMRig implementation was disguised as **Final Cut Pro**, Apple’s video editing software. Attackers used the Invisible Internet Project (I2P) in both iterations of XMRig for outbound communication, raising confusion about whether the infections were connected or part of something larger.

The malicious version of Final Cut Pro is unauthorized by Apple. It executes XMRig in the background. When it wasn’t initially dubbed as malicious by any security mechanism on VirusTotal, from Jan 2023 onwards multiple vendors detected the malware. Still, most of the malicious apps remain undetected.

Researchers from Jamf searched for the **malware source on The Pirate Bay** and found one with a matching hash to the trojanized version and a series of Apple Mac apps, including Logic Pro and Photoshop.

It is worth noting that all apps were uploaded to The Pirate Bay by the user called “wtfisthat34698409672.” Moreover, they found numerous versions of Final Cut Pro.

All malicious apps for macOS have been uploaded by “wtfisthat34698409672.” (Screenshot credit: Jamf)

In a **blog post**, researchers said that,

> “We suspected that the Mach-O sample arrived packaged in a DMG (an Apple image format used to compress installers) for Adobe Photoshop CC 2019 v20.0.6. However, the parent file was not successfully sourced.”
> 
> Jamf

Further probing revealed three generations of malware—the first generation started in August 2019 and was a standard malware implementation. The second generation started in April 2021 and wasn’t detected by **VirusTotal** until February 13, 2023. This version was different as there were additional hidden files, but no persistence mechanism was noted.

Instead, the malware opened with the app and stopped functioning when the app was closed. The third generation had greater stealth features, as there weren’t any hidden executables, but only one large binary with base64-encoded components and **LZMA compression**.

New versions of these malicious Mac apps started appearing on The Pirate Bay within just 24 hours of Apple’s app update releases and were disguised as legitimate processes.

Researchers state that this isn’t a typical **malware campaign** and is more like a methodology for delivering malware. Still, users should beware of trojanized apps and avoid downloading software from unknown sources.

1.  **YTStealer Malware Hijacking YouTube Channels**
2.  **Famous movies spread malware through torrents**
3.  **Torrent uploader CracksNow spreading ransomware**
4.  **BHUNT malware uses cracked software to steal crypto**
5.  **KryptoCibule malware uses torrent sites to steal crypto**

Cryptojackers Deploy Trojanized Mac Apps on The Pirate Bay

The number of people who have made the weaponized software available for sharing via torrent suggests that many unsuspecting victims may have downloaded the XMRig coin miner.

People using pirated versions of Apple's Final Cut Pro video editing software may have gotten more than they bargained for when they downloaded the software from the many illicit torrents through which it is available.

For the past several months at least, an unknown threat actor has used a pirated version of the macOS software to deliver the XMRig cryptocurrency mining tool on systems belonging to people who downloaded the app.

Researchers from Jamf who recently spotted the operation have been unable to determine how many users might have installed the weaponized software on their system and currently have XMRig running on them, but the level of sharing of the software suggests it could be hundreds.

**Potentially Wide Impact for XMRig**

Jaron Bradley, macOS detections expert at Jamf, says his company spotted over 400 seeders — or users who have the complete app — making it available via torrent to those who want it. The security vendor found that the individual who originally uploaded the weaponized version of Final Cut Pro for torrent sharing is someone with a multiyear track record of uploading pirated macOS software with the same cryptominer. Software in which the threat actor had previously sneaked the malware into includes pirated macOS versions of Logic Pro and Adobe Photoshop.

"Given the relatively high number of seeders and \[the fact\] that the malware author has been motivated enough to continuously update and upload the malware over the course of three and a half years, we suspect it has a fairly wide reach," Bradley says.

Jamf described the poisoned Final Cut Pro sample that it discovered as a new and improved version of previous samples of the malware, with obfuscation features that have made it almost invisible to malware scanners on VirusTotal. One key attribute of the malware is its use of the Invisible Internet Project (i2p) protocol for communication. I2p is a private network layer that offers users similar kind of anonymity as that offered by The Onion Router (Tor) network. All i2p traffic exists inside the network, meaning it does not touch the Internet directly.

