Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.

CVE-2022-34009: Fossil: Change Log

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

**FeehiCMS **(English)** 首款编写单元测试、功能测试、验收测试的yii2开源系统**

基于yii2的CMS系统，运行环境与yii2(php>=5.4)一致。FeehiCMS旨在为yii2爱好者提供一个基础功能稳定完善的系统，使开发者更专注于业务功能开发。 FeehiCMS没有对yii2做任何的修改、封装，但是把yii2的一些优秀特性几乎都用在了FeehiCMS上，虽提供文档， 但FeehiCMS提倡简洁、快速上手，基于FeehiCMS开发可以无需文档，反倒FeehiCMS为yii2文档提供了最好的实例

  

**演示站点**

演示站点后台 **用户名:feehicms 密码123456**

*   后台 http://demo.cms.feehi.com/admin
*   前台 http://demo.cms.feehi.com
*   api http://demo.cms.feehi.com/api/articles

**更新记录****帮助**

1.  开发文档http://doc.feehi.com
    
2.  QQ群 936448696
    
3.  微信  
    
4.  Email job@feehi.com
    
5.  bug反馈
    

**功能**

*   多语言
*   单元测试
*   功能测试
*   验收测试
*   RBAC权限管理
*   restful api
*   文章管理
*   操作日志
*   适配手机

FeehiCMS提供完备的web系统基础通用功能，包括前后台菜单管理,文章标签,广告,banner,缓存,网站设置,seo设置,邮件设置,分类管理,单页...

**使用Docker**

1.下载镜像

    $ docker pull registry.cn-hangzhou.aliyuncs.com/feehi/cms #FQ后建议直接使用docker pull feehi/cms

2.创建容器

    $ docker run --name feehicms -h feehicms -itd -v /path/to/data:/data -e DBDSN=sqlite:/data/feehi.db -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

以上命令将会自动初始化FeehiCMS，并导入数据库(默认数据库为sqlite)  
如果需要更使用其他数据库，比如mysql，执行:

    $ docker run --name feehicms -h feehicms -itd -e DBDSN=mysql:host=mysql-ip;dbname=feehi -e DBUser=dbuser -e DBPassword=dbpassword -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

如果需要使用postgresql则将DBDSN改为pgsql:host=pgsql-ip

也可以仅初始化FeehiCMS，然后通过web在线安装

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -o start

然后访问http://ip:port/install.php，根据提示选择数据库类型，填写数据库用户名、数据库密码、后台管理员用户名、密码完成安装。

以上方式启动的容器只能用作开发环境，容器启动命令最终调用为php -S 0.0.0.0:80,如果用作production，可以执行

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -m start

容器将启动php-fpm，并监听9000端口，配合nginx使用。nginx配置大致为

    location ~ \\.php$ {
        ...
        fastcgi\_pass fpm-ip:9000;
        fastcgi\_param  SCRIPT\_FILENAME  /usr/local/feehicms/frontend/web$fastcgi\_script\_name;
        ...
    }

**因为yii2会生成js/css，以及新上传的文件（图片）需要nginx webroot使用php fpm容器同一个文件夹:/usr/local/feehicms/frontend/web**

**安装**

前置条件: 如未特别说明，本文档已默认您把php命令加入了环境变量，如果您未把php加入环境变量，请把以下命令中的php替换成/path/to/php

> 无论是使用归档文件还是composer，都有相应阶段让您填入后台管理用户名、密码

1.  使用归档文件(简单，适合没有yii2经验者)
    
    1.  下载FeehiCMS源码 点击此处下载最新版
    2.  解压到目录
    3.  配置web服务器web服务器配置
    4.  浏览器打开 http://localhost/install.php 按照提示完成安装(若使用php内置web服务a器则地址为 http://localhost:8080/install.php )
    5.  完成
2.  使用composer (推荐使用此方式安装)
    
    > composer的安装以及国内镜像设置请点击 此处
    
    > 以下命令默认您已全局安装composer，如果您是局部安装的composer:请使用php /path/to/composer.phar来替换以下命令中的composer
    
    1.  使用composer创建FeehiCMS项目
        
            $ composer create-project feehi/cms webApp //此命令创建的FeehiCMS项目不能平滑升级新版本(目录结构简单,目前主力维护版本)
        
    2.  依次执行以下命令初始化yii2框架以及导入数据库
        
        $ cd webApp
        $ php ./init --env=Development #初始化yii2框架，线上环境请使用--env=Production
        $ php ./yii migrate/up --interactive=0 #导入FeehiCMS sql数据库，执行此步骤之前请先到common/config/main-local.php修改成正确的数据库配置
        
    3.  配置web服务器web服务器配置
        
    4.  完成
        

**运行测试**

1.  仅运行单元测试,功能测试(不需要配置web服务器)

   cd /path/to/webApp
   vendor/bin/codecept run

2.  运行单元测试,功能测试,验收测试(需要配置完web服务器)
    1.  分别拷贝backend,frontend,api三个目录下的tests/acceptance.suite.yml.example到各自目录，并均重名为acceptance.suite.yml,且均修改里面的url为各自的访问url地址
    2.  与上(仅运行单元测试,功能测试)命令一致

**项目展示**

*   山东城市服务技师学院
*   优悦娱乐网
*   吉安市食品药品监督管理局
*   完美娱乐
*   房产网
*   中丞法拍网
*   51前途网
*   用友财务软件
*   ......

