Red Hat Security Advisory 2022-7581-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Red Hat Security Advisory 2022-7581-01

Red Hat Security Advisory 2022-7813-01 - The zlib packages provide a general-purpose lossless data compression library that is used by many different programs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: mingw-zlib security update  
Advisory ID:       RHSA-2022:7813-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7813  
Issue date:        2022-11-08  
CVE Names:         CVE-2018-25032  
====================================================================  
1. Summary:

An update for mingw-zlib is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch

3. Description:

The zlib packages provide a general-purpose lossless data compression  
library that is used by many different programs.

Security Fix(es):

* zlib: A flaw found in zlib when compressing (not decompressing) certain  
inputs (CVE-2018-25032)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs

6. Package List:

Red Hat CodeReady Linux Builder (v. 8):

Source:  
mingw-zlib-1.2.8-10.el8.src.rpm

noarch:  
mingw32-zlib-1.2.8-10.el8.noarch.rpm  
mingw32-zlib-debuginfo-1.2.8-10.el8.noarch.rpm  
mingw32-zlib-static-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-debuginfo-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-static-1.2.8-10.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSGdzjgjWX9erEAQgUwA/+I0Yfh7SE/3ex1OCbDRi+Y7TQV6LPIfaY  
Wf+3Kq1gTm3ApB7ZgN8oTrIEfIN/NjQ+NUKhLM6X3jEi8gVxzZloOnk3B6liK1wg  
0N3LY0PW1VdJB44WaX/ZfB/vu2sTEJfux9CgKphAm10G7vIv9gxlbRRZ8+vRXeMN  
/ATsBoATo8OaK9yzAMBLnSpbxHJvimEr0AGoU4ixZTeF91p9ypMT59yuF+GmOu+r  
Qw7DxvJSnhrz2RrekBuBCqli84SzM8y9w8PCPojrIuIkcZDmZfgXhplAgZNCs2Tm  
j8KGbjHawDhgHQEs5zHJMI+3uBjsrm6bq9G81qdUQto8o/GmLkZj36B6CpmSfk6Z  
lIUItBHDd9gEt4aHNJzBoOIPUq6KMyKqOK20t4o95Nx+Uyoww6VQoVfDaGS+x/Th  
DIufW2cA53/3r47jF91Hm2365WkEKfF2Jx1oAJFdBwaaIp2JRk0WtKkHOmsDN1//  
h0dMMMo/+sUeIAHBz0xpiP9AMLhujmCPfObU29GaB2HNPhz7SffcE6vDPs2Zq6pC  
DwivNCrBfiVDfPpC2CMwK0FZSuV3UFq56MeCbSMaqUczsPWWxESeEVxOV9AJXl6Y  
jhyoYbtM1/n8L05zLXU7d50ig6oKZ/eZoMULg7Q2LboKYjWMk0+ashgqhdOigTup  
tIaNurRUEawioM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7813-01

Red Hat Security Advisory 2022-7830-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:14 security update  
Advisory ID:       RHSA-2022:7830-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7830  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-44531 CVE-2021-44532 CVE-2021-44533  
                   CVE-2022-21824 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Improper handling of URI Subject Alternative Names  
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection  
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields  
(CVE-2021-44533)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names  
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection  
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields  
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm

