Red Hat Security Advisory 2022-7185-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7185-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7185  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
device-mapper-multipath-0.8.7-7.el9_0.1.src.rpm

aarch64:  
device-mapper-multipath-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpMdzjgjWX9erEAQhhlxAAnLYr8LOMnAArHYkmIBZqygypwgl4J0k1  
o7ncHpmStLpV69VzD6V8NCOEeB+xgxYgMTRRsBjszKtutvPM4Sl2yZDHJS7Fyacd  
aS6GcfYz5nx4YSRSPglJ1L8vsaSz/IloIfOEs0w8sNR8CQLZBNEfAIjcVIVDLQAJ  
Hps6A48rnLbDOnYlgN5vm2UweS+hIGXzyc4jj6/kpRMcwzYSRfbWGZE++fLtal6Z  
+Ccka8OkRl6RB6kvE1YXuzwYdkL8xjWZR4PvQS3x4sKQhRI1qdjwCijaNAzuSQMy  
GUyWvwxF6FHzLDSgOCbucMGjFmpQQTx3nIw13J/7kYEKAtRkNV0OeywUmi4yguXE  
Za443sUnaGa1WvirJdrLhVySmVnR623bhbamCD90HvgGUeT6CPJ0gyZfybQWo4op  
EP51z9xlpGKcPKaMd3jkB5L81RMky5mcYLnVjWGOwhA7XfAf8zDtwk39EZztpJqd  
gHG+kCvfmqmbPntYp06wBvYeEnYnlF1dYkPJo7Df31xG0F/MrDs/qLGor6mOKpGz  
pXCX2z1v+xy7wLAFgFYj4jg9rZtNnc1SgMTYZZZGVDw7GrnzlJi76KkOxB4MzIG/  
RiWrz3+EwLQVgQVAyzmBKC26TpIkUxjZDITXX/cJTEsyIwg/CxmPpiilvPPZYusH  
PrKNM5XvBl4=INDC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7185-01

Red Hat Security Advisory 2022-7181-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7181-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7181  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.4.0-1.el8_4.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpXtzjgjWX9erEAQgKbw//SKeJmtgvK39I4nnmnHEMvPAvQBni66S0  
ut2glMr63CN0qbsbDYHGjOm6WT4uLzFjwwiK0LmQYIfQLdQCctXBECgUdArDBNCd  
/IPrT3m1kL2If5ge4MApHKQo1c/Eicf2plY8I5R+ql0Xq9fz14WRroZ+RI12SRlO  
zuEkPAAoKABaoHqh/h5hdvsilMqSgnaPepAJbGKRsMXa9vqD2zSZaQ4FT8NR43Cc  
GUA5j5kXzheaLRyuK1KzlYxoD87F1Fc0ygzzljSi2+qjuxk+KsWRSeouVjSYH3sN  
J46fSgb55do1S8QMwzLFtb8liM8DKVENurVtWWDoG7LiZrHrGkzZq6EYEaM1b4kX  
7Yw7igMYf9yj2/n6uehQtQx0CAkVGvQ/88HlZpXzmCjs4ewfqDJ1HrlUy8p7ZnQF  
ndTPelBgUxsd2QPZT3ek8bypD5n8oKEfFUJl0qlsL6KzShmhluOuXsBVcRvp4RaV  
XgmOn3xKjJLaYrDCW3vVW6/CXTlto74OtqZRVJK71rl2W41Lpe3lJ4iontV3d1/M  
Et4XHHL4wvYHOwIFPT1iQS5Zz+phtmrs2HKwZUcSJusZp648rXi/qahfVjz5rnvh  
I7E3GfP9SvtfwQmUrJR6oiyXaSxKebbM47m3di/XmsGZ3+na1B9SdpEFBEVVYPKH  
n6JgqoRWgG8=s8XS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7181-01

Red Hat Security Advisory 2022-7173-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2022:7173-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7173  
Issue date:        2022-10-25  
CVE Names:         CVE-2021-3715 CVE-2022-2588  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
7.6 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server E4S (v. 7.6) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: use-after-free in route4_change() in net/sched/cls_route.c  
(CVE-2021-3715)

* kernel: a use-after-free in cls_route filter implementation may lead to  
privilege escalation (CVE-2022-2588)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1993988 - CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c  
2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux Server E4S (v. 7.6):