**运行效果**

CVE-2022-34140: GitHub - liufee/cms: Feehi CMS based on yii2

A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.

CVE-2021-46830: GoAnywhere MFT Release Notes

Red Hat Security Advisory 2022-5640-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2022:5640-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5640  
Issue date:        2022-07-19  
CVE Names:         CVE-2021-22543  
====================================================================  
1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 6  
Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6 ELS) - i386, noarch, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 6 ELS) - i386, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO  
checks (CVE-2021-22543)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1965461 - CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks

6. Package List:

Red Hat Enterprise Linux Server (v. 6 ELS):

Source:  
kernel-2.6.32-754.48.1.el6.src.rpm

i386:  
kernel-2.6.32-754.48.1.el6.i686.rpm  
kernel-debug-2.6.32-754.48.1.el6.i686.rpm  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debug-devel-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-common-i686-2.6.32-754.48.1.el6.i686.rpm  
kernel-devel-2.6.32-754.48.1.el6.i686.rpm  
kernel-headers-2.6.32-754.48.1.el6.i686.rpm  
perf-2.6.32-754.48.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm

noarch:  
kernel-abi-whitelists-2.6.32-754.48.1.el6.noarch.rpm  
kernel-doc-2.6.32-754.48.1.el6.noarch.rpm  
kernel-firmware-2.6.32-754.48.1.el6.noarch.rpm

s390x:  
kernel-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debug-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debug-devel-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debuginfo-common-s390x-2.6.32-754.48.1.el6.s390x.rpm  
kernel-devel-2.6.32-754.48.1.el6.s390x.rpm  
kernel-headers-2.6.32-754.48.1.el6.s390x.rpm  
kernel-kdump-2.6.32-754.48.1.el6.s390x.rpm  
kernel-kdump-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
kernel-kdump-devel-2.6.32-754.48.1.el6.s390x.rpm  
perf-2.6.32-754.48.1.el6.s390x.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.s390x.rpm

x86_64:  
kernel-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debug-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debug-devel-2.6.32-754.48.1.el6.i686.rpm  
kernel-debug-devel-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debuginfo-common-i686-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-common-x86_64-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-devel-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-headers-2.6.32-754.48.1.el6.x86_64.rpm  
perf-2.6.32-754.48.1.el6.x86_64.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6 ELS):

i386:  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
kernel-debuginfo-common-i686-2.6.32-754.48.1.el6.i686.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm  
python-perf-2.6.32-754.48.1.el6.i686.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.i686.rpm

s390x:  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
kernel-debuginfo-common-s390x-2.6.32-754.48.1.el6.s390x.rpm  
kernel-kdump-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.s390x.rpm  
python-perf-2.6.32-754.48.1.el6.s390x.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.s390x.rpm

x86_64:  
kernel-debug-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
kernel-debuginfo-common-x86_64-2.6.32-754.48.1.el6.x86_64.rpm  
perf-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm  
python-perf-2.6.32-754.48.1.el6.x86_64.rpm  
python-perf-debuginfo-2.6.32-754.48.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22543  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkGtzjgjWX9erEAQjlOhAAiCZ+s5wB8Rb353ke5gpq6Ief/UCgKQs2  
fRjw3UNmLCZ407xTdcr1ejwwWIUp79QjbwhyQmBlYXEE4RQAfykunvu3DXfh2tiU  
TzEnmZzbxqCBCvnEADSPUZKJTp7ETUc8kWp+YR/BN+sZ53VaObXzG95CLzTg5HmZ  
VoLcBjMcFSqp/Xqv+3PJp5xVxOzoHUoQ/LVFIWs1gqPz5tWMwjsR4G1538GNQa1R  
hkBGpdablfc/6XSC3IgKln/uYYuYzhVtyXqnjpf+TkIiFwhVqcDauh7UoD63F/wk  
U2ht+E0BKtDMIvPleJ0paWCkdxvyW/cPKIDZ4WfXDR96dol57bW4pNuf3f8VCrAB  
F+F6aBteM1a7z9ZwuQSAsK5fkDdo1oL4aufJ/2D6CIQPCU+YSmxDCRKYU1S3VtJe  
nMDvtf++XaH6pXckdzRt6oaozLZ7GXOjk5DpQj8yMGFSDIofWLgMVCDgaJX52FQ6  
dk8omJ10mCuW6T556JfhHviGZ7+0PXebB9mK+3tAgSJbywMVthfWSSDsjGwbwuVT  
aqIRGRd9ZU4B8tXsxchhSyouN1NjV86NeJTrN8OgayYFDDs/swtLH2MEeIJKzLlS  
UxE5pDOP00cUwLZYALBkYUu3abhISfJTHCyuiqxerNW0o01zksB0f6qeeMLNLzZU  
UcaebGp22Rg=KKir  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5640-01

