Red Hat Security Advisory 2024-3421-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3421.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:3421-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3421  
Issue date:         2024-05-28  
Revision:           03  
CVE Names:          CVE-2023-4244  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation (CVE-2023-6240)

* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* CVE-2024-25743 hw: amd: Instruction raise #VC exception at exit (AMD-SN-3008,CVE-2024-25742,CVE-2024-25743)

* kernel: netfilter: nftables: exthdr: fix 4-byte stack OOB write (CVE-2023-52628)

* kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction (CVE-2023-4244)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

Bug Fix(es):

* kdump 2nd kernel panic in call trace tick_handle_periodic (JIRA:RHEL-32889)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4244

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2235306  
https://bugzilla.redhat.com/show_bug.cgi?id=2250843  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2270836  
https://bugzilla.redhat.com/show_bug.cgi?id=2272041

Red Hat Security Advisory 2024-3421-03

Red Hat Security Advisory 2024-3418-03 - An update for rust is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3418.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: rust security updateAdvisory ID:        RHSA-2024:3418-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3418Issue date:         2024-05-28Revision:           03CVE Names:          CVE-2023-38497====================================================================Summary: An update for rust is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Rust Toolset provides the Rust programming language compiler rustc, the cargobuild tool and dependency manager, and required libraries.Security Fix(es):* rust-cargo: cargo does not respect the umask when extracting dependencies(CVE-2023-38497)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38497References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2228038

Red Hat Security Advisory 2024-3418-03

Red Hat Security Advisory 2024-3417-03 - An update for mod_http2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3417.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_http2 security updateAdvisory ID:        RHSA-2024:3417-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3417Issue date:         2024-05-28Revision:           03CVE Names:          CVE-2024-27316====================================================================Summary: An update for mod_http2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.Security Fix(es):* httpd: CONTINUATION frames DoS (CVE-2024-27316,VU#421644.4)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27316References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268277

Red Hat Security Advisory 2024-3417-03

Red Hat Security Advisory 2024-3414-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3414.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:3414-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3414  
Issue date:         2024-05-28  
Revision:           03  
CVE Names:          CVE-2023-4244  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation (CVE-2023-6240)

* kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* kernel: netfilter: nftables: exthdr: fix 4-byte stack OOB write (CVE-2023-52628)

* kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction (CVE-2023-4244)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817) 

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-9.0.z Batch 17 (JIRA:RHEL-32673)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4244

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2235306  
https://bugzilla.redhat.com/show_bug.cgi?id=2250843  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2272041

Red Hat Security Advisory 2024-3414-03

Debian Linux Security Advisory 5699-1 - Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5699-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : redmineCVE ID         : CVE-2023-47258 CVE-2023-47259 CVE-2023-47260Multiple cross-site scripting vulnerabilities were found in Redmine,a project management web application.For the stable distribution (bookworm), these problems have been fixed inversion 5.0.4-5+deb12u1.We recommend that you upgrade your redmine packages.For the detailed security status of redmine please refer toits security tracker page at:https://security-tracker.debian.org/tracker/redmineFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0gACgkQEMKTtsN8TjbXDhAAlwLX55/MEXwBGXK2/diyo0jALkcur3+674tfQQGzTDeOzN9LVxJLLSS6FkgJEv/9bW/EjRpltBR64eqPjJC8JSmiqcEC7YU0paZi4gKyurBBy1F5hI2kHHFNM9KzjIh44Wak6W/3PtJHw8nClZMG2uJZFiXhqzrR1Gv+NWlFILhNyB1RGzB5hQYr2/arb7tEj4heXGWtahrbzi7YZS5a0aREK0nQ7y09DCYpvlJTlpt3almGxPJhpbyzRTwhRMrOTOZJHfwAwxjND2xmblfvkeQxLrNbBBEO9NO18cN69lOMA/sG3haMMkVKRpZFIaEl+F8t0WIqlAog4JjiivrhkFL3Px4uthuD0HzAzxveHvC9rgqPWUOre2eLBONo74Wsx5kY+gY7RZyNJRQ7VRk71lRlqAlGSofJ9ckfOincXV8lT7DEEcki42Qhrx8Fw682z5m+ozyaI0FBK4yiKiZ44bgjIb166paoxhA+H9WiubhR70Z2SMUG2x7IqktbTa+oboSXOc2zYDFpIa5XWXWJz6OspHBxGE7JF+Zs/eRhxXsAJb/diJB6msgDGTFAmynvAifcfDHczRqG56AG8jVku4nIGT0Q7INAeukhdWUU5jyqYrcF0UoPa+c+NW4g5CZNACKjpFAIwo+WJceUMsgVy8ZvIV/IRH12XtslD50K1yM==Fejb-----END PGP SIGNATURE-----

