Red Hat Security Advisory 2023-5970-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5970.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 17.1.1 (collectd-libpod-stats) security updateAdvisory ID:        RHSA-2023:5970-01Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5970Issue date:         2023-10-20Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 17.1.1.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A highly-available key value store for shared configurationShared library for infrawatch golang componentsSecurity Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5970-01

Red Hat Security Advisory 2023-5969-01 - An update for collectd-libpod-stats, etcd, and python-octavia-tests-tempest is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5969.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 17.1.1 security updateAdvisory ID:        RHSA-2023:5969-01Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5969Issue date:         2023-10-20Revision:           01CVE Names:          CVE-2023-29409====================================================================Summary: An update for collectd-libpod-stats, etcd, and python-octavia-tests-tempest is now available for Red Hat OpenStack Platform 17.1.1.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The etcd packages provide a highly available key-value store for shared configuration.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-29409References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5969-01

Red Hat Security Advisory 2023-5967-01 - An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.1.9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5967.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 16.1.9 (collectd-libpod-stats, etcd) security updateAdvisory ID:        RHSA-2023:5967-01Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5967Issue date:         2023-10-20Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: An update for collectd-libpod-stats and etcd is now availablefor Red Hat OpenStack Platform 16.1.9 (Train).Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A highly-available key value store for shared configurationSecurity Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5967-01

Red Hat Security Advisory 2023-5965-01 - An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5965.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenStack Platform 16.2.5 (collectd-libpod-stats, etcd) security updateAdvisory ID:        RHSA-2023:5965-01Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5965Issue date:         2023-10-20Revision:           01CVE Names:          CVE-2023-29406====================================================================Summary: An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.2.5 (Train).Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A highly-available key value store for shared configurationSecurity Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-29406References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5965-01

Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5964.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat OpenStack Platform 16.2.5 (collectd-libpod-stats) security update  
Advisory ID:        RHSA-2023:5964-01  
Product:            Red Hat OpenStack Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5964  
Issue date:         2023-10-20  
Revision:           01  
CVE Names:          CVE-2022-41724  
====================================================================

Summary: 

An update for collectd-libpod-stats is now available for Red Hat OpenStack  
Platform 16.2.5 (Train).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Collectd plugin for gathering resource usage statistics from containers  
created with the libpod library.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)

* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-41724

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5964-01

Red Hat Security Advisory 2023-5715-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5715.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx:1.20 security updateAdvisory ID:        RHSA-2023:5715-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5715Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5715-01

Red Hat Security Advisory 2023-5712-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5712.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nginx:1.20 security updateAdvisory ID:        RHSA-2023:5712-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5712Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5712-01

Red Hat Security Advisory 2023-5701-01 - An update is now available for Red Hat Ansible Automation Platform 2.3. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5701.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2023:5701-01Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5701Issue date:         2023-10-16Revision:           01CVE Names:          CVE-2023-5115====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.3Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* ansible-core: malicious role archive can cause ansible-galaxy to overwrite arbitrary files (CVE-2023-5115)* automation-controller: Django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional changes:* ansible-core has been updated to 2.14.11* automation-controller has been updated to 4.3.16Solution:CVEs:CVE-2023-5115References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-5701-01

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

**Next.js missing cache-control header may lead to CDN caching empty reply**

Low severity GitHub Reviewed Published Oct 22, 2023 to the GitHub Advisory Database • Updated Oct 24, 2023

GHSA-c59h-r6p8-q9wc: Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

**Verify canary release**

*   I verified that the issue exists in the latest Next.js canary release

**Provide environment information**

    Operating System:
      Platform: darwin
      Arch: arm64
      Version: Darwin Kernel Version 22.2.0: Fri Nov 11 02:03:51 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T6000
    Binaries:
      Node: 16.19.0
      npm: 9.4.0
      Yarn: 1.22.19
      pnpm: 7.26.0
    Relevant packages:
      next: 13.1.6-canary.1
      eslint-config-next: 13.1.5
      react: 18.2.0
      react-dom: 18.2.0
    

**Which area(s) of Next.js are affected? (leave empty if unsure)**

Data fetching (gS(S)P, getInitialProps)

**Link to the code that reproduces this issue**

https://github.com/muntamala/nextjs-no-cache-issue

**To Reproduce**

Run the server in production mode

    yarn
    yarn build
    yarn start
    

and navigate to http://localhost:3000/. Observer the network for example with chrome developer tools. When loading the  
static home page the app also prefetches the ssr pages json. What the response for the SSR page json is missing is  
cache-control no-cache directive. Navigating to the ssr page results in the ssr pages json being re-fetched and this time  
it does include the no-cache directive but if there would be a caching element in between like a CDN then we would not hit  
the actual api until the empty cached response expires.

**Describe the Bug**

Prefetch of data for SSR pages returning empty object without a cache-control header having no-cache directive. This can potentially cause issues with CDNs as it did in our case. For example CloudFront having a default TTL value of higher than 0, which by default is 24h, would result in the CDN caching the empty response. The empty cached response would then be served by the CDN when user navigates to the SSR page and the page tries to fetch server side props using the same URL (.../ssr.json)

The enabler for this behaviour seems to be using a middleware. If a middleware (middleware.ts) is present then the  
prefetch for pages is done separately for each page whose path is present on the page via Link component (prefetch true).

**Expected Behavior**

I'd expect next.js to behave sensibly in terms of cache control and set no-cache directive for getServerSideProps as  
stated in next.js documentation:

    If the page uses getServerSideProps or getInitialProps, it will use the default Cache-Control header set by next start
    in order to prevent accidental caching of responses that cannot be cached. If you want a different cache behavior while 
    using getServerSideProps, use res.setHeader('Cache-Control', 'value_you_prefer') inside of the function as shown above.
    

**Which browser are you using? (if relevant)**

Google Chrome 109.0.5414.119 (Official Build) (arm64)

**How are you deploying your application? (if relevant)**

yarn build, yarn start

Tag

#js