Red Hat Security Advisory 2023-2948-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include an insecure handling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: device-mapper-multipath security and bug fix update  
Advisory ID:       RHSA-2023:2948-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2948  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-41973  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: multipathd: insecure handling of files in  
/dev/shm leading to symlink attack (CVE-2022-41973)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2110485 - when running iscsiadm login and quick logout the logout didn't run as expected  
2123446 - [RHEL8.4] system hung at Started cancel waiting for multipath siblings of x [rhel-8.8.0]  
2123894 - CVE-2022-41973 device-mapper-multipath: multipathd: insecure handling of files in /dev/shm leading to symlink attack  
2126714 - Multipath segfault after running newest patched version  
2128885 - Race condition causes kpartx to create a dm device which uses itself as part of the target, creating an infinite recursion  
2141996 - There is no historical-service-time path selector in multipath.conf man page  
2155560 - multipath doesn't verify the argument count in config option strings it passes to the kernel  
2166468 - multipath devices that need both a table reload and a rename only get renamed on multipathd startup

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
device-mapper-multipath-0.8.4-37.el8.src.rpm

aarch64:  
device-mapper-multipath-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-libs-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.aarch64.rpm  
kpartx-0.8.4-37.el8.aarch64.rpm  
kpartx-debuginfo-0.8.4-37.el8.aarch64.rpm  
libdmmp-0.8.4-37.el8.aarch64.rpm  
libdmmp-debuginfo-0.8.4-37.el8.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-libs-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.ppc64le.rpm  
kpartx-0.8.4-37.el8.ppc64le.rpm  
kpartx-debuginfo-0.8.4-37.el8.ppc64le.rpm  
libdmmp-0.8.4-37.el8.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-37.el8.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-libs-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.s390x.rpm  
kpartx-0.8.4-37.el8.s390x.rpm  
kpartx-debuginfo-0.8.4-37.el8.s390x.rpm  
libdmmp-0.8.4-37.el8.s390x.rpm  
libdmmp-debuginfo-0.8.4-37.el8.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-libs-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-libs-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.x86_64.rpm  
kpartx-0.8.4-37.el8.x86_64.rpm  
kpartx-debuginfo-0.8.4-37.el8.i686.rpm  
kpartx-debuginfo-0.8.4-37.el8.x86_64.rpm  
libdmmp-0.8.4-37.el8.i686.rpm  
libdmmp-0.8.4-37.el8.x86_64.rpm  
libdmmp-debuginfo-0.8.4-37.el8.i686.rpm  
libdmmp-debuginfo-0.8.4-37.el8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
device-mapper-multipath-debuginfo-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-devel-0.8.4-37.el8.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.aarch64.rpm  
kpartx-debuginfo-0.8.4-37.el8.aarch64.rpm  
libdmmp-debuginfo-0.8.4-37.el8.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-devel-0.8.4-37.el8.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.ppc64le.rpm  
kpartx-debuginfo-0.8.4-37.el8.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-37.el8.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-devel-0.8.4-37.el8.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.s390x.rpm  
kpartx-debuginfo-0.8.4-37.el8.s390x.rpm  
libdmmp-debuginfo-0.8.4-37.el8.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-devel-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-devel-0.8.4-37.el8.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-37.el8.x86_64.rpm  
kpartx-debuginfo-0.8.4-37.el8.i686.rpm  
kpartx-debuginfo-0.8.4-37.el8.x86_64.rpm  
libdmmp-debuginfo-0.8.4-37.el8.i686.rpm  
libdmmp-debuginfo-0.8.4-37.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41973  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNurtzjgjWX9erEAQh1NBAAjFEezuYNzkff7HhFepe9UFCcgjFd6G4K  
3xgCjuaECViFZMNtRwoasbVVSez9ZTARyq+uDXVi8B/YbpBYNwh7700BD9ySiqBZ  
0ISV00BUXTu957vIiuQxJaKI4tX4dcllllRyN5TW29Ura3bzsYKaNUlx3sypw7oS  
6qcJ+PKrg+DA9+SkfF27EEHilEp6ob/lD58Fbp8rtzfexsY0c1/qr0xOr/84oBfN  
GHGQvPjM6ofpYZemz4ANkqTaoX5PXpYmSzJXQwzuT54pejckliAni8PyhQ1Ev9/y  
dEb/hFnhQkZMW01xqg/tLXSo088IdyQ4WmmKfhRQBT/yvr3VapX555SrBGS+TzgA  
3w+u9CSKH3dDvU3xIei1+LdPvc1mZsyXTS70GD4OnPYdHlVLpDKMeJpZN9gX0WY5  
+pu4oMlQoF8KcGW9K3EV56C5k6oF+jOvC4ri/MN3zVxeMk3c8PpyjavWyVsIsuQQ  
kzavaqKSZ4reMURpSx0ydBd/AsnXbCXuir6exaUNXJBtZsK097vKZDCkxR9N1Gqa  
eTd5DzjaB4THLwDpaOK83IF3GzFDPxqE5okd5nGjP8qsfKHloCrUiHlmK/zkBL8t  
615pqJrZu9AgN40da6VWpRNdjPg6S+hh7HnwFln3T2YD557QT4OfNTiindWh+kn1  
SeixpAMu2Cc=rOow  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2948-01

Red Hat Security Advisory 2023-2870-01 - FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Issues addressed include an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: freeradius:3.0 security update  
Advisory ID:       RHSA-2023:2870-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2870  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-41859 CVE-2022-41860 CVE-2022-41861  
====================================================================  
1. Summary:

An update for the freeradius:3.0 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeRADIUS is a high-performance and highly configurable free Remote  
Authentication Dial In User Service (RADIUS) server, designed to allow  
centralized authentication and authorization for a network.