"The malware author never reaches out to a website located anywhere except within the i2p network," Bradley says. "All attacker tooling is downloaded over the anonymous i2p network and mined currency is sent to the attackers' wallet over i2p as well."

With the pirated version of Final Cut Pro that Jamf discovered, the threat actor had modified the main binary so when a user double clicks the application bundle the main executable is a malware dropper. The dropper is responsible for carrying out all further malicious activity on the system including launching the cryptominer in the background and then displaying the pirated application to the user, Bradley says.

**Continuous Malware Evolution**

As noted, one of the most notable differences between the latest version of the malware and previous versions is its increased stealth — but this has been a pattern. 

The earliest version — bundled into pirated macOS software back in 2019 — was the least stealthy and mined cryptocurrency all the time whether the user was at the computer or not. This made it easy to spot. A later iteration of the malware got sneakier; it would only start mining cryptocurrency when the user opened a pirated software program. 

"This made it harder for users to detect the malware's activity, but it would keep mining until the user logged out or restarted the computer. Additionally, the authors started using a technique called base 64 encoding to hide suspicious strings of code associated with the malware, making it harder for antivirus programs to detect," Bradley says.

He tells Dark Reading that with the latest version, the malware changes the process name to look identical to system processes. "This makes it difficult for the user to distinguish the malware processes from native ones when viewing a process listing using a command-line tool.

One feature that has remained consistent through the different versions of the malware is its constant monitoring of the "Activity Monitor" application. Users can often open the app to troubleshoot problems with their computers and in doing so could end up detecting the malware. So, "once the malware detects that the user has opened the Activity Monitor, it immediately stops all its processes to avoid detection."

Instance of threat actors bundling malware into pirated macOS apps have been rare and far between. In fact, one of the last well-known instances of such an operation was in July 2020, when researchers at Malwarebytes discovered a pirated version of application firewall Little Snitch that contained a downloader for a macOS ransomware variant.

Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery

Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems.
Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification.
"This malware makes use of the Invisible Internet Project (i2p) [...] to download

Endpoint Security / Cryptocurrency

Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems.

Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification.

"This malware makes use of the Invisible Internet Project (i2p) \[...\] to download malicious components and send mined currency to the attacker's wallet," Jamf researchers Matt Benyo, Ferdous Saljooki, and Jaron Bradley said in a report shared with The Hacker News.

An earlier iteration of the campaign was documented exactly a year ago by Trend Micro, which pointed out the malware's use of i2p to conceal network traffic and speculated that it may have been delivered as a DMG file for Adobe Photoshop CC 2019.

The Apple device management company said the source of the cryptojacking apps can be traced to Pirate Bay, with the earliest uploads dating all the way back to 2019.

The result is the discovery of three generations of the malware, observed first in August 2019, April 2021, and October 2021, that charts the evolution of the campaign's sophistication and stealth.

One example of the evasion technique is a shell script that monitors the list of running processes to check for the presence of Activity Monitor, and if so, terminate the mining processes.

The malicious mining process banks on the user launching the pirated application, upon which the code embedded in the executable connects to an actor-controlled server over i2p to download the XMRig component.

The malware's ability to fly under the radar, coupled with the fact that users running cracked software are willingly doing something illegal, has made the distribution vector a highly effective one for many years.

Apple, however, has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura, thereby preventing tampered apps from being launched.

"On the other hand, macOS Ventura did not prevent the miner from executing," Jamf researchers noted. "By the time the user receives the error message, that malware has already been installed."

"It did prevent the modified version of Final Cut Pro from launching, which could raise suspicion for the user as well as greatly reduce the probability of subsequent launches by the user."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware

Red Hat Security Advisory 2023-0634-01 - Logging Subsystem 5.6.1 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift (Logging Subsystem) security update  
Advisory ID:       RHSA-2023:0634-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0634  
Issue date:        2023-02-09  
CVE Names:         CVE-2021-35065 CVE-2021-46848 CVE-2022-3821  
                   CVE-2022-4883 CVE-2022-35737 CVE-2022-40303  
                   CVE-2022-40304 CVE-2022-42010 CVE-2022-42011  
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680  
                   CVE-2022-44617 CVE-2022-46175 CVE-2022-46285  
====================================================================  
1. Summary:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Security Fix(es):