Debian Security Advisory 5699-1

Debian Linux Security Advisory 5698-1 - Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5698-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146Multiple security issues were found in Rack, an interface for developingweb applications in Ruby, which could result in denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 2.2.6.4-1+deb12u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0YACgkQEMKTtsN8TjaEDQ/+In6arFD5sCgR6IZW2RiwAgBlLY9SAPlcuSI4qYkoN3JDMsm3dWV38UEOIwhvEiNpOXRiHCi4V15Eo92I1ayKJIZYM9n5B1pjGQrci5tl1cnFIfhfkIEjRET7OFRgL6TYgzsc5PKmlBNmff/yQOPXdw2q8dfgJkBb9Nc7GUxrhnsAdy/5mrW9NgSPerd65rYZ3NcGpSCiKcUcweatBalf2GycXFXSNzUlYw4nGuEOM5P4uyB8TI0lhaxy+hQA24fVGfKIldSHvQu4gs2jN2CaCNp4KyV5SkAtK7lBTxWMihmXwhzvpGeKF/ABokicqj4AC/T1BhjqS7S5/CjScmJwwkOcpaNhcqoI9wmFkx/bVYbQGmFuYPibziBHfBeucZhCFW2zhxSGYX/oWx/V4J3kBwMMUll4pI3AM0SEs/loeU3k+eLR7mq1ElcLt+IOmQpwNIIuvy/r8wvSySBLXu07b1lS29LMtqk3qXdb3HO6e2QznIdW6CatcewEc6uWOAzUBSFwvA1kgXWFqT9gj17RQ6VdMAdOw+5dkWIbJrWeJfiDdlT6R0KWpAfExQFzLbywtKJAtOnS7v+jyBkPlTg5Rz6z7o6PCf5fYA42FnI6p5AAryPvEupbiE6N72K1+8x+mDeiPFLlmrlP3tUsdhVwSfD5AEO+Qiyi04rYY7w55RM==9BYJ-----END PGP SIGNATURE-----

Debian Security Advisory 5698-1

Debian Linux Security Advisory 5697-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-5274 exists in the wild.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5697-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 24, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-5274A security issue was discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure. Google is aware that an exploit for CVE-2024-5274 existsin the wild.For the stable distribution (bookworm), this problem has been fixed inversion 125.0.6422.112-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZQvDgACgkQZF0CR8NudjemlQ//Q1bTXczbYNw/gT4PCqkr956Xe0sR9tQ660X/281kR132ri1mfMfU7WT8HCmvM3aL7r9gy5ia9RCtvThRjde7CNrI4fDux6YIsv5xnfyalcxDDjXN9uz2Iy1JMq3fRjH2MhR0zK6vNiovc8DI0BcC2sWiBy3OiXIewkzO0sq54Z8g3Q/VZq9waNAAhbW7GhznVCqC1KQOzYT6/bLi9WshF9x8tOmfbNVzqBVQ2vQIJsr02gQ+kygohuNBqJjHvkt7IgkawsdQCcxLrlM/Wwa+YYTSKtjEmFG4uoL3jvFS3uRiXoSmFBrawaS/KVQ267IiXu9qt5gn/SfXLgH2/ERau9csmLW0hlX3QeHodLD/msFNRHpMKgIplkvehP0qYqcDLGhgvP2ZmaBJMq0eU/SVB+2BKYN9SrWGSG+AHalkCGqmFzlEgbhui2zsoH9hf41uaFiRSs9sr8eMVCP2q8JXXlZAEoCi1HfP0/nbwyfsKGQ2+vn4/kzQd/HaML9JeY57rfOS7E2F2hO2xpadYJtzA6+FY8nlv9Jh6UmgpvOMTYDdITuIS5nUy2AAhIBMgHVBnIrkcxFhbkfBCyDkDKIvQeIVxy6zFpRwvBaGpJCWsMgaTs2ibWX67G6tVZmu0iDpaS86cHK4OnQmgXY6HX02iSM6te88FGl61g7qbk7hbK4==JmnS-----END PGP SIGNATURE-----