noarch:  
nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm

s390x:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x.rpm

x86_64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44531  
https://access.redhat.com/security/cve/CVE-2021-44532  
https://access.redhat.com/security/cve/CVE-2021-44533  
https://access.redhat.com/security/cve/CVE-2022-21824  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSMNzjgjWX9erEAQiFmA/+PFsIM04d2Gzf9L0EzhYopvP+2hpQ3oXe  
rxs1jY17w/shvRUvBEcfFGwjqkw+9BROLnY76riBWXvS4cLdic/GaVoDYA053Swv  
qg47PgZuYgyM6Vj0ggqnN4pmN+4ydnGQnfCY5enQMZuUEEtkoP1kKj/r0b14G2Qb  
QAfRjS4kIBsIqdfWVLmB2ADyG4/RErrmQznmqnI+NgyVed+EcHQwKDXWJxQAcf1d  
bSWPPiYxKDMjl4prvFCIO4j5HIMcSxX2ydCuzU+unzdAzEVfhksJvug4vJOhI/tj  
vLbNYpb32szyWDF8RKqBCxqtpSFL+Rj1dSB9S8vLRD1vdme8GcY0bb4RMT5A7rxG  
vxboN1UnFBVasytToFrVMb6YI0hRIbY6u/AEDr7FpuZlc75IeBDuTrd513g0/JV2  
3s7uSktUx+5CLE6yTcbjNFzyxt/CWlXYRLxDjei4PAgTHUob0XV4ceegiSQtIrJR  
BsDZ92Rl3fL0h5ifQyX852F4aYDdN4wUNeaOL6dDh8I/O7YTdmwVrFJOsCaJbuW2  
eEEezk6n3EsGA0GUu3g4llzynyE+kbEVM03ZycSVeL5Rg14p05nabXiYy22r3fKq  
oKo6QsdExSS+8yzDLVpug1B8LUbQ9KjA3TwkuSpAFzLFF4Gdf9TDT81cXMnxoYbU  
9kKLmbdmAnM=ZgF8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7830-01

Red Hat Security Advisory 2022-7585-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, denial of service, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: libtiff security update  
Advisory ID:       RHSA-2022:7585-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7585  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-0561 CVE-2022-0562 CVE-2022-0865  
                   CVE-2022-0891 CVE-2022-0908 CVE-2022-0909  
                   CVE-2022-0924 CVE-2022-1355 CVE-2022-22844  
====================================================================  
1. Summary:

An update for libtiff is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged  
Image File Format (TIFF) files.

Security Fix(es):

* libtiff: Denial of Service via crafted TIFF file (CVE-2022-0561)

* libtiff: Null source pointer lead to Denial of Service via crafted TIFF  
file (CVE-2022-0562)

* libtiff: reachable assertion (CVE-2022-0865)

* libtiff: Out-of-bounds Read error in tiffcp (CVE-2022-0924)

* libtiff: stack-buffer-overflow in tiffcp.c in main() (CVE-2022-1355)

* libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c  
(CVE-2022-22844)

* libtiff: heap buffer overflow in extractImageSection (CVE-2022-0891)

* tiff: Null source pointer passed as an argument to memcpy in  
TIFFFetchNormalTag() in tif_dirread.c (CVE-2022-0908)

* tiff: Divide By Zero error in tiffcrop (CVE-2022-0909)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications linked against libtiff must be restarted for this  
update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2042603 - CVE-2022-22844 libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c  
2054494 - CVE-2022-0561 libtiff: Denial of Service via crafted TIFF file  
2054495 - CVE-2022-0562 libtiff: Null source pointer lead to Denial of Service via crafted TIFF file  
2064145 - CVE-2022-0908 tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c  
2064146 - CVE-2022-0909 tiff: Divide By Zero error in tiffcrop  
2064148 - CVE-2022-0924 libtiff: Out-of-bounds Read error in tiffcp  
2064406 - CVE-2022-0865 libtiff: reachable assertion  
2064411 - CVE-2022-0891 libtiff: heap buffer overflow in extractImageSection  
2074415 - CVE-2022-1355 libtiff: stack-buffer-overflow in tiffcp.c in main()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libtiff-4.0.9-23.el8.src.rpm

aarch64:  
libtiff-4.0.9-23.el8.aarch64.rpm  
libtiff-debuginfo-4.0.9-23.el8.aarch64.rpm  
libtiff-debugsource-4.0.9-23.el8.aarch64.rpm  
libtiff-devel-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.aarch64.rpm

ppc64le:  
libtiff-4.0.9-23.el8.ppc64le.rpm  
libtiff-debuginfo-4.0.9-23.el8.ppc64le.rpm  
libtiff-debugsource-4.0.9-23.el8.ppc64le.rpm  
libtiff-devel-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.ppc64le.rpm