Security Fix(es):

* freeradius: Information leakage in EAP-PWD (CVE-2022-41859)

* freeradius: Crash on unknown option in EAP-SIM (CVE-2022-41860)

* freeradius: Crash on invalid abinary data (CVE-2022-41861)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2078483 - CVE-2022-41859 freeradius: Information leakage in EAP-PWD  
2078485 - CVE-2022-41860 freeradius: Crash on unknown option in EAP-SIM  
2078487 - CVE-2022-41861 freeradius: Crash on invalid abinary data

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.src.rpm

aarch64:  
freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-debugsource-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-devel-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-doc-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-krb5-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-krb5-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-ldap-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-ldap-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-mysql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-mysql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-perl-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-perl-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-postgresql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-postgresql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-rest-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-rest-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-sqlite-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-sqlite-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-unixODBC-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-unixODBC-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-utils-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
freeradius-utils-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
python3-freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm  
python3-freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.aarch64.rpm

ppc64le:  
freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-debugsource-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-devel-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-doc-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-krb5-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-krb5-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-ldap-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-ldap-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-mysql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-mysql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-perl-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-perl-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-postgresql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-postgresql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-rest-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-rest-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-sqlite-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-sqlite-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-unixODBC-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-unixODBC-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-utils-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
freeradius-utils-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
python3-freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm  
python3-freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.ppc64le.rpm

s390x:  
freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-debugsource-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-devel-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-doc-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-krb5-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-krb5-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-ldap-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-ldap-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-mysql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-mysql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-perl-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-perl-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-postgresql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-postgresql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-rest-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-rest-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-sqlite-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-sqlite-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-unixODBC-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-unixODBC-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-utils-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
freeradius-utils-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
python3-freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm  
python3-freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.s390x.rpm

x86_64:  
freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-debugsource-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-devel-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-doc-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-krb5-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-krb5-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-ldap-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-ldap-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-mysql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-mysql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-perl-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-perl-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-postgresql-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-postgresql-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-rest-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-rest-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-sqlite-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-sqlite-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-unixODBC-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-unixODBC-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-utils-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
freeradius-utils-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
python3-freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm  
python3-freeradius-debuginfo-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41859  
https://access.redhat.com/security/cve/CVE-2022-41860  
https://access.redhat.com/security/cve/CVE-2022-41861  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNw09zjgjWX9erEAQgtzRAAjlyD8uI8FfESOtIeR1n/NpQY9LXdp2J8  
gu8Zb2WITaVFMHMuXcWHn+PdDywpsmJyTtv8kVd3/c51KiAWnIW2efb1kmsOpY+h  
3igUWG00vfnixCvV1ghk5IHvY3e0QUtzinC5HVtcZqhBIP/ek5ZxXR328q69/gmf  
hWgT3HHWh0QMRBTwYhj09wWdVXz87zb3Pc/ZkoWEMWMNDdY00iV2OZW09HRzP+zq  
Qn8YBMHGX+yuX3SnOrjCYg1RXsn+Lev0iYz6gAHhuMTwmknCRAKhhvtmaeaOu43G  
jlMiS6mZWRbyzcAbKHjbw+PJXGF1M5WfMRjSSUsbQzcfiNKA3HDiHF/bXnZDFhPu  
Mo6nhgX1ofAUYUnbGMZnrE3uLm1Bw8tGS30lXjn+LxWO03c+94mS3xV1KslukCgA  
p0k1e+sPAEbOcNEuo+SE+HUnt+1zebfaSkdZPalJKunUeD29vjbUHQ7yE0eC/VXd  
YtppGvnZSFAcy0noOElvDHl0p2RcrJYZQeVjZMbWb6VqBMLfYGmzpLJGzU+IcHeC  
i153a+ArRi+4FmkBMne/wRg1SzfjlOSUZR2cbFCOkh70ugSU98VPJ0H5CHjiNxb3  
QSI16Q8647Ckn5pC5ctoFF/vY2o0ivJVS/K75f4/qv5JiLnk0KAGeG2RgAVuYeNk  
KOFlmlXluBY=1hXc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2870-01

Red Hat Security Advisory 2023-3082-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: pcs security and bug fix update  
Advisory ID:       RHSA-2023:3082-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3082  
Issue date:        2023-05-16  
CVE Names:         CVE-2023-27530 CVE-2023-27539  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HighAvailability (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux ResilientStorage (v. 8) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* rubygem-rack: Denial of service in Multipart MIME parsing  
(CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Command 'pcs config checkpoint diff' does not show configuration  
differences between checkpoints (BZ#2180700)

* Need a way to add a scsi fencing device to a cluster without requiring a  
restart of all cluster resources (BZ#2180706)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2176477 - CVE-2023-27530 rubygem-rack: Denial of service in Multipart MIME parsing  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing  
2180700 - Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints [rhel-8.8.0.z]  
2180706 - Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources [rhel-8.8.0.z]