Red Hat Security Advisory 2022-5718-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: grafana security update  
Advisory ID:       RHSA-2022:5718-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5718  
Issue date:        2022-07-26  
CVE Names:         CVE-2022-31107  
====================================================================  
1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives  
a detailed severity rating, is available for each vulnerability from the  
CVE  
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor  
for  
Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* grafana: OAuth account takeover (CVE-2022-31107)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104367 - CVE-2022-31107 grafana: OAuth account takeover

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
grafana-7.3.6-5.el8_4.src.rpm

aarch64:  
grafana-7.3.6-5.el8_4.aarch64.rpm  
grafana-debuginfo-7.3.6-5.el8_4.aarch64.rpm

ppc64le:  
grafana-7.3.6-5.el8_4.ppc64le.rpm  
grafana-debuginfo-7.3.6-5.el8_4.ppc64le.rpm

s390x:  
grafana-7.3.6-5.el8_4.s390x.rpm  
grafana-debuginfo-7.3.6-5.el8_4.s390x.rpm

x86_64:  
grafana-7.3.6-5.el8_4.x86_64.rpm  
grafana-debuginfo-7.3.6-5.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-31107  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFjz9zjgjWX9erEAQiR/Q/+MvAeGRr9zpOmP6dW0prqWnHUzcIgTyfA  
MdGsfAu2PACuEEGC6i8BGN/0fJmYNIkW7sAnUBKApfkIrEPNz1dyb7yN8jh3v9ld  
AbaFsLs94UXUEoYVofAk/UKSv6EpPRqPN0qGNTlhOu3SImoWo7XpdMdHpvS7v7kL  
3ChC2ANxXk6lyKiHKQeYi95eAxZMFv9EYW5MxJrn6U43wR7C9QFwq+oEXHbZ7VGB  
DW4vLtxOvxUeLyFXLaR5bn51A/uEVdQfgcF4vzfNbde4UahTIzKr9nAK2NhU0qAl  
5Qr6uiyaihgwBhhN+5khEiNAxdjhWyGWoB9xvYOjXgl2rhG+cB7zSFUd70w0BNjl  
nPGDjQ8QhMm7AopA/RE8UTDlriqfwtUuzKlRTnbLOnJ3G8AWMDX5uRU1Z7D/s2nN  
Q7+l7rAOBUmhFt7i9fTwr5BjTbIJCptm+C4X5y3DEOnAqJsa2vW1pSlFRiK5U5NB  
udAURq+yl8yhO0Jku3PtaHc5qjx6J9Qj9/MiGr3RoFiFOK1Qmo3Lr9CneQ1t5ZyI  
8age5JpSy8XsvZblF/bqm0Dz/7a+yUN/MrDgZFh5VJE5KpqV2JyzNDK5Mvdv3FtN  
XBXPltOuIjy5sdSErFFyfG81i+eFMvhEogjj57JkG7nbTkReaH9FDh3eg9tfnqrY  
feVwq9+bIKk=ZIpt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5718-01

Red Hat Security Advisory 2022-5664-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.24.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.10.24 bug fix and security update  
Advisory ID:       RHSA-2022:5664-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5664  
Issue date:        2022-07-25  
CVE Names:         CVE-2022-2403  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.24 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.10.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.24. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:5663

Security Fix(es):

* openshift: oauth-serving-cert configmap contains cluster certificate  
private key (CVE-2022-2403)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.10.24-x86_64

The image digest is  
sha256:aab51636460b5a9757b736a29bc92ada6e6e6282e46b06e6fd483063d590d62a

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.10.24-s390x

The image digest is  
sha256:156327166b54aa63fab480957717d6c30da816c892b6f8b850a7f4299dc414de

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.10.24-ppc64le

The image digest is  
sha256:accfdb7317648bcff5d236c7515b9903245e1730e9fcb98f455efc2b03b14d14

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2084187 - On-prem loadbalancer ports conflict with kube node port range  
2084629 - Navigate from logs of selected Tekton task instead of last one  
2098626 - [4.10.z backport] br-ex not created due to default bond interface having a different mac address than expected  
2099206 - 120 node baremetal upgrade from 4.9.29 --> 4.10.13  crashloops on machine-approver  
2099686 - FIPS issue on OCP SNO with RT Kernel via performance profile  
2101959 - CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certificate private key  
2106838 - Operator objects are re-created even after deleting it  
2107903 - [4.10.z] externalTrafficPolicy=Local is not working in local gateway mode RHOCP 4  
2108003 - 4.10: do not block 4.10 to 4.11 upgrades if an existing CSI driver is found. Instead, warn about presence of third party CSI driver  
2108292 - ClusterVersion history pruner does not always retain initial completed update entry