s390x:  
libtiff-4.0.9-23.el8.s390x.rpm  
libtiff-debuginfo-4.0.9-23.el8.s390x.rpm  
libtiff-debugsource-4.0.9-23.el8.s390x.rpm  
libtiff-devel-4.0.9-23.el8.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.s390x.rpm

x86_64:  
libtiff-4.0.9-23.el8.i686.rpm  
libtiff-4.0.9-23.el8.x86_64.rpm  
libtiff-debuginfo-4.0.9-23.el8.i686.rpm  
libtiff-debuginfo-4.0.9-23.el8.x86_64.rpm  
libtiff-debugsource-4.0.9-23.el8.i686.rpm  
libtiff-debugsource-4.0.9-23.el8.x86_64.rpm  
libtiff-devel-4.0.9-23.el8.i686.rpm  
libtiff-devel-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.i686.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
libtiff-debuginfo-4.0.9-23.el8.aarch64.rpm  
libtiff-debugsource-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.aarch64.rpm

ppc64le:  
libtiff-debuginfo-4.0.9-23.el8.ppc64le.rpm  
libtiff-debugsource-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.ppc64le.rpm

s390x:  
libtiff-debuginfo-4.0.9-23.el8.s390x.rpm  
libtiff-debugsource-4.0.9-23.el8.s390x.rpm  
libtiff-tools-4.0.9-23.el8.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.s390x.rpm

x86_64:  
libtiff-debuginfo-4.0.9-23.el8.x86_64.rpm  
libtiff-debugsource-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0561  
https://access.redhat.com/security/cve/CVE-2022-0562  
https://access.redhat.com/security/cve/CVE-2022-0865  
https://access.redhat.com/security/cve/CVE-2022-0891  
https://access.redhat.com/security/cve/CVE-2022-0908  
https://access.redhat.com/security/cve/CVE-2022-0909  
https://access.redhat.com/security/cve/CVE-2022-0924  
https://access.redhat.com/security/cve/CVE-2022-1355  
https://access.redhat.com/security/cve/CVE-2022-22844  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSdtzjgjWX9erEAQgceBAAgxamrzyTOP2GS3s+C1p5y6grhjvDcDiB  
myi0mTUQ8H8ivuHf84wq6o0+K4LDuZ9mbOo/HYxJv4QIUcSfDF3xpZA7siuC0wr2  
p4G5BSmPyekDnIak9m88mTeBGi0BAuruJUbXi8lyjh6ItfsbWVi5GcTcJyz5WslP  
fJl66PglBOGYSvy5Yy7NKjHZ9NURG2Uw1chyaJa334IthtXNiFOobwEAv/KaGUIs  
o5qlcr+zliRVv6k4hlwFhFegCtqWIM8vfqUkVsf/jP2+rGrZTfnqfNKvWnNYIXq4  
zrY95PD7DeX18/ZHQ6JXOmVXczXSL0yzQjvUAs0hJK98cRBYfKgUHXf4tSzW2wfU  
4XPXjUj9TNV/Ld4J8hKrxE63GoqF0wDyGXSnkLr6KDHc2kk6A6yvUpVbcoXxuZT+  
O498iq52P3NMzAZyUk342AfsdASR3nnewuusksd1avLGZ2SjsJHcezAD0IRJK+66  
7lizIhMG+GQ6n0WBwDAMhe/8SPiaIE9e3nOILVQ2eUdMf9RegowDJKWik2FDZfzM  
++UDx1ofhjOX8ASd2kYfvOaYY6Zt01r+RBfZVrRH8N4Ex6eozIDxyzssAV6yYvDr  
ZeH8hLuCeAsb1H59sLAjTjlQYE+lltNykmpZyeXAvBHIjfuigp3iqQnArnhzGTPT  
weUuSg0GqME=u7Ay  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7585-01

Red Hat Security Advisory 2022-7821-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security update  
Advisory ID:       RHSA-2022:7821-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7821  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-35255 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18.9.1). (BZ#2130559, BZ#2131750)

Security Fix(es):

* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.src.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64.rpm

noarch:  
nodejs-docs-18.9.1-1.module+el8.7.0+16806+4109802b.noarch.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le.rpm

s390x:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x.rpm

x86_64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35255  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSJNzjgjWX9erEAQjaww/9FwAgM6VhLuL/A6jOAoTuAbjXIPjLq3bf  
BycFTPsYskS5aXT7hJUyT8WJQobCaw1J0e5c/+QnjJW1/9RNeAfoVNpuGyrnunXA  
4Ferj6qFwWHtzr0b2noQW0mzuOm6Ecen9r30vl58e+mgpmolrDWtf+Wsm/5fxuC4  
9CUfdJ7doifnNbrnmBGNOaINHflSAPo+GUZvvrPozYv74uuE2hmMTzM6rtg5EXqG  
hEI0zLJzTf3KWsKW6iIOWlOA2Kppn7JRsjNK2DQIotSSTmfNhS0AybKfp30Mgyia  
fxcOV0hdFqMq7HrOd/daP61DhhmyAECgYUCrhnVl01ntLQAPmmTmSihOHxrTbZcJ  
HewcOKlos2GgnQAX+DoMREn6KnvFTXT2xU0vO/X8Pbl2TyQ8B89Jb8m3hR71OBnG  
ARBDiEG9yWQaMLqrI9YHcsOR+4DxsXgecjItc3Bd9jbBKkLgnTi1efEjW/SdjU9b  
GWhL/2DVPOT9yg/j/+/me8+3c9O7vnePN7zaxUEoZ0DmdsDKlOzrC/D69thVIqXY  
JSQ8cINZ37RiCNRxcEvMQpwm/y79OCWVGdPptsluBapNDur5qeg2KrDYeHYsMXGF  
X9D6fP1Vod455kt+TxJCijA9XYT0JG7BA+KA5esIT2reCTvgQlP5QaEWqlNI39d4  
z9dijpwH2po=+8w0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7821-01

Red Hat Security Advisory 2022-7822-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2022-7822-01

Red Hat Security Advisory 2022-7720-01 - The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. Issues addressed include an out of bounds read vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: e2fsprogs security and bug fix update  
Advisory ID:       RHSA-2022:7720-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7720  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-1304  
====================================================================  
1. Summary:

An update for e2fsprogs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The e2fsprogs packages provide a number of utilities for creating,  
checking, modifying, and correcting the ext2, ext3, and ext4 file systems.

Security Fix(es):

* e2fsprogs: out-of-bounds read/write via crafted filesystem  
(CVE-2022-1304)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2069726 - CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem  
2083621 - e2fsprogs: Update for RHEL8.7

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
e2fsprogs-1.45.6-5.el8.src.rpm

aarch64:  
e2fsprogs-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-devel-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-libs-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.aarch64.rpm  
libcom_err-1.45.6-5.el8.aarch64.rpm  
libcom_err-debuginfo-1.45.6-5.el8.aarch64.rpm  
libcom_err-devel-1.45.6-5.el8.aarch64.rpm  
libss-1.45.6-5.el8.aarch64.rpm  
libss-debuginfo-1.45.6-5.el8.aarch64.rpm

ppc64le:  
e2fsprogs-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-devel-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-libs-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.ppc64le.rpm  
libcom_err-1.45.6-5.el8.ppc64le.rpm  
libcom_err-debuginfo-1.45.6-5.el8.ppc64le.rpm  
libcom_err-devel-1.45.6-5.el8.ppc64le.rpm  
libss-1.45.6-5.el8.ppc64le.rpm  
libss-debuginfo-1.45.6-5.el8.ppc64le.rpm

s390x:  
e2fsprogs-1.45.6-5.el8.s390x.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.s390x.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.s390x.rpm  
e2fsprogs-devel-1.45.6-5.el8.s390x.rpm  
e2fsprogs-libs-1.45.6-5.el8.s390x.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.s390x.rpm  
libcom_err-1.45.6-5.el8.s390x.rpm  
libcom_err-debuginfo-1.45.6-5.el8.s390x.rpm  
libcom_err-devel-1.45.6-5.el8.s390x.rpm  
libss-1.45.6-5.el8.s390x.rpm  
libss-debuginfo-1.45.6-5.el8.s390x.rpm