6. Package List:

Red Hat Enterprise Linux HighAvailability (v. 8):

Source:  
pcs-0.10.15-4.el8_8.1.src.rpm

aarch64:  
pcs-0.10.15-4.el8_8.1.aarch64.rpm  
pcs-snmp-0.10.15-4.el8_8.1.aarch64.rpm

ppc64le:  
pcs-0.10.15-4.el8_8.1.ppc64le.rpm  
pcs-snmp-0.10.15-4.el8_8.1.ppc64le.rpm

s390x:  
pcs-0.10.15-4.el8_8.1.s390x.rpm  
pcs-snmp-0.10.15-4.el8_8.1.s390x.rpm

x86_64:  
pcs-0.10.15-4.el8_8.1.x86_64.rpm  
pcs-snmp-0.10.15-4.el8_8.1.x86_64.rpm

Red Hat Enterprise Linux ResilientStorage (v. 8):

Source:  
pcs-0.10.15-4.el8_8.1.src.rpm

ppc64le:  
pcs-0.10.15-4.el8_8.1.ppc64le.rpm  
pcs-snmp-0.10.15-4.el8_8.1.ppc64le.rpm

s390x:  
pcs-0.10.15-4.el8_8.1.s390x.rpm  
pcs-snmp-0.10.15-4.el8_8.1.s390x.rpm

x86_64:  
pcs-0.10.15-4.el8_8.1.x86_64.rpm  
pcs-snmp-0.10.15-4.el8_8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-27530  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwn9zjgjWX9erEAQiygQ//SizIkPiJosft8wEg3jebfO9mnMcfGnND  
OpG7/lNOB1fubeNbmwW/6hgiaLB/awDn0hSlGpQKrq5QwUSZMTFfd/zDvqz2zTFF  
ZaZ5h5OqrEN72fZgyxQASFcCA8ULFb5kyApwM6NhDK8Oc0UtUMepl2EGAiC+/ntk  
XONpEtuxwjV70amakG/J9vz1O+yDQefjp4Wt+icMpQaBkMpLsoQQYiJYgpRA7LbL  
mswi75ULMDcxOVogQGIeQHRAvqWOvTUvYx6k4sJXzgj0X0paQol+NguYdv+VMyZg  
CkKiyWx5pB1zXaz2WUuNOjBrCK34mpxcDt2g8mI7X6zzefgqqcRSN04Lg39Okq5n  
bbmIZ657nBfb/o/U83PvCZmaicFkP+Jt8laeQhnezILdCZxv9wKkX0HAT63xwlWB  
x0xeTErH0xO+u8VOW125aAjETkG6CkyNy8i40HvLZxEpblXs+Owm6zIRhG6jGhk/  
VCQljMYNTvbnlg7lXH9bEjV/1urEFucg5mwHmYvVXpKllyZ94MXtFuwbYdSRCICg  
o3MqpAW4MapWjEWkzyR04UeX4J55UjF5tThrME3qWhTkvND0NDwB7b6Z7QlVjlfN  
Tf5v/CCqboxw+CS0E8Ek8pND/qBKbq4uk+C/IqLWYg4iA1Hi75lK9kMxKEyqXP/H  
yL5/UtysFBQÚZf  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3082-01

Red Hat Security Advisory 2023-2834-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security and bug fix update  
Advisory ID:       RHSA-2023:2834-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2834  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-32886 CVE-2022-32888 CVE-2022-32923  
                   CVE-2022-42799 CVE-2022-42823 CVE-2022-42824  
                   CVE-2022-42826 CVE-2022-42852 CVE-2022-42863  
                   CVE-2022-42867 CVE-2022-46691 CVE-2022-46692  
                   CVE-2022-46698 CVE-2022-46699 CVE-2022-46700  
                   CVE-2023-23517 CVE-2023-23518 CVE-2023-25358  
                   CVE-2023-25360 CVE-2023-25361 CVE-2023-25362  
                   CVE-2023-25363  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42826)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23517)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-23518)

* webkitgtk: buffer overflow issue was addressed with improved memory  
handling (CVE-2022-32886)

* webkitgtk: out-of-bounds write issue was addressed with improved bounds  
checking (CVE-2022-32888)

* webkitgtk: correctness issue in the JIT was addressed with improved  
checks (CVE-2022-32923)

* webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2022-42823)

* webkitgtk: sensitive information disclosure issue (CVE-2022-42824)

* webkitgtk: memory disclosure issue was addressed with improved memory  
handling (CVE-2022-42852)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-42863)

* webkitgtk: use-after-free issue leading to arbitrary code execution  
(CVE-2022-42867)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46691)

* webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692)

* webkitgtk: logic issue leading to user information disclosure  
(CVE-2022-46698)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46699)

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2022-46700)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
(CVE-2023-25358)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
(CVE-2023-25360)

* webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
(CVE-2023-25361)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::repaintBlockSelectionGaps() (CVE-2023-25362)