5. References:

https://access.redhat.com/security/cve/CVE-2022-2403  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFj8dzjgjWX9erEAQicrw/9HiDrNUjG6GZDFl2fhM2O57cSIJhV3Vre  
sPSw6oE3IQaULzNZ4T3i9WOTvJqVyxP5TfuFjvPxQ9OvoDUyvZG7tpgc5Z1cxCYh  
uxyutnRcapyqhJ8DnMSt6ndS/Vd+efVoVkIKmyd7SFc0D9ckJ0rNmZ917WllfBn8  
O6E92dM9Jf7bBFDZ1P+CtgMhZdD6Am9q1q9oMWb5lx4pFhrfkKKnyBzGXHlGCEJx  
YgfxySzY9wveCzxKgBy7BohQStJChuNrhMnK2uk5Ah2iRYtyrRGXjmtMjqwcBZpm  
ZwNTddoO/PM/QilaAmta4U2uSt/CHB+vLTcJixfeoJf31a4/uuGRLuY5xdp9Jy0m  
A0K1TfVVlFOZxaQB9m17Jr2mDEDwkPfVzRH3Yi5gOK4NOCyC8R6W7N8JssUa0t0M  
8fs7gyDkhoEvgCMU1nOZEpZwsHIrDGo8dTAAvphUmbI81FQFaPNQQD3Gvv0mAmP0  
BwxbE68NC0P93IYfkc8FLaAHmk6v9OXpEaDBtA6lYqUJvQmbVNqJfZea5/e9mwAt  
XjDUb1mSSSuBb5kCZ/XjoJ6PtSfuOE5HIYTekRrUObku+3+F/SZAqfAzAz6IncfY  
Rr11hPHtGxMPkSK5Fx/Tq2BdIvsAkodphs2aGs4BPC1mdtnSq8fR4317rVHZe+5p  
N0mmX4nbRJ8=qOmE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5664-01

Red Hat Security Advisory 2022-5641-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2022:5641-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5641  
Issue date:        2022-07-19  
CVE Names:         CVE-2022-32250  
====================================================================  
1. Summary:

An update is now available for Red Hat Enterprise Linux 8.4 Extended Update  
Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-32250)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2092427 - CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
kpatch-patch-4_18_0-305_10_2-1-11.el8_4.src.rpm  
kpatch-patch-4_18_0-305_12_1-1-10.el8_4.src.rpm  
kpatch-patch-4_18_0-305_17_1-1-9.el8_4.src.rpm  
kpatch-patch-4_18_0-305_19_1-1-9.el8_4.src.rpm  
kpatch-patch-4_18_0-305_25_1-1-8.el8_4.src.rpm  
kpatch-patch-4_18_0-305_30_1-1-6.el8_4.src.rpm  
kpatch-patch-4_18_0-305_34_2-1-4.el8_4.src.rpm  
kpatch-patch-4_18_0-305_40_1-1-3.el8_4.src.rpm  
kpatch-patch-4_18_0-305_40_2-1-3.el8_4.src.rpm  
kpatch-patch-4_18_0-305_45_1-1-2.el8_4.src.rpm  
kpatch-patch-4_18_0-305_49_1-1-1.el8_4.src.rpm

ppc64le:  
kpatch-patch-4_18_0-305_10_2-1-11.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_10_2-debuginfo-1-11.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_10_2-debugsource-1-11.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_12_1-1-10.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_12_1-debuginfo-1-10.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_12_1-debugsource-1-10.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_17_1-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_17_1-debuginfo-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_17_1-debugsource-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_19_1-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_19_1-debuginfo-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_19_1-debugsource-1-9.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_25_1-1-8.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_25_1-debuginfo-1-8.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_25_1-debugsource-1-8.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_30_1-1-6.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_30_1-debuginfo-1-6.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_30_1-debugsource-1-6.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_34_2-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_34_2-debuginfo-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_34_2-debugsource-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_1-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_1-debuginfo-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_1-debugsource-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_2-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_2-debuginfo-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_40_2-debugsource-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_45_1-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_45_1-debuginfo-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_45_1-debugsource-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_49_1-1-1.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_49_1-debuginfo-1-1.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_49_1-debugsource-1-1.el8_4.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-305_10_2-1-11.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_10_2-debuginfo-1-11.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_10_2-debugsource-1-11.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_12_1-1-10.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_12_1-debuginfo-1-10.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_12_1-debugsource-1-10.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_17_1-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_17_1-debuginfo-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_17_1-debugsource-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_19_1-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_19_1-debuginfo-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_19_1-debugsource-1-9.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_25_1-1-8.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_25_1-debuginfo-1-8.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_25_1-debugsource-1-8.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_30_1-1-6.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_30_1-debuginfo-1-6.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_30_1-debugsource-1-6.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_34_2-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_34_2-debuginfo-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_34_2-debugsource-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_1-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_1-debuginfo-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_1-debugsource-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_2-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_2-debuginfo-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_40_2-debugsource-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_45_1-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_45_1-debuginfo-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_45_1-debugsource-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_49_1-1-1.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_49_1-debuginfo-1-1.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_49_1-debugsource-1-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFj49zjgjWX9erEAQhzbg//YQVpllplt9m8RinEY3mL5oG1mDLt4rat  
rKLhkymEbHaox+OoT9KotX+Op7GK+xvlT8j8vFKaV/GNtxATJ2Y0zLEgSnMXGNIQ  
B0tDXn0QOkubEpsl1e02Zer0GSQVj3mCs4C3jm9itJkknq+bqVQpgKvkfPDM9l6R  
qTsCSIx1pSVwE97cMwXU0Lm6IrAZHu4zseR1mubomBMtqtuOK41sQJHed8QlkoiX  
ATSNO5C40IRJvQqnDJjE0LJ/3CehjyaMQJrwYiTsF48wrwUC400GDiMD0xnIjFnu  
8pO6mvfc1omp4ITK8pfFTUI4EHWSRSSgwTz1J4CK+8XD3cDuv7psB2b27jx+61pM  
9M+DjUTq7QGKj7IrBeo5pqtZCEDolz6SNC/hHxoV0s/szcfKf4MmrrTqKF/Cz0pG  
d6y83iW2olwmCsYqh1oIRcBBwVCwzzht5trpXRC3yag6B3/mIuJ0MHE26z3H+5GK  
BdLpwZkmBDPmsv7oc4Yl6PAwYLLXfa+qY1bnFEH1LCVXsS4cheDlEkahO5WSKdGp  
aruGRWwa/TvAlcfvMxh5Zw+kj2sZO+HZ5OhigHTUGMhWb6mhthd5PHElh4daaofa  
jwMOtjsoTRSb0dNjDCHypeIqqHOBTqX0qw+H+e6imRi9HT5xVDTXGq3mjD544bmt  
wF08BCh2kKE=IqpZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5641-01