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method  
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3397 - [Developer Console] "parse error" when testing with normal user  
LOG-3441 - [Administrator Console] Seeing "parse error" while using Severity filter for cluster view user  
LOG-3463 - [release-5.6] ElasticsearchError error="400 - Rejected by Elasticsearch" when adding some labels in application namespaces  
LOG-3477 - [Logging 5.6.0]CLF raises 'invalid: unrecognized outputs: [default]' after adding `default` to outputRefs.  
LOG-3494 - [release-5.6] After querying logs in loki, compactor pod raises many TLS handshake error if retention policy is enabled.  
LOG-3496 - [release-5.6] LokiStack status is still 'Pending' when all loki components are running  
LOG-3510 - [release-5.6] TLS errors on Loki controller pod due to bad certificate

6. References:

https://access.redhat.com/security/cve/CVE-2021-35065  
https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-3821  
https://access.redhat.com/security/cve/CVE-2022-4883  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-43680  
https://access.redhat.com/security/cve/CVE-2022-44617  
https://access.redhat.com/security/cve/CVE-2022-46175  
https://access.redhat.com/security/cve/CVE-2022-46285  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+VrodzjgjWX9erEAQhJHxAAjYeOHe6O2pl6MFdHqTfER/9rMjZqgo6z  
u4AkFcT625z+SEyIHz/xqD41KCkWfDCL0i7MabKHhOnXd5jDhIveFy/kTsNu4Jyb  
DCstNACisLM2B4ytXCkfR7pOj20BZlO5IY14zK+rOPJeu3uF7kKF332ELhvDJQHZ  
9iZa0yLdebgJVjK072WYioQqBHUWus7dkmKTMpbud/TmaMVivVGPhpKo449hJSMI  
8c2K3YMG0Cx1IBfZk1yugGHstNkNP/zAVMyx1jYtfBzfap5xX0djfkanDGtwXGdG  
Qsqhks+tXj1SJdrQMwOXr2D9hETnLz56lYKTd3GF+3qYJiEJ+niJj47f5IBnJSep  
abSduOiaYxzZu8eOwMJ9sD/yrYBPxi2pH8pvDjo5gJ/eRowEFtHeuXbpSPv9+0OP  
Ot5TJVYQaJ7sPKwleFPrB0IE42IXYPACMLwLEYLdq+bZhzsMLr3gAuCfK7oqIx/m  
7V9gAHD13BDU3aJlgAu/KsFxL8SopABcCfbXlktBgFVQF43s9eoGTlUTGPWQ5Stm  
t1SD85kYd5kOQk1qt25X9OLVs6tOeHQeFLOd4UBNf9cmzA2K+jlAEerwayTOHJNW  
H3LRkX/8FA4HFYX4aX0sB38pP3DZyPTeVj++QDQLk+k3y53dFRcfexi7tSeul/bw  
7CsN2+c4hI0=1so9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0634-01

Red Hat Security Advisory 2023-0570-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.2. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.2 security update  
Advisory ID:       RHSA-2023:0570-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0570  
Issue date:        2023-02-07  
CVE Names:         CVE-2021-4235  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.12.2 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.12.2. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2023:0569

Security Fix(es):

* go-yaml: Denial of Service in go-yaml (CVE-2021-4235)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-[y]-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-5526 - AMQ reconnect for 7 minutes  floods linuxptp daemon with socket connection error