* webkitgtk: heap-use-after-free in  
WebCore::RenderLayer::updateDescendantDependentFlags() (CVE-2023-25363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2127468 - Upgrade WebKitGTK for RHEL 8.8  
2128643 - CVE-2022-32886 webkitgtk: buffer overflow issue was addressed with improved memory handling  
2140501 - CVE-2022-32888 webkitgtk: out-of-bounds write issue was addressed with improved bounds checking  
2140502 - CVE-2022-32923 webkitgtk: correctness issue in the JIT was addressed with improved checks  
2140503 - CVE-2022-42799 webkitgtk: issue was addressed with improved UI handling  
2140504 - CVE-2022-42824 webkitgtk: sensitive information disclosure issue  
2140505 - CVE-2022-42823 webkitgtk: type confusion issue leading to arbitrary code execution  
2150970 - Can't create Google account  
2156986 - CVE-2022-42852 webkitgtk: memory disclosure issue was addressed with improved memory handling  
2156987 - CVE-2022-42863 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156989 - CVE-2022-42867 webkitgtk: use-after-free issue leading to arbitrary code execution  
2156990 - CVE-2022-46691 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156991 - CVE-2022-46692 webkitgtk: Same Origin Policy bypass issue  
2156992 - CVE-2022-46698 webkitgtk: logic issue leading to user information disclosure  
2156993 - CVE-2022-46699 webkitgtk: memory corruption issue leading to arbitrary code execution  
2156994 - CVE-2022-46700 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167715 - CVE-2023-23518 webkitgtk: memory corruption issue leading to arbitrary code execution  
2167716 - CVE-2022-42826 webkitgtk: use-after-free issue leading to arbitrary code execution  
2167717 - CVE-2023-23517 webkitgtk: memory corruption issue leading to arbitrary code execution  
2175099 - CVE-2023-25358 webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild()  
2175101 - CVE-2023-25360 webkitgtk: heap-use-after-free in WebCore::RenderLayer::renderer()  
2175103 - CVE-2023-25361 webkitgtk: heap-use-after-free in WebCore::RenderLayer::setNextSibling()  
2175105 - CVE-2023-25362 webkitgtk: heap-use-after-free in WebCore::RenderLayer::repaintBlockSelectionGaps()  
2175107 - CVE-2023-25363 webkitgtk: heap-use-after-free in WebCore::RenderLayer::updateDescendantDependentFlags()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8.i686.rpm  
webkit2gtk3-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32886  
https://access.redhat.com/security/cve/CVE-2022-32888  
https://access.redhat.com/security/cve/CVE-2022-32923  
https://access.redhat.com/security/cve/CVE-2022-42799  
https://access.redhat.com/security/cve/CVE-2022-42823  
https://access.redhat.com/security/cve/CVE-2022-42824  
https://access.redhat.com/security/cve/CVE-2022-42826  
https://access.redhat.com/security/cve/CVE-2022-42852  
https://access.redhat.com/security/cve/CVE-2022-42863  
https://access.redhat.com/security/cve/CVE-2022-42867  
https://access.redhat.com/security/cve/CVE-2022-46691  
https://access.redhat.com/security/cve/CVE-2022-46692  
https://access.redhat.com/security/cve/CVE-2022-46698  
https://access.redhat.com/security/cve/CVE-2022-46699  
https://access.redhat.com/security/cve/CVE-2022-46700  
https://access.redhat.com/security/cve/CVE-2023-23517  
https://access.redhat.com/security/cve/CVE-2023-23518  
https://access.redhat.com/security/cve/CVE-2023-25358  
https://access.redhat.com/security/cve/CVE-2023-25360  
https://access.redhat.com/security/cve/CVE-2023-25361  
https://access.redhat.com/security/cve/CVE-2023-25362  
https://access.redhat.com/security/cve/CVE-2023-25363  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwwdzjgjWX9erEAQi3tBAAjImojT9z/AQ07EueAkwPWY9qnR++Q8+p  
CVRVlNDkP/wfqxA1GthBBKCrholfiWqbk4HWgyoZCN/WaSD0T1I2asc/Y4bbBoc8  
U1+0blOxRvZrSKQin22U/XW2wS8xYqBQLRuokwB0VSYhG5H2Q+zVqMp1AncKmTFb  
hS9WLdX4e4JDp+WLgvSmr3uDSnAjp67oXdjxtPhE1Buf/MU8GpHfvmQPAFe50HAm  
kf50Zf8dQK2XgRgefNBKgNM/xXPOQI+dozNwyNV+XZxOlIQX5N+wyuRVsIWOrOPu  
KJkSSugX+FuVAYdNBY0sRxT5kmPao4jUqPPZ8gsHlySCOpRj18IAnuQwEfHoxZKf  
xbTlGkhHjqfsCm7M4s/iDuJPd1tiXAJCbxZpPqP5ky6n0qTAq3O65fwFHgp/uGZp  
8nmvkD3nuZhEk2GcCkAxUkIqpaYvLqHUX+sH7ujQ0tZNONOYTEVNsMQmCZqNkSVv  
CdAnDx4iwR2KtLKamRo5EIVA72lksLTNVz7dFZy497CMcapX5yR7E1c2ht11vQS0  
U0tYmvklWwTxqV9QGHnXblEWki631sOfO+Ku87INm5E75RGpzT8lc9LxHgwn4rV5  
KQ7/AGQWND349MlDqM6WP/B3JHzxSH/S3uMIlUvcNjqYwqSjv8sjU96SiZaEAtRp  
TrPuMTnh/ro=FlQx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2834-01