Red Hat Security Advisory 2022-5004-01 - Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Critical: Red Hat OpenShift Service Mesh 2.1.3 security update  
Advisory ID:       RHSA-2022:5004-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5004  
Issue date:        2022-06-13  
CVE Names:         CVE-2022-23772 CVE-2022-23773 CVE-2022-23806  
                   CVE-2022-29224 CVE-2022-29225 CVE-2022-29226  
                   CVE-2022-29228 CVE-2022-31045  
====================================================================  
1. Summary:

Red Hat OpenShift Service Mesh 2.1.3 has been released.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 2.1 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio  
service mesh project, tailored for installation into an on-premise  
OpenShift Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* envoy: oauth filter allows trivial bypass (CVE-2022-29226)  
* envoy: Decompressors can be zip bombed (CVE-2022-29225)  
* envoy: oauth filter calls continueDecoding() from within decodeHeaders()  
(CVE-2022-29228)  
* golang: math/big: uncontrolled memory consumption due to an unhandled  
overflow via Rat.SetString (CVE-2022-23772)  
* golang: cmd/go: misinterpretation of branch names can lead to incorrect  
access control (CVE-2022-23773)  
* golang: crypto/elliptic IsOnCurve returns true for invalid field elements  
(CVE-2022-23806)  
* envoy: Segfault in GrpcHealthCheckerImpl (CVE-2022-29224)  
* Istio: Unsafe memory access in metadata exchange (CVE-2022-31045)

For more details about the security issues, including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE page  
listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the  
features and known issues. See the link in the References section.

5. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements  
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString  
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control  
2088737 - CVE-2022-29225 envoy: Decompressors can be zip bombed  
2088738 - CVE-2022-29224 envoy: Segfault in GrpcHealthCheckerImpl  
2088739 - CVE-2022-29226 envoy: oauth filter allows trivial bypass  
2088740 - CVE-2022-29228 envoy: oauth filter calls continueDecoding() from within decodeHeaders()  
2088819 - CVE-2022-31045 Istio: Unsafe memory access in metadata exchange.

6. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1107 - Take jwksResolverExtraRootCA out of TechPreview  
OSSM-1614 - RPM Release for Maistra 2.1.3

7. Package List:

OpenShift Service Mesh 2.1:

Source:  
servicemesh-2.1.3-1.el8.src.rpm  
servicemesh-operator-2.1.3-2.el8.src.rpm  
servicemesh-prometheus-2.23.0-7.el8.src.rpm  
servicemesh-proxy-2.1.3-1.el8.src.rpm  
servicemesh-ratelimit-2.1.3-1.el8.src.rpm

noarch:  
servicemesh-proxy-wasm-2.1.3-1.el8.noarch.rpm

ppc64le:  
servicemesh-2.1.3-1.el8.ppc64le.rpm  
servicemesh-cni-2.1.3-1.el8.ppc64le.rpm  
servicemesh-operator-2.1.3-2.el8.ppc64le.rpm  
servicemesh-pilot-agent-2.1.3-1.el8.ppc64le.rpm  
servicemesh-pilot-discovery-2.1.3-1.el8.ppc64le.rpm  
servicemesh-prometheus-2.23.0-7.el8.ppc64le.rpm  
servicemesh-proxy-2.1.3-1.el8.ppc64le.rpm  
servicemesh-proxy-debuginfo-2.1.3-1.el8.ppc64le.rpm  
servicemesh-proxy-debugsource-2.1.3-1.el8.ppc64le.rpm  
servicemesh-ratelimit-2.1.3-1.el8.ppc64le.rpm

