A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

**CVE-2022-43144 : Stored-XSS****Description**

A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

**Impact**

*   Allowing an attacker to hijack the user's session and take over the account.
*   To exploit this vulnerability victim must visit the page where the XXS payload is stored.

**Affected Application link**

*   https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html
*   https://www.sourcecodester.com/download-code?nid=15688&title=Canteen+Management+System+Project+Source+Code+in+PHP+Free+Download

**Proof of concept**

Once the application is up and running we can log in.

We have "Add Invoice" feature with in the application.

we can add an invoice and check our entries are made available on the "manage Invoice page".

Let's add an invoice with a special characters in the contact field.

The application does not perform any encoding of special characters provided by the user.

let's analyze the source and understand how the application is handling provided data.

It is clear that the application doesn't perform data validation and trust user-supplied data, we can use the below XSS payload as input which may be stored in the application.

Let's analyze the source too if there is any data validation in place while storing the data.

The entry provided was added to the database.

We can successfully execute the javascript payload indicating the application is vulnerable to XXS.

CVE-2022-43144: GitHub - mudassiruddin/CVE-2022-43144-Stored-XSS: PoC to exploit CVE-2022-43144

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

Microsoft finally patched the publicly known "ProxyNotShell" and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.

The targeted zero-days are part of a tranche of 68 security fixes for November's Patch Tuesday group, 11 of which are rated critical.

The fixes address CVEs that affect the gamut of the security giant's product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.

**Actively Exploited Zero-Day Vulnerabilities**

The group of zero-days listed as under active attack is the largest for Microsoft so far this year.

Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full "pwning" of an Exchange Server.

"At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors," Automox researcher Preetham Gurram said in a Nov. 8 analysis. "The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied."

Microsoft also addressed the known and analyzed Mark of the Web issues — they're being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft's MotW security feature — Microsoft says only the former is being exploited in the wild. 

Another zero-day being used in active campaigns is a critical RCE bug affecting Windows Scripting Languages (CVE-2022-41128, CVSS 8.8). Mike Walters, vice president of vulnerability and threat research at Action1, tells Dark Reading that it specifically affects the JScript9 scripting language, which is Microsoft’s legacy JavaScript dialect, used by the Internet Explorer browser.

"The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website," he explains. "It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed."

The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft's next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).

"With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability," Automox researcher Gina Geisel said in an emailed analysis. "With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts."

The second exists in Windows Print Spooler (CVE-2022-41073), and Action1's Walters describes it as a relative of last year's PrintNightmare bug.

"Microsoft continues to patch minions of the PrintNightmare vulnerability," he says. "This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop."

**Critical Bugs of Note for November**

Other issues in November's update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.

That's likely because Kerberos is an authentication protocol to verify a user or the host's identity, noted Automox's Gurram. It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization's domain, it enables single sign-on (SSO).

"The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field," Gurram said. "RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited and take full control of any service accounts."

ZDI's Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.

"Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps," he advised. "Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality."

Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).

"There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols," Childs said. "If you rely on PPTP, you should really consider upgrading to something more modern."

The remaining critical bugs are as follows:

*   CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said "could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”
*   CVE-2022-41118: An RCE bug affecting the Chakra and Jscript scripting languages (CVSS 7.5)
*   CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.

**Patch ASAP**

Even though this month's update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.

"As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.)," he said in emailed commentary. "It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched."

Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

By Waqas
It has been identified that these malicious packages are downloaded over 29 million times each day.
This is a post from HackRead.com Read the original post: Python Developers Beware: Malicious Packages are Swapping Out Your Crypto Addresses

According to the IT security researchers at Phylum, dozens of malicious **Python** packages target developers by replacing crypto addresses in developer clipboards.

Phylum researchers have identified dozens of typosquat packages, and a separate campaign is also identified in which several more packages are involved. This campaign is also targeting developers and their cryptocurrency.

What’s worse, researchers have found that these malicious packages are downloaded over 29 million times each day.

**Modus Operandi**

Once the package is installed, a malicious JavaScript file is launched in the background of an ongoing web browsing session. Therefore, when a developer in the **clipboard copies a cryptocurrency address**, it is replaced with the attacker’s address.

So far, these packages have been downloaded more than a hundred times. The payload for each malicious package is present in the setup.py. The attackers initiate the attack chain by obtaining a list of interesting paths. If the user has an administrator account, the attacker will add an additional path to the list.