Source:  
kpatch-patch-3_10_0-957_84_1-1-6.el7.src.rpm  
kpatch-patch-3_10_0-957_92_1-1-3.el7.src.rpm  
kpatch-patch-3_10_0-957_94_1-1-2.el7.src.rpm  
kpatch-patch-3_10_0-957_95_1-1-1.el7.src.rpm  
kpatch-patch-3_10_0-957_97_1-1-1.el7.src.rpm

ppc64le:  
kpatch-patch-3_10_0-957_84_1-1-6.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_84_1-debuginfo-1-6.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_92_1-1-3.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_92_1-debuginfo-1-3.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_94_1-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_94_1-debuginfo-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_95_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_95_1-debuginfo-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_97_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-957_97_1-debuginfo-1-1.el7.ppc64le.rpm

x86_64:  
kpatch-patch-3_10_0-957_84_1-1-6.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_84_1-debuginfo-1-6.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_92_1-1-3.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_92_1-debuginfo-1-3.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_94_1-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_94_1-debuginfo-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_95_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_95_1-debuginfo-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_97_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-957_97_1-debuginfo-1-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3715  
https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpc9zjgjWX9erEAQiy6A/8C67uLSq65p6yUadRtDHkjmZo5ep5xmmZ  
ob2WmG6yx99aLg5YGX96mpoogEU+kUOSgHKahmB+XWZGbS92a3VjPIFIprmCN/+N  
pKgyUXbiKiWmO+qYs12fqSKKoxYbloXixGukXbHbKLDjqrwV6kG0ALI5aen93PjL  
Zz204Q8X/Fs+KeOQmQZklcAmRnzFQLChVXB+UOHIK4S772llcT+GbOfVCs3mewaS  
siYv0dOU/pcclk0CZ3iF1EqKXLsQWmeh/iwZIA5M+g3IF6lhmJu1rz2oq92DmeKl  
4L2MQvBCU2XtmVchvuZVyZ3Xi8QZQfDwVu6blNdTAJsHnMgwK6JA0zB/GVvKADSx  
3pXHTAIVpKkGLjQF4PYnKez+5SUlvmbTwI6ZsAusLAtQDyOlLo5lh55NxMtINfuK  
GgNHuTKyD3aje1j8mXSMRxNkDwvl5Y2h8RPY3NDZ9XjNnTT5ks75lb1wHsWA2C4Q  
epPgCgsZ1uKaU/3SqVFaS3zHnh5wWtaZ7bJVXe87sP+t0TH8goreIhvyC0RhKNnx  
/m0acKsLvBpK6cq1eX7Gl8n7bnl6uphNhxPyodLvlcWrdICePPmsgW3KBCQ8fWYc  
aizY4umnH8cPpRI3Tb6UYsp15HPtSqvoLlBbcxLy+pF2GFJMkcpPsPEbYQ84sFfQ  
87DG6wthkiM§oV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7173-01

Red Hat Security Advisory 2022-7178-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7178-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7178  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.4.0-1.el9_0.src.rpm

aarch64:  
thunderbird-102.4.0-1.el9_0.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el9_0.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el9_0.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el9_0.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el9_0.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpadzjgjWX9erEAQjZ2A//VFqqY+5rWTcCLtIv9aHbrYVzPr408fQQ  
HvSWWBqtCpKVpDK+cOmOTzidaKs+0VVy4MG1Ie/EYGj0524xyAFRZRuAyhqOoDD2  
0kbiURziU3ySM8XVXdekOjhiePVrH5PWTdwqm5XI5OF3Ud+1HoU3M6ZSlEb11Ctx  
/6tNQ400YK9+CLNm1tGuHwwx+LPeoo9uQOEN1R5F7S7Y3b5lb2tyc3CqwgqSVKU5  
m1SIz2wTthd1QJ7a2ZH4Ai9qCqnljDkrU4oqO8IMrngIGwjqqHBVc5Jjdmvjb0Ny  
TMMyYQh3rd5YUIH+kuaekPvd41c/te4OrsObk8WvUxwXNpbGsuFjodGw9b0lQ6W4  
HqP8doLB+J/Fgab27crgU+VdO3R55cqciIypsGaYTxmpyAdijyjgMUbjmo9ac4oL  
bdO6Oq7b4XgGBYScVmXBldADtOF9YuXEWBlk02dOsdQK2ThbFX7o8Ox2LrYwxQpI  
07UfBqx2vec8ah1h46ij4IsUZGWxvC7iMZm5n8F43c6XLhHlq9B1Ir8MbMczn6Fw  
lDqp6F/TZO/++PSC5qDnJ/OTUrf4VcMmXjQSnE7hdgtqRJNmpgl8GHGX/7l/VPrr  
zxExOGlYkKrHprthCK+9tCvYZJweJM97+tbg8Lh1XrO14jdoyfuAiPAzcYapCUo8  
6dJIRcgweh8=Wcpb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7178-01