s390x:  
servicemesh-2.1.3-1.el8.s390x.rpm  
servicemesh-cni-2.1.3-1.el8.s390x.rpm  
servicemesh-operator-2.1.3-2.el8.s390x.rpm  
servicemesh-pilot-agent-2.1.3-1.el8.s390x.rpm  
servicemesh-pilot-discovery-2.1.3-1.el8.s390x.rpm  
servicemesh-prometheus-2.23.0-7.el8.s390x.rpm  
servicemesh-proxy-2.1.3-1.el8.s390x.rpm  
servicemesh-proxy-debuginfo-2.1.3-1.el8.s390x.rpm  
servicemesh-proxy-debugsource-2.1.3-1.el8.s390x.rpm  
servicemesh-ratelimit-2.1.3-1.el8.s390x.rpm

x86_64:  
servicemesh-2.1.3-1.el8.x86_64.rpm  
servicemesh-cni-2.1.3-1.el8.x86_64.rpm  
servicemesh-operator-2.1.3-2.el8.x86_64.rpm  
servicemesh-pilot-agent-2.1.3-1.el8.x86_64.rpm  
servicemesh-pilot-discovery-2.1.3-1.el8.x86_64.rpm  
servicemesh-prometheus-2.23.0-7.el8.x86_64.rpm  
servicemesh-proxy-2.1.3-1.el8.x86_64.rpm  
servicemesh-proxy-debuginfo-2.1.3-1.el8.x86_64.rpm  
servicemesh-proxy-debugsource-2.1.3-1.el8.x86_64.rpm  
servicemesh-ratelimit-2.1.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-23772  
https://access.redhat.com/security/cve/CVE-2022-23773  
https://access.redhat.com/security/cve/CVE-2022-23806  
https://access.redhat.com/security/cve/CVE-2022-29224  
https://access.redhat.com/security/cve/CVE-2022-29225  
https://access.redhat.com/security/cve/CVE-2022-29226  
https://access.redhat.com/security/cve/CVE-2022-29228  
https://access.redhat.com/security/cve/CVE-2022-31045  
https://access.redhat.com/security/updates/classification/#critical  
https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFj49zjgjWX9erEAQgckw//dWuW9UCVvebhaNN2VyMupXOGEXMXlBp2  
RUbS4wp6/7x9c8UOvcBWhZORVzZ+MNRYp2137Otb0YB17LTs8VAzsLiU5bTvc//y  
CE4Cwfqg/RPoNOFZHnjHDRoldK42L0Wqon/+e6fYbjRL8ECbwnMOLl3qKbhuigi1  
tLm5naN3Y7U4F+R6Fgi7iniL9cYmAd+Y3BlDij8Wf6PJSHUfSh6PaduYgnXavS7p  
u6Vzg3QKqFDKyU2nXKNSB9VsJ7mMs0Nza6tfpAwhoIO36D54NqgTCBMgxKdnohhM  
ZIBVqFVAxABDKlsMoMG2dfJR7c+aHTGC4PC53b/KTU+f+F9uBbk5OpXEjCODe+K3  
4mmq3CoeTKE+HGhb3hCbO+X3jhG2wWK8fRcgsYagbszH5zHqnfM5YDVYvH/EMlun  
gXcS/sFoATqwf2nxenPYzQrkJKwUBL+74jWLshK44PvlR0n1EWUPGrHeMymGWWz8  
8BB9e6GVEqPRqW2AQKkuEqardLZRHuERkP9g6GSfxi7pXU5phDWF+c3tC5klGhew  
ffIvOsvBmcpov+5W+p4vHTNW/3gATrCDFvT9fJBOMGLNk6LzTHqoxqB5Ev+qgRBo  
UcZRaTlTTwiBf5NcYTBPLvoqjilahFpA1kKkN/YTCHePtHy7bY1L8MveVsV6MW0d  
a36YRXXR0DcÞmi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5004-01

Red Hat Security Advisory 2022-5719-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: grafana security update  
Advisory ID:       RHSA-2022:5719-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5719  
Issue date:        2022-07-26  
CVE Names:         CVE-2022-31107  
====================================================================  
1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives  
a detailed severity rating, is available for each vulnerability from the  
CVE  
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor  
for  
Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* grafana: OAuth account takeover (CVE-2022-31107)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2104367 - CVE-2022-31107 grafana: OAuth account takeover

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:  
grafana-6.3.6-5.el8_2.src.rpm

aarch64:  
grafana-6.3.6-5.el8_2.aarch64.rpm  
grafana-azure-monitor-6.3.6-5.el8_2.aarch64.rpm  
grafana-cloudwatch-6.3.6-5.el8_2.aarch64.rpm  
grafana-debuginfo-6.3.6-5.el8_2.aarch64.rpm  
grafana-elasticsearch-6.3.6-5.el8_2.aarch64.rpm  
grafana-graphite-6.3.6-5.el8_2.aarch64.rpm  
grafana-influxdb-6.3.6-5.el8_2.aarch64.rpm  
grafana-loki-6.3.6-5.el8_2.aarch64.rpm  
grafana-mssql-6.3.6-5.el8_2.aarch64.rpm  
grafana-mysql-6.3.6-5.el8_2.aarch64.rpm  
grafana-opentsdb-6.3.6-5.el8_2.aarch64.rpm  
grafana-postgres-6.3.6-5.el8_2.aarch64.rpm  
grafana-prometheus-6.3.6-5.el8_2.aarch64.rpm  
grafana-stackdriver-6.3.6-5.el8_2.aarch64.rpm