Afterward, they will create an Extension director in case there isn’t one already. Lastly, the attacker will write an obfuscated JavaScript to the$APPDATA\\\\Extension folder and a manifest.json to the $APPDATA\\\\Extension folder to request for clipboardWrite and clipboardRead permissions.

**Malicious Packages List**

The list of packages is constantly expanding in this currently active campaign. In a **blog post** published November 7th, Phylum’s Co-founder and ex-NSA software developer Louis Lang shared the following list:

baeutifulsoup4

beautifulsup4

cloorama

cryptograpyh

crpytography

djangoo

ipyhton

mail-validator

mariabd

notebok

pillwo

pyautogiu

pygaem

 

pytorhc

python-dateuti

python-flask

python3-flask

pyyalm

rqeuests

slenium

sqlachemy

sqlalcemy

tkniter

urlllib

hello-world-exampl

hello-world-example

mysql-connector-pyhton

**Associated Dangers**

After successfully dropping the payload and gaining the required permissions, the attacker can create a textarea on the page and **paste clipboard content** or use regular expressions to look for common cryptocurrency address formats.

Moreover, they can **replace identified addresses** with attacker-controlled addresses in the already created textarea. When the compromised developer copies a wallet address, the malicious package replaces the address with an attacker-controlled address, inadvertently leading to transferring of funds to the attacker’s wallet.

However, as of now, funds haven’t been transferred to any of the attacker-controlled wallets, including the following:

*   TRX TWStXoQpXzVL8mx1ejiVmkgeUVGjZz8LRx
*   LTC LPDEYUCna9e5dYaDPYorJBXXgc43tvV9Rq
*   BNB bnb1cm0pllx3c7e902mta8drjfyn0ypl7ar4ty29uv
*   BTC bc1qqwkpp77ya9qavyh8sm8e4usad45fwlusg7vs5v
*   ETH 0x18c36eBd7A5d9C3b88995D6872BCe11a080Bc4d9

Phylum assumes that although the malicious packages have been reported, their number of downloads and package count may keep increasing.

1.  **Trojan Source attack lets hackers exploit source code**
2.  **6 official Python repositories plagued with crypto malware**
3.  **Malicious npm Packages Used in Siphoning Off Discord Tokens**
4.  **Cryptojacking Campaign Kiss-a-dog Hits Docker and Kubernetes**
5.  **Cybercriminals hit malware authors with malicious NPM packages**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Python Developers Beware: Malicious Packages are Swapping Out Your Crypto Addresses

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

CVE-2022-42494: AIOSEO Changelog - AIOSEO

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

CVE-2022-40206: wpForo Forum

Rapid remedy follows reawakening of long-dormant bug threat

Rapid remedy follows reawakening of long-dormant bug threat

A critical vulnerability arising from improper input validation has been addressed in XMLDOM, the JavaScript implementation of W3C DOM for Node.js, Rhino, and browsers.

The flawed behavior was seemingly first flagged as potentially in need of remedy in 2016. But it was only with the recent discovery of an authentication bypass in Passport-SAML, the SAML 2.0 authentication provider for Node.js library Passport, that XMLDOM maintainers tackled the root cause of the problem.

“Xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing,” an XMLDOM advisory published on November 1 explained.

**Breaking the assumption**

“This breaks the assumption that there is only a single root node in the tree,” it continues, and poses “a potential issue for dependents”.

The bug was assigned CVE-2022-39353 and a severity rating of CVSS 9.4 by GitHub CVE Numbering Authority, later uprated in severity to CVSS 9.8 by the NIST National Vulnerability Database.

XMLDOM is widely used, with NPM detecting 2.8 million weekly downloads (albeit caveats apply regarding the accuracy of download counts).

DON’T MISS Gatsby patches SSRF, XSS bugs in Cloud Image CDN

Kurt Boberg, a maintainer on the project, told The Daily Swig: “Any security-critical workflow that accepts partial signatures on XML and reads a child node is likely affected by this issue.

“The core problem is that you can supply two XML documents to a request (one valid, one forged) and as long as the validator accepts the legitimate one, a property read via xmldom can potentially read a node value out of the forged document.”

**Passport-SAML bypass**

Passport-SAML, which has 167,000 weekly NPM downloads, mishandled cryptographic signature verification because of the XMLDOM flaw. Tracked as CVE-2022-39299, the high severity Passport-SAML issue potentially enabled an attacker “to bypass SAML authentication on a website using passport-saml,” The CVE description said.

“A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.”

The bug, assigned a severity score of CVSS 8.1, was patched on October 11.