Red Hat Security Advisory 2022-7190-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7190-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7190  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
thunderbird-102.4.0-1.el8_6.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el8_6.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_6.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go3dzjgjWX9erEAQjv1w//f5PLkHsKJ1d09vNv03VyqLLUMQLNkccV  
uZaAu8P7heN4C8x+4+YYfRmjpELzU24e5vzkFpMmLlDfTTvonEQOE81dfJrT+5jw  
btHB2m8iy4VGowXNhcAFdHE1oZfdaVf3iHcNe55G8bOo7KU4AkArRyk1hMRm5aIm  
O6EWWaYmbqxN8iMnydJ/52EBaa9U/Fxj0a/fgr/w0Ct4heT7jO52dx6tShqswkjp  
B5pcVrEUJMeqzT6PTnlLvyS0/kjrf5m8BA1z4KbLLwe2hof427NHtxCBN0eGkbYI  
jeC+v2z/YRtFtkFkn/rX9P0Rv9dcSWCh8Bxu5XBPck6sP3eLZj8kCmkjVkFwZ9Ux  
i9A4rmkdzA4kQz4gkHePjW7AMqpn+QMinZ5jS5/xJm3M1aeb8qU2tBOCvHL1g7as  
Iw2SD/J3Y88ZaI4fi9GV895lj6cXl6V4JH+Id7u14su6EJNXWTCcH9m4HyZRMeWP  
p3yRf/VrmB6lEcBgNuFd4INLtH+7TPD9FLdruxRpDIXfyrzWxS/1MNvF09TsIKug  
T6PXjlNTXVHJT6j9uMUb3uhHzDUiRERjth0sERen4crbDmqi2gFzIoBh6AC6os9G  
71uoAamyZayQ4zUFiXWka2KnuQ6tGlmEosSlFJ1pv0r1ckrpu9Jsa2RG6f0EzFzP  
NdyCURLS0ho=TTC/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7190-01

Red Hat Security Advisory 2022-7182-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7182-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7182  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
thunderbird-102.4.0-1.el8_2.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.4.0-1.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_2.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go89zjgjWX9erEAQgxkw//RMipzdXSXA2DPrWCC1vV37pz9ANknnMZ  
i5ncuYcqg9uACzo4DvcVBef69HxuRCLcgqJ5WJFXJ6qibYuP2oHn2BQhMQxCWOoJ  
mc4zsPQvmaejEUFI3P9pgEA4M1EUxKOIZedTyATlxwtqo1a5UkpkF354zIdk8AhL  
OtYJOtCwhB6u/g+a9wSJLDAWyDXrtzlKWvMEfhfCJU4r1oHcdl985SHK1cR3oxDu  
+18I/iWlxoCNZG0OK+Y19udBaRvkZQ8jGixTvXBgt8NBRFvO8LDoqjrPrRJLkRB4  
Z+7mP06V9cIAcFuWU4PXXFS6JrWrOvW9q5M6f7O4OCj7LJ0fgaqFRK/jpXymv8rF  
36GcqTkfuefLDKQrOjRNAugchBdTCn5em1fpr5WYdbE2U96bY2lA5gKbh9In8wI1  
i9aJu4ETVh7SBJN/XnTx5tABaTs/7iIQA7D4jBFe+ru3XKm+NdvLegSlayPx/Xpe  
L0MzA7beaPiVeRLRGPxVyVpSmiYmUE0zP83v8kvU4iHvBZG450YGgTHGcDVSx3ku  
Qj0fba0eG1+2jcsOVAwXx5ZikKsUQjWY5fiCtO3USDzcNV88RRtTnVdgV2IPqsyb  
2cmS9jgPnknj9lXo+ERwbfhobDYkrval0IduvihPpArpGQ0vH7gxs663O/832OOY  
wZQOOzLSwsI=GMRF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7182-01

Red Hat Security Advisory 2022-7188-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7188-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7188  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v. 8.2):