ppc64le:  
grafana-6.3.6-5.el8_2.ppc64le.rpm  
grafana-azure-monitor-6.3.6-5.el8_2.ppc64le.rpm  
grafana-cloudwatch-6.3.6-5.el8_2.ppc64le.rpm  
grafana-debuginfo-6.3.6-5.el8_2.ppc64le.rpm  
grafana-elasticsearch-6.3.6-5.el8_2.ppc64le.rpm  
grafana-graphite-6.3.6-5.el8_2.ppc64le.rpm  
grafana-influxdb-6.3.6-5.el8_2.ppc64le.rpm  
grafana-loki-6.3.6-5.el8_2.ppc64le.rpm  
grafana-mssql-6.3.6-5.el8_2.ppc64le.rpm  
grafana-mysql-6.3.6-5.el8_2.ppc64le.rpm  
grafana-opentsdb-6.3.6-5.el8_2.ppc64le.rpm  
grafana-postgres-6.3.6-5.el8_2.ppc64le.rpm  
grafana-prometheus-6.3.6-5.el8_2.ppc64le.rpm  
grafana-stackdriver-6.3.6-5.el8_2.ppc64le.rpm

s390x:  
grafana-6.3.6-5.el8_2.s390x.rpm  
grafana-azure-monitor-6.3.6-5.el8_2.s390x.rpm  
grafana-cloudwatch-6.3.6-5.el8_2.s390x.rpm  
grafana-debuginfo-6.3.6-5.el8_2.s390x.rpm  
grafana-elasticsearch-6.3.6-5.el8_2.s390x.rpm  
grafana-graphite-6.3.6-5.el8_2.s390x.rpm  
grafana-influxdb-6.3.6-5.el8_2.s390x.rpm  
grafana-loki-6.3.6-5.el8_2.s390x.rpm  
grafana-mssql-6.3.6-5.el8_2.s390x.rpm  
grafana-mysql-6.3.6-5.el8_2.s390x.rpm  
grafana-opentsdb-6.3.6-5.el8_2.s390x.rpm  
grafana-postgres-6.3.6-5.el8_2.s390x.rpm  
grafana-prometheus-6.3.6-5.el8_2.s390x.rpm  
grafana-stackdriver-6.3.6-5.el8_2.s390x.rpm

x86_64:  
grafana-6.3.6-5.el8_2.x86_64.rpm  
grafana-azure-monitor-6.3.6-5.el8_2.x86_64.rpm  
grafana-cloudwatch-6.3.6-5.el8_2.x86_64.rpm  
grafana-debuginfo-6.3.6-5.el8_2.x86_64.rpm  
grafana-elasticsearch-6.3.6-5.el8_2.x86_64.rpm  
grafana-graphite-6.3.6-5.el8_2.x86_64.rpm  
grafana-influxdb-6.3.6-5.el8_2.x86_64.rpm  
grafana-loki-6.3.6-5.el8_2.x86_64.rpm  
grafana-mssql-6.3.6-5.el8_2.x86_64.rpm  
grafana-mysql-6.3.6-5.el8_2.x86_64.rpm  
grafana-opentsdb-6.3.6-5.el8_2.x86_64.rpm  
grafana-postgres-6.3.6-5.el8_2.x86_64.rpm  
grafana-prometheus-6.3.6-5.el8_2.x86_64.rpm  
grafana-stackdriver-6.3.6-5.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-31107  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFjxdzjgjWX9erEAQi2gg/+Mbhoq3V0HDfeqYn9DiYBkMl82dxFNSot  
H1YvcnX8cbK9x9smkF0pU7RYi9lMN3AlF/T/GD8AObsJSk1VLtvAs1I0k246OJnz  
Vzsvr0Yj0K0ypREv5kLxaTzQ4qoDPpXdgBwxxRItJAtWDVlWffun54cNzDL8D9Qg  
zkuRk2D2REC1W8g3AMUt9ClcpwNCfFVqJwB4OZstTkP6XherWuTjPJ99oh0kvYPG  
jbP8QI4TYHok9SfvRVPGjR8t8z5/6xhh4nw5rIBp/VlYbFS1SGvpLyx35jnv7LLM  
q8wqkUYrGlfMa4salHipCqIqjrOh3XkYx/h3wHJNPac5OD4JjZQSRGaPAw/CYJZH  
xxuScr4GeYBIQAuFLWgxU0uUufkPo85Ek+4uCGLtz1OmLCvlhBPPtttq9JtWcXIP  
tqbl5WT8LwTsUWlojxWT/X92Rq3IQXoEjFChaaJsg/5tjHo0B6p7yevldaMUOQsY  
cL0RXiI4MO7dNEGTaGu/pUnMzQe4x7h6WO1I9EX4OrvwAldpU4Uq2bxlemEOjEv4  
VeoNYVmOM45Tp78KKrDEiF094fxSgZmcLDCzganHTjfk0/xMEAbTMrn9U8xihXk/  
wiPcWYR3Tazsus2Bs26q3ElADirgTwRIVN0MzPkcrl4krrLyBZd4/6FVc0zYchKZ  
pFDHhfWaSWY=+SbP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5719-01