x86_64:  
e2fsprogs-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.i686.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.i686.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-devel-1.45.6-5.el8.i686.rpm  
e2fsprogs-devel-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-libs-1.45.6-5.el8.i686.rpm  
e2fsprogs-libs-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.i686.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.x86_64.rpm  
libcom_err-1.45.6-5.el8.i686.rpm  
libcom_err-1.45.6-5.el8.x86_64.rpm  
libcom_err-debuginfo-1.45.6-5.el8.i686.rpm  
libcom_err-debuginfo-1.45.6-5.el8.x86_64.rpm  
libcom_err-devel-1.45.6-5.el8.i686.rpm  
libcom_err-devel-1.45.6-5.el8.x86_64.rpm  
libss-1.45.6-5.el8.i686.rpm  
libss-1.45.6-5.el8.x86_64.rpm  
libss-debuginfo-1.45.6-5.el8.i686.rpm  
libss-debuginfo-1.45.6-5.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
e2fsprogs-debuginfo-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.aarch64.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.aarch64.rpm  
libcom_err-debuginfo-1.45.6-5.el8.aarch64.rpm  
libss-debuginfo-1.45.6-5.el8.aarch64.rpm  
libss-devel-1.45.6-5.el8.aarch64.rpm

ppc64le:  
e2fsprogs-debuginfo-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.ppc64le.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.ppc64le.rpm  
libcom_err-debuginfo-1.45.6-5.el8.ppc64le.rpm  
libss-debuginfo-1.45.6-5.el8.ppc64le.rpm  
libss-devel-1.45.6-5.el8.ppc64le.rpm

s390x:  
e2fsprogs-debuginfo-1.45.6-5.el8.s390x.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.s390x.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.s390x.rpm  
libcom_err-debuginfo-1.45.6-5.el8.s390x.rpm  
libss-debuginfo-1.45.6-5.el8.s390x.rpm  
libss-devel-1.45.6-5.el8.s390x.rpm

x86_64:  
e2fsprogs-debuginfo-1.45.6-5.el8.i686.rpm  
e2fsprogs-debuginfo-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.i686.rpm  
e2fsprogs-debugsource-1.45.6-5.el8.x86_64.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.i686.rpm  
e2fsprogs-libs-debuginfo-1.45.6-5.el8.x86_64.rpm  
libcom_err-debuginfo-1.45.6-5.el8.i686.rpm  
libcom_err-debuginfo-1.45.6-5.el8.x86_64.rpm  
libss-debuginfo-1.45.6-5.el8.i686.rpm  
libss-debuginfo-1.45.6-5.el8.x86_64.rpm  
libss-devel-1.45.6-5.el8.i686.rpm  
libss-devel-1.45.6-5.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pR0NzjgjWX9erEAQhITRAAnFoWBpSbcI2BzXr/x3+LnUzzJyis1MyZ  
riZGIfQBlqO0c67WDLJjSZp0BVu9o+u0yv4nlrohif2s+zntt7vrOg5TkFXkVWY3  
i2ZlcGs9u0hEwBlO6QlSB8Tkk0ky61MgLqjVetcT/y2GAmnooRYUnqs5E+b8elt8  
f9nBJRmQRciRCOYegJPiOxpq9rtKQkFxU4c0M5x42B4aDqmfd2iGuBcMZDcBHKNe  
q2mTgZ7al0VqHT+rDjKddyzyF4e/r70wiDAhYs3DDKiH0ievDtEm4edgWXcxuXrO  
p6wxrSZi5eqK4jE86QJ+DC+wzTyrY5b8JWI6DC4atJk8PfhxRhHAXPTa8LPTMvVm  
N9Vcxx3wbHqrbyAYhkXtyyIWLJNhv79KEYhGLY33blxL2Vb/GcMQs5fiYdVF1PNT  
aH1NikPBlEjcpSMdKyaVN6wWJYAAJEmGqU4bh9zisJ5czIJQWQH9/clS3i7njBZT  
ZZnRy9grj0kNdVgnCTcBkXXPT7Rp/geHGNV9FPJa3Gppj6bAdMEpJQItGebBMZ6X  
mmWDV8eqwjQkTKD/BU+x9J93WIWrEIBk21hqYofiNXjnoqL6ktiGhJaViq3b1nTq  
JmxWdlTOqd7O5kAuU7mDxSxa52cTr7Jv2PcqhMNcCxyWgR/wQiE7SG7zYVyF1FBq  
V9IPXHt4rKc=htvR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7720-01