**‘Worst possible outcome’**

Asked what other damage an attacker might potentially cause downstream of the XMLDOM bug, Boberg said it “really depends on the expectations around the XML parsing. The aforementioned SAML issue is pretty much the worst possible outcome.

Read more of the latest cybersecurity vulnerability news

“It really hinges on the parsing application making a security decision based on XML input from the user that it expects to be signed. It’s like stapling an additional page to a notarized document, and passing it through a verification process that only checks if the first page is notarized.”

He added: “The downstream impact depends entirely on what the legitimate document would let you do.”

**Path to a patch**

The related GitHub bug thread began in 2016, when an XMLDOM maintainer said the issue “appears to me to be a violation of the W3C DOM Level 2 Core Specification”.

Speculating that the flaw “might be a ‘false-positive’ bug”, he suggested “there is some utility in being able to parse multiple documents in a single stream, if the API can be re-tooled just a bit”. He also described doing so “silently without issuing even so much as a warning to consumers” as “odd”.

The thread then remained dormant until the emergence of the Passport-SAML vulnerability and its root cause quickly became apparent, prompting the rapid deployment of patches within @xmldom/xmldom NPM versions 0.7.7, 0.8.4, and 0.9.0-beta.4, together with mitigations, fix details, and advice to developers to align with the specs to avoid code breakage.

YOU MIGHT ALSO LIKE OpenSSL vulnerability downgraded to ‘high’ severity

Passport-SAML auth bypass triggers fix of critical, upstream XMLDOM bug

True the Vote’s IV3 app is meant to catch election cheaters. But it has a fundamental flaw.

Ten days before Georgia’s Senate runoff election in 2021, Gamaliel Warren Turner Sr., a 69-year-old veteran, found out that someone in his county had challenged his eligibility to vote. Turner, a retired major in the US Army, had requested an absentee ballot, and when it didn’t arrive in the mail, he got nervous and called the Muscogee County registrar’s office to figure out where it was. According to court records, a clerk informed Turner that his name was on a list of thousands of voters in the county whose registrations were under investigation.

“I was beyond irate. I was hollering,” Turner says. “I didn’t know what the hell a voter challenge was. I just wanted to know, am I going to be able to vote or not?”

Turner has lived in Georgia for his entire life and voted there in nearly every election for the past 50 years. He owns a home there and the utility bills are under his name. He has a Georgia driver’s license that he uses to drive his two cars, both registered in Muscogee County. But in 2019, his job required that he temporarily relocate to Camarillo, California. In order to avoid missing packages while away on his temporary work assignment, he did what millions of Americans do every year and notified the United States Postal Service (USPS) that he wanted his mail forwarded to a new address.

What Turner didn’t know at the time was that this simple notification to the USPS would enmesh him in a scheme dreamed up by a right-wing activist group called True the Vote that ended up challenging the voter registrations of 364,000 Georgians.

Best known for its work on the widely debunked film _2,000 Mules_, True the Vote had developed an algorithm that matched names in voter rolls with data kept by the USPS about individuals who changed addresses. The group’s goal was to aggressively cull voter rolls, under the suspicion that inaccurate registrations lead to voter fraud, which is extremely rare in the US.

Along with Turner’s, True the Vote sent the names of approximately 4,000 supposedly ineligible voters to the leader of the Republican Party in Muscogee County, Alton Russell, a toilet paper salesman, who in turn submitted them to the county Board of Elections to challenge their voter registrations. But the scheme didn’t work: Most of the counties in Georgia rejected True the Vote’s challenges, and Turner successfully sued the Muscogee County Board of Elections to ensure his ballot would be counted in the 2021 runoff election.

Undeterred, True the Vote has quietly rolled out a web app called IV3 to replicate this process around the country. The browser-based application has led to the challenges of hundreds of thousands of voter registrations, the group claims. Yet little is known about IV3. The app is not active in most states, and to get access, you need to provide True the Vote with a valid form of identification. But by analyzing the code IV3 uses for its frontend, WIRED has been able to piece together how the tool likely functions. Our review found that the app ultimately uses an ineffective and unreliable methodology to determine who should remain on the rolls. Experts say that the app weaponizes public data and is more likely to remove eligible voters from the rolls than it is to catch rampant fraud that doesn’t exist in this country.