Red Hat Security Advisory 2023-2792-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: bind9.16 security and bug fix update  
Advisory ID:       RHSA-2023:2792-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2792  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-2795 CVE-2022-3094 CVE-2022-3736  
                   CVE-2022-3924  
====================================================================  
1. Summary:

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain  
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver  
library (routines for applications to use when interfacing with DNS); and  
tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: processing large delegations may severely degrade resolver  
performance (CVE-2022-2795)

* bind: flooding with UPDATE requests may lead to DoS (CVE-2022-3094)

* bind: sending specific queries to the resolver may cause a DoS  
(CVE-2022-3736)

* bind: sending specific queries to the resolver may cause a DoS  
(CVE-2022-3924)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2115322 - bind9.16-dnssec-utils should be in AppStream repository  
2128584 - CVE-2022-2795 bind: processing large delegations may severely degrade resolver performance  
2164032 - CVE-2022-3094 bind: flooding with UPDATE requests may lead to DoS  
2164038 - CVE-2022-3736 bind: sending specific queries to the resolver may cause a DoS  
2164039 - CVE-2022-3924 bind: sending specific queries to the resolver may cause a DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
bind9.16-9.16.23-0.14.el8.src.rpm

aarch64:  
bind9.16-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-chroot-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-dnssec-utils-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-libs-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-utils-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.aarch64.rpm

noarch:  
bind9.16-license-9.16.23-0.14.el8.noarch.rpm  
python3-bind9.16-9.16.23-0.14.el8.noarch.rpm

ppc64le:  
bind9.16-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-chroot-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-dnssec-utils-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-libs-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-utils-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.ppc64le.rpm

s390x:  
bind9.16-9.16.23-0.14.el8.s390x.rpm  
bind9.16-chroot-9.16.23-0.14.el8.s390x.rpm  
bind9.16-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.s390x.rpm  
bind9.16-dnssec-utils-9.16.23-0.14.el8.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-libs-9.16.23-0.14.el8.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-utils-9.16.23-0.14.el8.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.s390x.rpm

x86_64:  
bind9.16-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-chroot-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-dnssec-utils-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-libs-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-utils-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
bind9.16-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-devel-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.aarch64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.aarch64.rpm

noarch:  
bind9.16-doc-9.16.23-0.14.el8.noarch.rpm

ppc64le:  
bind9.16-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-devel-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.ppc64le.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.ppc64le.rpm

s390x:  
bind9.16-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.s390x.rpm  
bind9.16-devel-9.16.23-0.14.el8.s390x.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.s390x.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.s390x.rpm

x86_64:  
bind9.16-debuginfo-9.16.23-0.14.el8.i686.rpm  
bind9.16-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.i686.rpm  
bind9.16-debugsource-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-devel-9.16.23-0.14.el8.i686.rpm  
bind9.16-devel-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.i686.rpm  
bind9.16-dnssec-utils-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-libs-9.16.23-0.14.el8.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.i686.rpm  
bind9.16-libs-debuginfo-9.16.23-0.14.el8.x86_64.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.i686.rpm  
bind9.16-utils-debuginfo-9.16.23-0.14.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2795  
https://access.redhat.com/security/cve/CVE-2022-3094  
https://access.redhat.com/security/cve/CVE-2022-3736  
https://access.redhat.com/security/cve/CVE-2022-3924  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwDdzjgjWX9erEAQjtLw/+PYuxFSTDU73fNFerO75+cLHrq5jLCfyn  
fre364mVTzn5IrXHt0Alvtec3vkZw8AZIbo5JYvvfVt3NSV+euBo/vLm7heYGeaS  
7plTpiKjR55nB9iWATYE9leD4LZssWVRZT2jOf3bR1wQ0F3pkpn/Kp2KM+XwNVMZ  
hzPIVIbDf18D9+wM6OQUFd8BulCPQW4YfSG4VJJA0JvEooWUIdxYehT9Ps7Skuw0  
OAKQ46oAVt85oJkG3rIt/k3zgEwxgT/9p9Td8ti7784S87544DIhvPeTioiMSL3y  
AcBYnG3rK/WKlvzV+L/fJRJWjipKZ/ghIazhdVmP/2+8eWLcQ79UYPXZ600ibNcU  
GeFLHcVIqhDQakAk1iiVGF1ZcEfiuBaYttDMWvH3+863FB2Cn04Se5unbV8yVtMy  
ROLfjG2iJNlp7xT6g+Vt96IHZAuVaFJKFGPFK1+HldU+D+cUod38489+mjt5/Azg  
etJdo/X2V/N6z5njVkK7gcn09p+hRgmPHsnkQdJAf8OOjlP+j4qojeKvAL6ovy5F  
ek6V1H4wq3iSyg7s4UgeUuFhpvSXczWr4RidggpYJr9/lvF8N+CqrIEPFJQ6688W  
Ky0gb6ZTtAAdvw3j97OIfCafdyEHhb7oEluHbt47Ro63rdGY919mjnTe62wZCarw  
JKUtkMxKHi8=mXwA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2792-01

Red Hat Security Advisory 2023-2963-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include file download and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: curl security and bug fix update  
Advisory ID:       RHSA-2023:2963-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2963  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-35252 CVE-2022-43552  
====================================================================  
1. Summary:

An update for curl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The curl packages provide the libcurl library and the curl utility for  
downloading files from servers using various protocols, including HTTP,  
FTP, and LDAP.