Red Hat Security Advisory 2022-7514-01 - FriBidi is a library to handle bidirectional scripts, so that the display is done in the proper way, while the text data itself is always written in logical order. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: fribidi security update  
Advisory ID:       RHSA-2022:7514-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7514  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-25308 CVE-2022-25309 CVE-2022-25310  
====================================================================  
1. Summary:

An update for fribidi is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

FriBidi is a library to handle bidirectional scripts (for example Hebrew,  
Arabic), so that the display is done in the proper way, while the text data  
itself is always written in logical order.

Security Fix(es):

* fribidi: Stack based buffer overflow (CVE-2022-25308)

* fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode  
(CVE-2022-25309)

* fribidi: SEGV in fribidi_remove_bidi_marks (CVE-2022-25310)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2047890 - CVE-2022-25308 fribidi: Stack based buffer overflow  
2047896 - CVE-2022-25309 fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode  
2047923 - CVE-2022-25310 fribidi: SEGV in fribidi_remove_bidi_marks

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
fribidi-1.0.4-9.el8.src.rpm

aarch64:  
fribidi-1.0.4-9.el8.aarch64.rpm  
fribidi-debuginfo-1.0.4-9.el8.aarch64.rpm  
fribidi-debugsource-1.0.4-9.el8.aarch64.rpm  
fribidi-devel-1.0.4-9.el8.aarch64.rpm

ppc64le:  
fribidi-1.0.4-9.el8.ppc64le.rpm  
fribidi-debuginfo-1.0.4-9.el8.ppc64le.rpm  
fribidi-debugsource-1.0.4-9.el8.ppc64le.rpm  
fribidi-devel-1.0.4-9.el8.ppc64le.rpm

s390x:  
fribidi-1.0.4-9.el8.s390x.rpm  
fribidi-debuginfo-1.0.4-9.el8.s390x.rpm  
fribidi-debugsource-1.0.4-9.el8.s390x.rpm  
fribidi-devel-1.0.4-9.el8.s390x.rpm

x86_64:  
fribidi-1.0.4-9.el8.i686.rpm  
fribidi-1.0.4-9.el8.x86_64.rpm  
fribidi-debuginfo-1.0.4-9.el8.i686.rpm  
fribidi-debuginfo-1.0.4-9.el8.x86_64.rpm  
fribidi-debugsource-1.0.4-9.el8.i686.rpm  
fribidi-debugsource-1.0.4-9.el8.x86_64.rpm  
fribidi-devel-1.0.4-9.el8.i686.rpm  
fribidi-devel-1.0.4-9.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25308  
https://access.redhat.com/security/cve/CVE-2022-25309  
https://access.redhat.com/security/cve/CVE-2022-25310  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSl9zjgjWX9erEAQjiCQ//c3fOFXaSK86vN6LQtZQDtRb4lY3e8LA/  
YuAXQrtQzoaXiPGgYv/NBgKdngKAAKdj+NCMZMweNor7s6O5oi6n+YhC8FI0imz+  
enbnrhsbRcOHXq9F1bD7t6mg0/91vbH+risyqJ7A5mG3LH7ZqCs2PJ7WErGCCU5A  
N/PDESAIr80F5+oW2poS++sWbUhzYht4cGSRP1haPAVKCb1r7RSk9o2HXSaYkdRQ  
EBLeuxmBW5Zb/VxWdCdWhCyz/bWjAEHkLdTjBYvSq97kZyH0OIWPhJptg5Sg3afI  
U8VQQjE80F/uMpNAZOej7TawV+JmpPrNkOTcmVw3G6BeggMGNmz8gTKZ7TbnAZxl  
XWq4VYUHHAuKZi4WQ8e9E8P8GSa1+aDSCmRk2D/UJy+TboVEmhW9hyYOvy0NZq34  
idsr81JdwHx2NxhkBpu6tNA4pONgmPUs8O117tO0+gaxw0TgkquQh760mRqyUf4i  
I+1PPEWfBFMYLGc7wyMGNZXatBTJsvUiIxgZHFf2uZivbf7s5qe6RiR0fLKc0DC3  
MFAmaeO6QinyZ0LHlPBcjySXzGQsfJfWAkrFYHCFC1luGz8dUgki9xLOu2nE21aB  
1QwsE8g4AWRPPl+afFB1/GCT5/mYuSqJx+tY+zXFNuTJWlp6a+SgR2LSYvOeZTen  
ANw5l8k4X3wsn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7514-01