Red Hat Security Advisory 2022-4931-01 - The RHV-M Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: RHV Appliance (rhvm-appliance) security update [ovirt-4.5.0]  
Advisory ID:       RHSA-2022:4931-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4931  
Issue date:        2022-06-07  
CVE Names:         CVE-2021-3677  
====================================================================  
1. Summary:

Updated RHV-M Appliance packages that fix several bugs and add various  
enhancements are now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Hypervisor for RHEL 8 - x86_64  
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - x86_64

3. Description:

The RHV-M Appliance automates the process of installing and configuring the  
Red Hat Virtualization Manager. The appliance is available to download as  
an OVA file from the Customer Portal.

Security Fix(es):

* postgresql: memory disclosure in certain queries (CVE-2021-3677)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

Bug Fix(es):

* RHV-M Appliance rebased on RHEL 8.6 (BZ#1997073)

* Previously, a self-hosted engine deployment failed when an OpenSCAP  
security profile was applied, resulting in the SSH key permissions being  
changed to 0640. In this release, the permissions are not changed and the  
deployment succeeds. (BZ#2011309)

* rng-tools, rsyslog-gnutls, usbguard packages added to the RHV-M Appliance  
to comply with DISA-STIG profile requirements (BZ#2070963)

* OVA package manifest added to the RHV-M Appliance RPM. (BZ#2070980)

* Previously, the nodejs package was downgraded during the RHV-M  
installation.  
In this release, the correct version of the nodejs package is installed and  
maintained. (BZ#2075852)

* RHV-M Appliance rebased on Ceph 4.3 (BZ#2090137)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5. Bugs fixed (https://bugzilla.redhat.com/):

1958396 - RHV installation process downgrades some packages  
1997073 - Rebase RHV-M Appliance on RHEL 8.6.0  
2001857 - CVE-2021-3677 postgresql: memory disclosure in certain queries  
2011309 - sshd service fails to start after rebooting to apply FIPS settings  
2050071 - Use authselect in RHV-H and appliance images  
2056146 - Hosted engine deployed failed since no enabled repositories can be found for engine setup.  
2070963 - Include packages needed by DISA STIG  
2070980 - [RFE] Include a manifest in the rpm  
2073965 - [Hosted Engine]Error message  "Destination directory /etc/fapolicyd/rules.d does not exist" is displayed but it is existed  
2075852 - nodejs module not enabled causes nodejs downgrade to version 10  
2090137 - Rebase rhvm-appliance on ceph 4.3

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:  
rhvm-appliance-4.5-20220603.1.el8ev.src.rpm

x86_64:  
rhvm-appliance-4.5-20220603.1.el8ev.x86_64.rpm

Red Hat Virtualization 4 Hypervisor for RHEL 8:

Source:  
rhvm-appliance-4.5-20220603.1.el8ev.src.rpm

x86_64:  
rhvm-appliance-4.5-20220603.1.el8ev.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3677  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFj29zjgjWX9erEAQjj7RAAluJoSnFbhfCHvE/0HwzZIXt+LC5+QPor  
HffFFR3MtPWTmQtlJCuFoyhRfBNU7CgUyEyOJI3BKycXv/NlpVRDQroRWQPz0tLF  
ZmwByCjauSZ4OLCikYLDuIuZUHZPWWOLAh9d0wP1Im9GvYkaKiTIjvLMNsQt5U8h  
NTADL/9OJMXpFDa6IvfpeBZXDnYUYUZEYhFKfZTHuSeOHcsRnPPRd3TcikLroxma  
+Rqwn4VkN2CnJS0Z8XYf6Y7PCOif0ynxE7GH5xOEJ9qT36ikjw427bOBSMB4xU6K  
0JWvYMVPv7d9BNxQhJe1F+Eg/vKLe6fZp1LLPS8BSK4uWoFsUOYaGDiPk/JdWUon  
1YrH96YphQYxBtOz+4DITFsMe8TV9uDbq1P3zlHdCFRaCTiZFX0wk3ZgRvnF7TP2  
9pWV0LEUwgjHs7nlVkdAxqQGJEz3U+CcGlwW9T4pji86J+nszzqZY9vdVcgMUetv  
4jbVFkMr4bSoJwjIQVTSC5/BgbBvdG0cgGLNeamYfBXN5MROE2MkLR9n+PIrTUGG  
vmaS+Ak8yNDX2r7P2dh62ebncnNu2z7gVl9DY3NwbxWArCvdxE9P0JfB7ogvLxv7  
F1aHF4dJYnd3ABkmIvdTyWo8lLMH/EKPaxCCp489q4WJvOG9L+xH6l+SYoKA6x5t  
OUChjlkp1dQ=hW7D  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js