True the Vote is a Texas–based nonprofit whose founder, Catherine Engelbrecht, has played a crucial role in mainstreaming the voter fraud movement. The organization has set itself apart by using technology to legitimize their dubious claims of massive voter fraud, but it has consistently refused to provide any empirical evidence. IV3 is part of a growing strategy by right-wing activists to leverage state laws that allow a private citizen to dispute a voter's eligibility to toss out tens of thousands of voter registrations and ballots in battleground states. According to _The New York Times_, activists in Michigan tried to challenge 22,000 voter registrations for the state’s August primary. In Texas, residents challenged the eligibility of more than 6,000 voters in Harris County.

While it’s unclear how many voter challenges were facilitated using True the Vote’s app, Facebook posts from groups organizing some of the country’s largest voter challenges suggest that people are actively using IV3. For instance, in September, a group called VoterGA challenged the registrations of 37,500 voters in Georgia. On its Facebook page, one member encouraged her colleagues to use IV3, claiming that she had used the app to challenge nearly 6,000 people in Georgia’s Fayette County.

According to the True the Votes tax filings obtained by _Reveal_ from the Center for Investigative Reporting, True the Vote spent more than $500,000 on app development in 2020, using some of those funds to build a “proprietary organizing web app” that leverages its “national voter roll database” to “notify counties of voter role inaccuracies”. The app, which is not named but whose description mirrors IV3, was likely built by OPSEC Group LLC, whose founder, Gregg Phillips, was a former board member of True the Vote who has worked closely with Engelbrecht for years. OPSEC also performed the debunked data analysis behind _2,000 Mules_.

Court marshals arrested Engelbrecht and Phillips last week after they refused a court order to turn over alleged evidence of voter fraud that’s central to a defamation case brought by software company Konnech against True the Vote. Representatives for True the Vote did not respond to WIRED’s request for comment.

Access to IV3 is limited only to verified individuals who reside in one of the seven states where the app is active. However, WIRED was able to analyze the app’s public-facing code to get a better understanding of how it works. This was possible because upon loading the app’s login page, the browser automatically requests all the code needed to render the frontend components of the entire tool, even if a user is unauthenticated. By saving these HTML, JavaScript, and CSS files and running a web mock server, WIRED was able to explore some of the core features of the app, albeit without live data sent from True the Vote’s servers.

In a help page WIRED found bundled in the app’s code, True the Vote claims that IV3 cross-references state databases of voter registrations with the USPS NCOALink database, a dataset of approximately 160 million permanent change-of-address records that can be licensed for a fee. If True the Vote’s algorithm finds a “substantive discrepancy” between the two records, it will flag the registration for manual review by individuals who sign up to use the app. These records then show up in a page on the app called “IV3 Identified Records for Review.” After a volunteer submits a challenge, True the Vote claims to “prepare that challenge for filing based on your state’s specific requirements.” Network requests made by the app suggest that individuals who sign up for IV3 are only able to see and vet registered voters in their own county, as many state laws only allow other voters within the county to submit challenges.

When we rendered the frontend components in IV3, we found that the tool also gives vetted users the ability to look up the registrations of any voter in their county in order to determine whether or not the registration looks suspicious enough to challenge. While this voter registration data is technically public, its distribution by a partisan group can feel intimidating. “I feared that I could—or my family could—become the next target of harassment from True the Vote and their supporters for having voted, especially because my name and address had been published online and I had been publicly identified as a challenged voter,” a woman who had their registration challenged by True the Vote said in court records.

While WIRED was unable to use the app with live data, court records suggest that the way True the Vote matches individuals from voter rolls to those in the USPS database appears broken. Ken Mayer, a political scientist who analyzed a file of challenged voters for a lawsuit that Fair Fight filed against True the Vote, said in an expert report that True the Vote’s file of challenged voters was “riddled with errors” and “almost certainly mismatches voters with NCOA records.” He added, “The results do not come anywhere close to what would be required for valid practices in academic studies of election administration.” True the Vote did not respond to questions about Mayer’s assessment.

Moreover, experts say that the entire premise of using USPS data alone to invalidate voter registrations is flawed. Andrew Garber, a counsel within the Brennan Center’s Voting Rights and Elections Program, says that there are dozens of reasons why people might want their mail forwarded and all are insufficient alone to cancel a voter’s registration. “The use of this app is really concerning because it seems to be an effort to automate and take onto a mass scale a process that’s supposed to be local and individualized,” Garber says.

USPS did not immediately respond to WIRED’s request to comment on True the Vote’s use of its address-change data.