Security Fix(es):

* curl: Incorrect handling of control code characters in cookies  
(CVE-2022-35252)

* curl: Use-after-free triggered by an HTTP proxy deny response  
(CVE-2022-43552)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies  
2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method  
2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response  
2166254 - curl fails large file downloads for some http2 server

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
curl-7.61.1-30.el8.src.rpm

aarch64:  
curl-7.61.1-30.el8.aarch64.rpm  
curl-debuginfo-7.61.1-30.el8.aarch64.rpm  
curl-debugsource-7.61.1-30.el8.aarch64.rpm  
curl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm  
libcurl-7.61.1-30.el8.aarch64.rpm  
libcurl-debuginfo-7.61.1-30.el8.aarch64.rpm  
libcurl-devel-7.61.1-30.el8.aarch64.rpm  
libcurl-minimal-7.61.1-30.el8.aarch64.rpm  
libcurl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm

ppc64le:  
curl-7.61.1-30.el8.ppc64le.rpm  
curl-debuginfo-7.61.1-30.el8.ppc64le.rpm  
curl-debugsource-7.61.1-30.el8.ppc64le.rpm  
curl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm  
libcurl-7.61.1-30.el8.ppc64le.rpm  
libcurl-debuginfo-7.61.1-30.el8.ppc64le.rpm  
libcurl-devel-7.61.1-30.el8.ppc64le.rpm  
libcurl-minimal-7.61.1-30.el8.ppc64le.rpm  
libcurl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm

s390x:  
curl-7.61.1-30.el8.s390x.rpm  
curl-debuginfo-7.61.1-30.el8.s390x.rpm  
curl-debugsource-7.61.1-30.el8.s390x.rpm  
curl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm  
libcurl-7.61.1-30.el8.s390x.rpm  
libcurl-debuginfo-7.61.1-30.el8.s390x.rpm  
libcurl-devel-7.61.1-30.el8.s390x.rpm  
libcurl-minimal-7.61.1-30.el8.s390x.rpm  
libcurl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm

x86_64:  
curl-7.61.1-30.el8.x86_64.rpm  
curl-debuginfo-7.61.1-30.el8.i686.rpm  
curl-debuginfo-7.61.1-30.el8.x86_64.rpm  
curl-debugsource-7.61.1-30.el8.i686.rpm  
curl-debugsource-7.61.1-30.el8.x86_64.rpm  
curl-minimal-debuginfo-7.61.1-30.el8.i686.rpm  
curl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm  
libcurl-7.61.1-30.el8.i686.rpm  
libcurl-7.61.1-30.el8.x86_64.rpm  
libcurl-debuginfo-7.61.1-30.el8.i686.rpm  
libcurl-debuginfo-7.61.1-30.el8.x86_64.rpm  
libcurl-devel-7.61.1-30.el8.i686.rpm  
libcurl-devel-7.61.1-30.el8.x86_64.rpm  
libcurl-minimal-7.61.1-30.el8.i686.rpm  
libcurl-minimal-7.61.1-30.el8.x86_64.rpm  
libcurl-minimal-debuginfo-7.61.1-30.el8.i686.rpm  
libcurl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35252  
https://access.redhat.com/security/cve/CVE-2022-43552  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNu7NzjgjWX9erEAQiiYA/+LOTmv9yZK6GKeddwdBQrjC+qTqPXVS3w  
HI4pz5FK7aDXOd1eC3ekH62/lH+0kvJZluY7JEyZr+HBdIPo/KUcKGtZsADsxjZ+  
xqD1p8ywfSGPsbgU1sRUnBLy3ViGfvacfRgsiQHOtV523po+u8Mh3D0xz7IMKpNf  
56xoq3r8vpzvzdy3G+S+frcDcf0msQz1U9TWegKtbS807FAaBCpyaUS25X4LJYik  
g9baa6BuGqXT4abYPgCK+URiQlMFAidSvfg5Er8cBZQveYvp7CLbq04I/h17RYHt  
aBcvohkP4BmAHbKWte16YUbzxoOOvAw2sgTOh7gT4P1cbe9WY+ugVDKc823Ze14D  
gGjkaSR1bTZmX2FkGXG6JiwwZRJ3DX4LJAjyGsNx9GrE8BSHI5W50wqasDuSgFyB  
rT1s/aBK0F6sZXpJVg5URUYVNG6RcnvS5S3SSvkzA+jviKxYraqPIuWhTQ2ygQlt  
dQFsuLwZcWJ4Fi59wb1Q/J5cYxfrnf/scIrwuNY/WOGn1peXm5nFRTc1hXegmYLr  
/uqbatNZsLPNME8x9TnMf6IhnnYdL5YeVQe/VqaRFK1XgjI3t4sI7serChavrIHS  
a/Nxf0PXwvLAOMYflvb7WKH5UukyzhypIqshvTLCie1ZjIyyG5POMruxxLvLGLXY  
oqTE0cKjbSo=mFLP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2963-01

Red Hat Security Advisory 2023-2802-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and information leakage vulnerabilities.