Source:  
device-mapper-multipath-0.8.3-3.el8_2.7.src.rpm

aarch64:  
device-mapper-multipath-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.2):

aarch64:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.s390x.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-debugsource-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-devel-0.8.3-3.el8_2.7.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
kpartx-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.i686.rpm  
libdmmp-debuginfo-0.8.3-3.el8_2.7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpB9zjgjWX9erEAQgvHQ//aFrOuagMn10M1A1vTXSXiRD5m9ba+27b  
aCNjowKyAX3hgP2YVd8cA/fnAgPcDqrEOobWf1TEZawsOoOr2YYSQOx9zrR1l7Kx  
rOhIFaGq537IQ4pLO6iOkiuer21Rt9f6q0MrnarF9VXb3+FpZkWMljKhuZwnK+tl  
uZj4x7Y/5SFNgkxm0BKYN9WvuFyRER1gfTZVjbq6i9HDX/BN0cg90PhzdskglATB  
kEpLE9VevUB/D/319LrFtjHo7FHwA2Sz3sUVJaJ36ZYEsdaRfQvB2ZguDWaW+Pdy  
trvXg7Q8G+l8W5fXifSJsSTX/q/GyyL96cXvBkklajul3hYReqUApb6I0EFEKEmB  
qSmbjuSanqDgE102ibfa3PePNvGgg7JmfQ9Q9H22LsWLgNODHECYWyQTfpjRSURo  
U86qsaSJrE55kjmJwDQiZ58SdB5n/lw9A/5mJhdGhcYmOg9UDO86b8Qez04+Cd5D  
2gbVkBeLn0Szl331IBo3V/rX1EKOO8u2ylEH3JSCC4IbHyD4Ej1Cf7nllkYI6u/7  
UVDmJQBaAM0s6u3u0ZlELNSGp1rgE2WmCQyQ+nFUU63aZfYT2tMdk63qxXQFa8SW  
nnkULXzX6/ywl4lWqxdu8j+eTSuyGWlzl3n1SBMyIwyjEamm0MVVz0NUI0AmRy96  
/JRhzgikIpM©Bs  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7188-01

Red Hat Security Advisory 2022-7133-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: 389-ds:1.4 security update  
Advisory ID:       RHSA-2022:7133-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7133  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-2850  
====================================================================  
1. Summary:

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The  
base packages include the Lightweight Directory Access Protocol (LDAP)  
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.src.rpm

aarch64:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.aarch64.rpm

noarch:  
python3-lib389-1.4.3.28-8.module+el8.6.0+16880+945f9b53.noarch.rpm

ppc64le:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.ppc64le.rpm

s390x:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.s390x.rpm

x86_64:  
389-ds-base-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-debugsource-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-devel-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-legacy-tools-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-libs-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-libs-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-snmp-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.28-8.module+el8.6.0+16880+945f9b53.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2850  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1fUUNzjgjWX9erEAQh3VA/+IbU1+Ixiquw3BALaO/hobhG9e90WaggP  
i5zSunNXQXh+pKYaLWT3PPXR0vnf8uudZ0/wT97aQQcDvihV7vPhg/KILjzsbfGW  
zhkHgJSOPiGqPRSpOCVLJKCsH+4w+6J1aBfnHj7rh/7fZJww9HDg4l2ys5aMsGLa  
qsySbJwUuS7yNr+3HWDP2j54ekU3KpMq2s+NN+okCL1XE2AOT2pqbGZ3ruQA3qjz  
6GGsGFv9W51M6R4j4FBdYldwaO3aBi8KSbnFOKmj+doSumQM45mCc08gcbTL273k  
3tGrkSBNqguw7bTaGJYJoTVYGASU2H3fhEI+1d9n6jfJjWEpwA/AtL5ox5OUVMnF  
tDu/MxGON86KCq2+xMslonXyVdjiRd0alFS3fStUWlJvbw78ITocPiZkrjbgha9w  
XSL2bV7ygM6u74nYHGS9earSJqmwoAC7H5f5pGv/6S4ba+0XhKkXVWbhN+rUxy9f  
0xhRam709uRKw7WnkfOcGTQwNf2LwBUNrW224RrGEWHSKIhy/qbxMiMPuI4gVFQd  
+qCj2c2Wy6AVmx/SFI2az5qFzPCGRR+IdhWWhzRWukPY6G3Kax+eTHOB5B5htVPO  
g5878aNczXnztdMyY4zab/2dQCry31fqYzICSYC2o7X439pPif5VXQQgSH6qYSFI  
YfkfQQpwKMg=wWl7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7133-01

feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.

**feathers-sequelize vulnerable to SQL injection due to improper parameter filtering**

Critical severity GitHub Reviewed Published Oct 26, 2022 • Updated Oct 31, 2022

GHSA-5hq7-j5wq-p227: feathers-sequelize vulnerable to SQL injection due to improper parameter filtering

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.

**PENDING feathers-sequelize contains improper input validation leading to SQL injection**

Critical severity GitHub Reviewed Published Oct 26, 2022 • Updated Oct 31, 2022

Tag

#js