The voter challenges facilitated by IV3 have already run into problems. In an email IV3 sent to its users in August that WIRED obtained, True the Vote has run into hurdles in Georgia, Ohio, and Pennsylvania. The email states that in Pennsylvania, election officials told True the Vote each challenge requires a notarized and signed affidavit, at a cost of $5 to $7 each. “Think about that for those of you who completed 20, or 50, or 100, or several hundred challenges,” the August email reads. “It was never our intent for this process to cost our volunteers any money, much less hundreds to thousands of dollars just to ask your county to check and verify the rolls. We will be talking to election attorneys and Pennsylvania officials about this statute. It needs to be changed.”

While IV3 makes it possible to file a large number of challenges, it’s highly unlikely that any of them would be sufficient to remove anyone from voter rolls. Nevertheless, the challenges are likely to burden election officials as they may have to research and adjudicate each challenge brought. According to Garber, “even if the challenges don’t result in people being removed from the roles, they are gumming up the works and slowing down other vital election processes.”

Turner says he already voted by absentee ballot for the 2022 US midterms, which conclude today. But that doesn’t mean he’s not concerned with what True the Vote has been up to around the country. “It’s dangerous,” he says. “They are just throwing everything up against the wall and seeing what sticks. All of their strategies to disenfranchise voters are just sowing distrust about elections and it’s frustrating. I just don’t know where all of this is heading.”

Inside the ‘Election Integrity App’ Built to Purge US Voter Rolls

Red Hat Security Advisory 2022-7830-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:14 security update  
Advisory ID:       RHSA-2022:7830-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7830  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-44531 CVE-2021-44532 CVE-2021-44533  
                   CVE-2022-21824 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Improper handling of URI Subject Alternative Names  
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection  
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields  
(CVE-2021-44533)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names  
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection  
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields  
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm

noarch:  
nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm

s390x:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x.rpm

x86_64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44531  
https://access.redhat.com/security/cve/CVE-2021-44532  
https://access.redhat.com/security/cve/CVE-2021-44533  
https://access.redhat.com/security/cve/CVE-2022-21824  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSMNzjgjWX9erEAQiFmA/+PFsIM04d2Gzf9L0EzhYopvP+2hpQ3oXe  
rxs1jY17w/shvRUvBEcfFGwjqkw+9BROLnY76riBWXvS4cLdic/GaVoDYA053Swv  
qg47PgZuYgyM6Vj0ggqnN4pmN+4ydnGQnfCY5enQMZuUEEtkoP1kKj/r0b14G2Qb  
QAfRjS4kIBsIqdfWVLmB2ADyG4/RErrmQznmqnI+NgyVed+EcHQwKDXWJxQAcf1d  
bSWPPiYxKDMjl4prvFCIO4j5HIMcSxX2ydCuzU+unzdAzEVfhksJvug4vJOhI/tj  
vLbNYpb32szyWDF8RKqBCxqtpSFL+Rj1dSB9S8vLRD1vdme8GcY0bb4RMT5A7rxG  
vxboN1UnFBVasytToFrVMb6YI0hRIbY6u/AEDr7FpuZlc75IeBDuTrd513g0/JV2  
3s7uSktUx+5CLE6yTcbjNFzyxt/CWlXYRLxDjei4PAgTHUob0XV4ceegiSQtIrJR  
BsDZ92Rl3fL0h5ifQyX852F4aYDdN4wUNeaOL6dDh8I/O7YTdmwVrFJOsCaJbuW2  
eEEezk6n3EsGA0GUu3g4llzynyE+kbEVM03ZycSVeL5Rg14p05nabXiYy22r3fKq  
oKo6QsdExSS+8yzDLVpug1B8LUbQ9KjA3TwkuSpAFzLFF4Gdf9TDT81cXMnxoYbU  
9kKLmbdmAnM=ZgF8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7830-01

Red Hat Security Advisory 2022-7821-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security update  
Advisory ID:       RHSA-2022:7821-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7821  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-35255 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18.9.1). (BZ#2130559, BZ#2131750)

Security Fix(es):

* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.src.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64.rpm

noarch:  
nodejs-docs-18.9.1-1.module+el8.7.0+16806+4109802b.noarch.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le.rpm

s390x:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x.rpm

x86_64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35255  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSJNzjgjWX9erEAQjaww/9FwAgM6VhLuL/A6jOAoTuAbjXIPjLq3bf  
BycFTPsYskS5aXT7hJUyT8WJQobCaw1J0e5c/+QnjJW1/9RNeAfoVNpuGyrnunXA  
4Ferj6qFwWHtzr0b2noQW0mzuOm6Ecen9r30vl58e+mgpmolrDWtf+Wsm/5fxuC4  
9CUfdJ7doifnNbrnmBGNOaINHflSAPo+GUZvvrPozYv74uuE2hmMTzM6rtg5EXqG  
hEI0zLJzTf3KWsKW6iIOWlOA2Kppn7JRsjNK2DQIotSSTmfNhS0AybKfp30Mgyia  
fxcOV0hdFqMq7HrOd/daP61DhhmyAECgYUCrhnVl01ntLQAPmmTmSihOHxrTbZcJ  
HewcOKlos2GgnQAX+DoMREn6KnvFTXT2xU0vO/X8Pbl2TyQ8B89Jb8m3hR71OBnG  
ARBDiEG9yWQaMLqrI9YHcsOR+4DxsXgecjItc3Bd9jbBKkLgnTi1efEjW/SdjU9b  
GWhL/2DVPOT9yg/j/+/me8+3c9O7vnePN7zaxUEoZ0DmdsDKlOzrC/D69thVIqXY  
JSQ8cINZ37RiCNRxcEvMQpwm/y79OCWVGdPptsluBapNDur5qeg2KrDYeHYsMXGF  
X9D6fP1Vod455kt+TxJCijA9XYT0JG7BA+KA5esIT2reCTvgQlP5QaEWqlNI39d4  
z9dijpwH2po=+8w0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7821-01

Red Hat Security Advisory 2022-7643-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Issues addressed include denial of service and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: bind9.16 security update  
Advisory ID:       RHSA-2022:7643-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7643  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-25220 CVE-2022-0396  
====================================================================  
1. Summary:

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain  
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver  
library (routines for applications to use when interfacing with DNS); and  
tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)

* bind: DoS from specifically crafted TCP packets (CVE-2022-0396)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2064512 - CVE-2021-25220 bind: DNS forwarders - cache poisoning vulnerability  
2064513 - CVE-2022-0396 bind: DoS from specifically crafted TCP packets  
2128601 - CVE-2022-38177 bind: memory leak in ECDSA DNSSEC verification code

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
bind9.16-9.16.23-0.9.el8.1.src.rpm

aarch64:  
bind9.16-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm

noarch:  
bind9.16-license-9.16.23-0.9.el8.1.noarch.rpm

ppc64le:  
bind9.16-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm

s390x:  
bind9.16-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm

x86_64:  
bind9.16-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm

noarch:  
bind9.16-doc-9.16.23-0.9.el8.1.noarch.rpm  
python3-bind9.16-9.16.23-0.9.el8.1.noarch.rpm

ppc64le:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm

s390x:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm

x86_64:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-25220  
https://access.redhat.com/security/cve/CVE-2022-0396  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSW9zjgjWX9erEAQhIyw//SGCFyvcxj0U6yn2bbf0O2/C9simPnh9g  
11SwSlmRGAfEAcVbaczaAUd9Z74ap5lEDdUSagxBdV9HA6OWoTPRYkcikvn4JDK2  
27Kl1/yjsEEdRGpjCd3TjTBsRO/2YsQJwCzpf9iwnD5RJKlX9hty7EIwxRQR9EnY  
SVlaPmUDcXgSfcJ+6SaUahPRkzvZ0tya30oBuqNgAl6UExAiQ+hUN3K7J8by3ZQw  
ZMovwQ3CTyN0y8YJubuTswVyLcNDtQVMk8Hu6EHvdlhc0ZUgH9tXcxGakyA5uF0Q  
7IvKDnGxnVEDBUdSTZp06iX+nhM8RawWJfa95Z1V9nKkOIAA3ALFBWdC8VT+X2RJ  
+GRLIqSVu5lGteA38+G29T8NPHEXWPEzQfuf54Wy9JPWetKHk1o2iCgbLiX4D8gu  
YMylIk0m/CdfkAjDGn2msG+gnCDMLPgyTunYK0enflWGJvaTN3BmSA84/fAci36M  
f+DROFugmjD+meGmDcNxyw72/UB3dARuUJjtlHaym4DIv8O/LuSVo4XgspBLtIJT  
Kh3qDsXzKE2WvkLseynI87E/7C0aWLacDmzf2m4QiTu+4r/tesRxv0oJfcD7c1aF  
DdLGHtWtjuQqu2Yr3xG0IhJiPYdKpB8R5L2p8Lyl2CX26ppgds0m6qUAQGmbz4gX  
1ORsy/EWei0=pWJB  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#java