Debian Security Advisory 5697-1

Debian Linux Security Advisory 5696-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5696-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 22, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 125.0.6422.76-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZOH24ACgkQZF0CR8Nudjeemg//Y1GqBjx++55D6XDRa23a2g0T4Y7TxemSEojcb8jR7JaVfFroql0d8fFymFyHjS9tk2dV2naoKjaOWmm87IHjGv1bQxr8b9/2qjPp5+cf7lu02jTEwSo6SroqserY1NuuJUyQfCs6K48wOjAoRDsrYHMXt2Db7Pu+nev0KB3mFWBfWrTErRQf5yoh0PxSik3hutUn8pGuLiiZZxrWsHopi+qyPSWPQU0O9o+u5jvtsmuVH1lmbu8B/QC66UWcEAWPlzstnJWf5i+4OoJA+go8jo/Z2UvRn7gEmMeUb0ykrVLJB3DY22iNrb+/801KxD2qrwZHOGR0Xm7ImnZrYG4VlWPJZjZ1AcMSZYb/cvMLaQ8Y+5k0wBipep1ICCD4/WvTN00a0D3OHIwpS2T5+gxRfQ3TWhQ6pfH90lzZZdxELOXeuiFZebW22aBjd+h5a97WPvYKoDpgM+em7a1k3cixfFucakEQA7FL5ovPmwFc9N59l/rjeFtu5QOptgq//rgj0N1EC7REAL7FWtiu8u8KOSB/sF5P9+GfWEEroHpm8ScfzBzV95Z6bYrET8qQnvGnSGz9ESaEb6W83v5oMPU54h03Xwm3gQRJqf89ke6UJYEIVkyeN5x6F2T+DUqTHhqQ5eZP8nl320BG516JXmw6jjsBF4SJeYXn/R/KFAg5Lq0==lRoo-----END PGP SIGNATURE-----

Debian Security Advisory 5696-1

Debian Linux Security Advisory 5695-1 - Manfred Paul discovered that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication in the WebKitGTK web engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5695-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
May 22, 2024                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-27834

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-27834

   Manfred Paul discovered that an attacker with arbitrary read and  
   write capability may be able to bypass Pointer Authentication.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.44.2-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.44.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmZNsSQACgkQAAyEYu0C  
2AL2wxAAnx+ORCkML2MQZukV0lBt7yHzBHWaZHDWF8C3hbo8DPxqpNPGSRwpLb6M  
xzRbW+7LvdlQUuSEMs0ms00jh1wkmQh1cAa09n778+pYhu5oLm09HOU51ybWaWRM  
gojJiHC6svqhov5vxtqbSTUrpXzGQhp9ZYUAyCI49eJSzROIdk188CHHY1PxHZH1  
nwlQddTeaL63f+0nyXzHomFtgOhyA6ESmVgunS8/yoIxQUOn3T6MQOvdKlizMJAr  
watZ4fQq69AEqFMC2x8cCIZ6zZAhu4dLwagnundEdwZxeKRa6vAv6N5BLFx9lC8q  
HARmaMttDl1+3AMHwMiZDqdNt++L4Ldgy26PJQa8hsDlAmXQsR5qtR/xmS7+l6AN  
euXWeyF2DBM3GZgRzsACFJsnqYkQ9snQZdSYzHi2//xyskTpyHxYwMp/wFp4Kirt  
F05d66TocWkWviuYddytl0cRGb3X1I7pB+8vkw90ugIMJKFxh6cXDDPch6kTdMLg  
YPsSxV8/h1jcxr5MgST1LntvvhgGT70YV9HWJleQ33bmWqEQ6xF7vrIsKy3MiFx1  
jKGoI7GvgOrWRDUIZuw4680f9Hv4Cpz4R0uKMOS4wTbrEQkhv96E/sAcER8P9VYm  
9U6AuFAoA5KRU8BysUD3A/PzHo+wKwTSBUuKUGex8HnPIfmUEyw=  
=yLoR  
-----END PGP SIGNATURE-----

Debian Security Advisory 5695-1

Red Hat Security Advisory 2024-3347-03 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3347.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3 security updateAdvisory ID:        RHSA-2024:3347-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3347Issue date:         2024-05-23Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)* python: The zipfile module is vulnerable to zip-bombs leading to denial of service (CVE-2024-0450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518https://bugzilla.redhat.com/show_bug.cgi?id=2276525

Tag

#linux