Red Hat Security Advisory 2022-7643-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Issues addressed include denial of service and memory leak vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: bind9.16 security update  
Advisory ID:       RHSA-2022:7643-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7643  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-25220 CVE-2022-0396  
====================================================================  
1. Summary:

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain  
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver  
library (routines for applications to use when interfacing with DNS); and  
tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: DNS forwarders - cache poisoning vulnerability (CVE-2021-25220)

* bind: DoS from specifically crafted TCP packets (CVE-2022-0396)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2064512 - CVE-2021-25220 bind: DNS forwarders - cache poisoning vulnerability  
2064513 - CVE-2022-0396 bind: DoS from specifically crafted TCP packets  
2128601 - CVE-2022-38177 bind: memory leak in ECDSA DNSSEC verification code

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
bind9.16-9.16.23-0.9.el8.1.src.rpm

aarch64:  
bind9.16-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm

noarch:  
bind9.16-license-9.16.23-0.9.el8.1.noarch.rpm

ppc64le:  
bind9.16-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm

s390x:  
bind9.16-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm

x86_64:  
bind9.16-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-chroot-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.aarch64.rpm

noarch:  
bind9.16-doc-9.16.23-0.9.el8.1.noarch.rpm  
python3-bind9.16-9.16.23-0.9.el8.1.noarch.rpm

ppc64le:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.ppc64le.rpm

s390x:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.s390x.rpm

x86_64:  
bind9.16-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-debugsource-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-devel-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-libs-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.i686.rpm  
bind9.16-utils-debuginfo-9.16.23-0.9.el8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-25220  
https://access.redhat.com/security/cve/CVE-2022-0396  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSW9zjgjWX9erEAQhIyw//SGCFyvcxj0U6yn2bbf0O2/C9simPnh9g  
11SwSlmRGAfEAcVbaczaAUd9Z74ap5lEDdUSagxBdV9HA6OWoTPRYkcikvn4JDK2  
27Kl1/yjsEEdRGpjCd3TjTBsRO/2YsQJwCzpf9iwnD5RJKlX9hty7EIwxRQR9EnY  
SVlaPmUDcXgSfcJ+6SaUahPRkzvZ0tya30oBuqNgAl6UExAiQ+hUN3K7J8by3ZQw  
ZMovwQ3CTyN0y8YJubuTswVyLcNDtQVMk8Hu6EHvdlhc0ZUgH9tXcxGakyA5uF0Q  
7IvKDnGxnVEDBUdSTZp06iX+nhM8RawWJfa95Z1V9nKkOIAA3ALFBWdC8VT+X2RJ  
+GRLIqSVu5lGteA38+G29T8NPHEXWPEzQfuf54Wy9JPWetKHk1o2iCgbLiX4D8gu  
YMylIk0m/CdfkAjDGn2msG+gnCDMLPgyTunYK0enflWGJvaTN3BmSA84/fAci36M  
f+DROFugmjD+meGmDcNxyw72/UB3dARuUJjtlHaym4DIv8O/LuSVo4XgspBLtIJT  
Kh3qDsXzKE2WvkLseynI87E/7C0aWLacDmzf2m4QiTu+4r/tesRxv0oJfcD7c1aF  
DdLGHtWtjuQqu2Yr3xG0IhJiPYdKpB8R5L2p8Lyl2CX26ppgds0m6qUAQGmbz4gX  
1ORsy/EWei0=pWJB  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7643-01