Red Hat Security Advisory 2023-2802-01

Red Hat Security Advisory 2023-2867-01 - PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Issues addressed include an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: postgresql-jdbc security update  
Advisory ID:       RHSA-2023:2867-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2867  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-41946  
====================================================================  
1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The  
postgresql-jdbc package includes the .jar files needed for Java programs to  
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: Information leak of prepared statement data due to  
insecure temporary file permissions (CVE-2022-41946)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
postgresql-jdbc-42.2.14-2.el8.src.rpm

noarch:  
postgresql-jdbc-42.2.14-2.el8.noarch.rpm  
postgresql-jdbc-javadoc-42.2.14-2.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwZdzjgjWX9erEAQhNSQ//YpPuZFt7iaxfqGkipUlmOP14UPB+gBTl  
ee6H9lypCT/7/67n/P5TdEPj52l1oFPuBBx7dJLqNidn6TvUKh5RFtED94eNOtS5  
r3ICcN1rI4EOS6UUD6z0qy4GdGpX4FzpvQ+7Po7vMjSWfPqJh/JtFZ+83Bf4L/eR  
sgs5mEqNCC6Hfu4IJWEtlDsxBB4uaSFS/tppbCvAvPPqtcUFxxNElukNhNyiUdy8  
CYyNb3jHNmL8x62NfdW2AMWGiD2adK/5CzNxHSUhjSWTJLCe8a19M+maptVUGvhv  
kb/VlO4xIE3LTihCVgC/Ja5pab/bsBkZRiFDohp3Rb9uggET1m2AK+T5s2HVjOxE  
QlK1B6W9JDlTN9NtR4QKPYh+FPBFjilgFQWVuwWhbfrJHQIN4x9nKh0Dd8XSvx2u  
Kc38hcRYDMGfw8nLvdQ/yHjZ8GJUQkK+RjXJrury6IEZaT4y1pRpFSLMmDRXXrnh  
hv8jEUH1VlqV2qXF8FlmDtJKbIXzAatm78ipAqdM7T8tTo4nDXukjggMij13ECRA  
XAnFDRzTWDozUMMY7daQVKgKgFLV96Lwnq/mniy/8X14Umk83AHpNM+E/EQrr+59  
nux7O9WC5Kax2fQ8CVr8tj0/curJRVBArPnnHQ0qN7HNWyZqpUYPii21ayGI7KA4  
wom10Fuhj7Q=Jop5  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2867-01

Red Hat Security Advisory 2023-2771-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: unbound security and bug fix update  
Advisory ID:       RHSA-2023:2771-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2771  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-3204  
====================================================================  
1. Summary:

An update for unbound is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The unbound packages provide a validating, recursive, and caching DNS or  
DNSSEC resolver.

Security Fix(es):

* unbound: NRDelegation attack leads to uncontrolled resource consumption  
(Non-Responsive Delegation Attack) (CVE-2022-3204)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2128947 - CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)  
2135322 - failing devel man pages for rhel 8

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
unbound-1.16.2-5.el8.src.rpm

aarch64:  
python3-unbound-1.16.2-5.el8.aarch64.rpm  
python3-unbound-debuginfo-1.16.2-5.el8.aarch64.rpm  
unbound-1.16.2-5.el8.aarch64.rpm  
unbound-debuginfo-1.16.2-5.el8.aarch64.rpm  
unbound-debugsource-1.16.2-5.el8.aarch64.rpm  
unbound-devel-1.16.2-5.el8.aarch64.rpm  
unbound-libs-1.16.2-5.el8.aarch64.rpm  
unbound-libs-debuginfo-1.16.2-5.el8.aarch64.rpm

ppc64le:  
python3-unbound-1.16.2-5.el8.ppc64le.rpm  
python3-unbound-debuginfo-1.16.2-5.el8.ppc64le.rpm  
unbound-1.16.2-5.el8.ppc64le.rpm  
unbound-debuginfo-1.16.2-5.el8.ppc64le.rpm  
unbound-debugsource-1.16.2-5.el8.ppc64le.rpm  
unbound-devel-1.16.2-5.el8.ppc64le.rpm  
unbound-libs-1.16.2-5.el8.ppc64le.rpm  
unbound-libs-debuginfo-1.16.2-5.el8.ppc64le.rpm

s390x:  
python3-unbound-1.16.2-5.el8.s390x.rpm  
python3-unbound-debuginfo-1.16.2-5.el8.s390x.rpm  
unbound-1.16.2-5.el8.s390x.rpm  
unbound-debuginfo-1.16.2-5.el8.s390x.rpm  
unbound-debugsource-1.16.2-5.el8.s390x.rpm  
unbound-devel-1.16.2-5.el8.s390x.rpm  
unbound-libs-1.16.2-5.el8.s390x.rpm  
unbound-libs-debuginfo-1.16.2-5.el8.s390x.rpm