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+MWPNzjgjWX9erEAQjW2A/9HUdsDAuW4GAuwqXacgTYZc1qeuVi/pZr  
+PlhXvXvlOSn2+MxGW+NHTSJGAgJOJS66HsazMJjNPO5S67ZjIxQPrbYd8rXVP+q  
aVaR/19Ois+8nnwDq9m3l+msEJGKnoDQ23XYUhUnKHBJcRQ6v69/PuZiplL33M2c  
7XjOWSh/Z2m5QHSlbKbur537mnAhlT3UnsYz+ZReT7qg5gGXrBfSDl2ICXpY7fdm  
jVujD7RlnUizdesKZp85f6/tRTbEZg/abOqTbFa/ovmLROqEopybekJtS6jaDaEq  
ds+yGrspQgEjo8jNyFYf9QdZxjpMjNzbINSSuX2wZLOdo/xbABU63IN7fM3TsYol  
HM+M8IKmuhiYT4rivwgltX4zjtxUQbz1E0LI1GhO+zDlcYHu0LozGwXIZNVNw8Q+  
FW8UuZYSXLf3Uc52XwPHHfRDeTR/POxCWXnRVGAKA3iDPAjdrVMTk3ScqHqxzEQ8  
5ILr7GIyLWItw200qvK/UWB9TDsypnj32ZNy6lKlQS49gI+fTcd17E8iwuQaSdpC  
sHUv1kIA3+vcO/WJq3oVCPpLgXI2POpOFc3SL+K/99h3hthDk5uhOglNGbkMfaHv  
oyHCJuCo7us5HrTxXn35WumejXDxE/BL8atM2NHnGFYs2HB3AWLFwVleyXcOsezd  
DwdR2k28dik=I1Sm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0570-01

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

I2P 2.1.0

Red Hat Security Advisory 2022-8961-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes the security fixes listed below. Issues addressed include a traversal vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.1 security update on RHEL 7  
Advisory ID:       RHSA-2022:8961-01  
Product:           Red Hat Single Sign-On  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8961  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-3782 CVE-2022-3916  
====================================================================  
1. Summary:

New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat  
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.6 for RHEL 7 Server - noarch

3. Description:

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak  
project, that provides authentication and standards-based single sign-on  
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a  
replacement for Red Hat Single Sign-On 7.6.1, and includes the security  
fixes listed below.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* keycloak: Session takeover with OIDC offline refreshtokens  
(CVE-2022-3916)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding  
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens

6. JIRA issues fixed (https://issues.jboss.org/):

CIAM-4414 - Build RPMs for this patch

7. Package List:

Red Hat Single Sign-On 7.6 for RHEL 7 Server:

Source:  
rh-sso7-keycloak-18.0.3-1.redhat_00002.1.el7sso.src.rpm

noarch:  
rh-sso7-keycloak-18.0.3-1.redhat_00002.1.el7sso.noarch.rpm  
rh-sso7-keycloak-server-18.0.3-1.redhat_00002.1.el7sso.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-3782  
https://access.redhat.com/security/cve/CVE-2022-3916  
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ipotzjgjWX9erEAQjCBA//UBYUDvesP1x2wXWYvnR28asrOWhGk7tA  
n2G9Rf8/9jkZS2QetFy9xLsSBVGEOz+4ZhnyMST5XgjRkdpC+TcpcjgkgZ+w3V6X  
fSfbeyC3SvxK9S8+s59yrRHmBbkXBhlJf37BEXhWaJXJ0FTO72NvPM1vUWRKWW1w  
vK5/CW27UBTqxNgpXSiBeO/rIVRbknVCxD+YXQlwaGW8+jvxWzo/8JJ/nshJ1bDg  
5Q3mC6kuv5SFpF4UhjGBQAuw+COoMZ+4FNRSUNWuErpvPd1YpEDyEEfxT1tArZDM  
IKWxpaVSNnFvKrkAqFUs6uuNiW/vzc+Sm7u79Ax0o6WUpD3J3t7oAstS8FWHM6qL  
WFuEUv0sKROLtR1o1IxROwjlMRyJXhTKwNZI3A8xG762/tFX9N0y1tJFO5rm/Wqf  
cXsi9fily473Y+JCnTNQS0rrwhy3ZV2w3SFM1lcrgMA5Y3BuRYqz63yLq8EsYMwX  
hW/1TgBj0QBP5QLlncs9eFF+vfvSFMq5780JJhniTkmdfLtuIPlWhFPjpwcA0XKY  
K+pVXDSfZ76V4mZaNKN8JQnps/xvbc7rUHjWZ8MCi2PDnZwpzj2KT+WjI31YsQbe  
5CHaMYS5ikZ3P2xHQIqaacAmEUqrYHo1dI75KZ9azjXcubgMk5/KNXD+gmo0bmnX  
uI04HxR4UHc1O  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8961-01

Red Hat Security Advisory 2022-8940-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include an out of bounds write vulnerability.

Tag

#i2p