Red Hat Security Advisory 2022-7458-01 - Flatpak-builder is a tool for building flatpaks from sources.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: flatpak-builder security and bug fix update  
Advisory ID:       RHSA-2022:7458-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7458  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-21682  
====================================================================  
1. Summary:

An update for flatpak-builder is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Flatpak-builder is a tool for building flatpaks from sources.

Security Fix(es):

* flatpak: flatpak-builder --mirror-screenshots-url can access files  
outside the build directory (CVE-2022-21682)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2041592 - CVE-2022-21682 flatpak: flatpak-builder --mirror-screenshots-url can access files outside the build directory  
2047312 - Update flatpak-builder to 1.0.14

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
flatpak-builder-1.0.14-2.el8.src.rpm

aarch64:  
flatpak-builder-1.0.14-2.el8.aarch64.rpm  
flatpak-builder-debuginfo-1.0.14-2.el8.aarch64.rpm  
flatpak-builder-debugsource-1.0.14-2.el8.aarch64.rpm

ppc64le:  
flatpak-builder-1.0.14-2.el8.ppc64le.rpm  
flatpak-builder-debuginfo-1.0.14-2.el8.ppc64le.rpm  
flatpak-builder-debugsource-1.0.14-2.el8.ppc64le.rpm

s390x:  
flatpak-builder-1.0.14-2.el8.s390x.rpm  
flatpak-builder-debuginfo-1.0.14-2.el8.s390x.rpm  
flatpak-builder-debugsource-1.0.14-2.el8.s390x.rpm

x86_64:  
flatpak-builder-1.0.14-2.el8.x86_64.rpm  
flatpak-builder-debuginfo-1.0.14-2.el8.x86_64.rpm  
flatpak-builder-debugsource-1.0.14-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21682  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSqNzjgjWX9erEAQjQlxAAjusjcuaudtoVemTFAaTYBrdir2ZQBUFt  
tv5kw9b8dN7PdGZB8J9HO6hDzx1EJfSZCCbp2Jy8LEiERLuGqn9djmOK004UE0Rj  
q8n9TRWAXSHFgDjjOs9t4v4swUGPG020+szRJGPw5C7T1+CicfL2vP2cxkWTA9Ym  
IYQ9IsEiDzjla8Jy3DvzHY/utOh8iFdyv+qN6k2wed3yYety0I2NlQ8e9rDj9K/c  
2+9jj84wHu+Mp02HEUoQ1ui5NkF3U8uzW3lNQVNKxD7XuOm3t5kdHqxeY8LhwIQC  
lJpWANB5jFq4EwIOPAL03Ib+oZa+4Qn24Gj7z0y3F2lEJl/kehs5/e6w13YLXKZC  
7lFuMdQInjssjKML0s8SJLSxRDn+/C2CIKOCc/zE970XW9DlHQ3bZUZZZeA3K/fR  
zJAIEQAxAIMDoNohrvezEzKx3aGGdCzcnj1GgElmnNzOdjQLlh+vt2RZGuJobO4W  
1In7fCF7QJavjFJaSlZ7N6J8uzXfqs4Erhy5P53kc0Irl4dM8aQFBm16B7co8hgw  
nqCa3tDnZm1vJY840VgfimaLpbj0WogLTanZYU2ZfKGn8D9aO1DLhtVsHXSxxPkJ  
x+BSboC1tE5lFOB0/3CTygrvErGRf1je0fqVdHneeyJkV1b/9EoefLwqogQzl+hf  
Wh6XxShteP8=vNug  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js