x86_64:  
python3-unbound-1.16.2-5.el8.x86_64.rpm  
python3-unbound-debuginfo-1.16.2-5.el8.i686.rpm  
python3-unbound-debuginfo-1.16.2-5.el8.x86_64.rpm  
unbound-1.16.2-5.el8.x86_64.rpm  
unbound-debuginfo-1.16.2-5.el8.i686.rpm  
unbound-debuginfo-1.16.2-5.el8.x86_64.rpm  
unbound-debugsource-1.16.2-5.el8.i686.rpm  
unbound-debugsource-1.16.2-5.el8.x86_64.rpm  
unbound-devel-1.16.2-5.el8.i686.rpm  
unbound-devel-1.16.2-5.el8.x86_64.rpm  
unbound-libs-1.16.2-5.el8.i686.rpm  
unbound-libs-1.16.2-5.el8.x86_64.rpm  
unbound-libs-debuginfo-1.16.2-5.el8.i686.rpm  
unbound-libs-debuginfo-1.16.2-5.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3204  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwC9zjgjWX9erEAQiZGQ/+PwvyBCGfx+saizKfgrSwslCDfGUB2X6x  
4SDvt3L7YB6VdYMS8sZWTBh8VPWVGsS2vSxHhInYwzO6G5z+RhWNzvSU1F2ochKW  
ukqTRzKhWT6+ASZNbMqhPaYvWEctBUIAOLS+u0c1o4la7tZYj3gSgwApaFqc/hqO  
Hqf4UUNGxFLjUqip/1Ja5UbFhv6PaSjwZonxL3rEZtsUKTXIBLtPGshQi5tNILr7  
JD758VmPgxOrP9ixBiAkJPO+LQRJtg1tHSdLhRjmQAoUIh7MImqBXeVSQBtKGhaS  
IsuLDBG4UXC9dMSwzBazYnvPiTE4V+XYizIqlrlZAdKy5+qq3Kzj/HaHyRtVBb2P  
o7pGen9dyw0Rnfs4bQI1vU4pMflws7MLXkGRdhmu+CMLNv4SppDfhN8tOj6cYiVx  
3/TnCy19qQGfNNEeuOAeYCLeiKYvN7IeBWvOkrAT6OWcThp7GFhSoEtGn91AM5qN  
pJ20/3KhkWvHMmNPxBVDtCh4XfQtcda9WSKMcBjt7SopwJ2FM2ddZi48JJRZ+LBZ  
RljejbB4+bMeU8gD3bkMBSkULWren6izuCti1CXvPcmTb+c39LwByOTFeofjnaqz  
K9mZrvqagb2A6NpB21r5VLrqaflRGxyQ5MXSn2bGPvymS++xguVd0AvjLXjFPHwE  
7qQthjxNwZI=O8Dd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2771-01

Red Hat Security Advisory 2023-2851-01 - FreeRDP is a free implementation of the Remote Desktop Protocol, released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Issues addressed include buffer overflow and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: freerdp security update  
Advisory ID:       RHSA-2023:2851-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2851  
Issue date:        2023-05-16  
CVE Names:         CVE-2022-39282 CVE-2022-39283 CVE-2022-39316  
                   CVE-2022-39317 CVE-2022-39318 CVE-2022-39319  
                   CVE-2022-39320 CVE-2022-39347 CVE-2022-41877  
====================================================================  
1. Summary:

An update for freerdp is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP),  
released under the Apache license. The xfreerdp client can connect to RDP  
servers such as Microsoft Windows machines, xrdp, and VirtualBox.

Security Fix(es):

* freerdp: clients using `/parallel` command line switch might read  
uninitialized data (CVE-2022-39282)

* freerdp: clients using the `/video` command line switch might read  
uninitialized data (CVE-2022-39283)

* freerdp: out of bounds read in zgfx decoder (CVE-2022-39316)

* freerdp: undefined behaviour in zgfx decoder (CVE-2022-39317)

* freerdp: division by zero in urbdrc channel (CVE-2022-39318)

* freerdp: missing length validation in urbdrc channel (CVE-2022-39319)

* freerdp: heap buffer overflow in urbdrc channel (CVE-2022-39320)

* freerdp: missing path sanitation with `drive` channel (CVE-2022-39347)

* freerdp: missing input length validation in `drive` channel  
(CVE-2022-41877)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2134713 - CVE-2022-39282 freerdp: clients using `/parallel` command line switch might read uninitialized data  
2134717 - CVE-2022-39283 freerdp: clients using the `/video` command line switch might read uninitialized data  
2143642 - CVE-2022-39316 freerdp: out of bounds read in zgfx decoder  
2143643 - CVE-2022-39317 freerdp: undefined behaviour in zgfx decoder  
2143644 - CVE-2022-39318 freerdp: division by zero in urbdrc channel  
2143645 - CVE-2022-39319 freerdp: missing length validation in urbdrc channel  
2143646 - CVE-2022-39320 freerdp: heap buffer overflow in urbdrc channel  
2143647 - CVE-2022-39347 freerdp: missing path sanitation with `drive` channel  
2143648 - CVE-2022-41877 freerdp: missing input length validation in `drive` channel

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
freerdp-2.2.0-10.el8.src.rpm

aarch64:  
freerdp-2.2.0-10.el8.aarch64.rpm  
freerdp-debuginfo-2.2.0-10.el8.aarch64.rpm  
freerdp-debugsource-2.2.0-10.el8.aarch64.rpm  
freerdp-libs-2.2.0-10.el8.aarch64.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.aarch64.rpm  
libwinpr-2.2.0-10.el8.aarch64.rpm  
libwinpr-debuginfo-2.2.0-10.el8.aarch64.rpm  
libwinpr-devel-2.2.0-10.el8.aarch64.rpm

ppc64le:  
freerdp-2.2.0-10.el8.ppc64le.rpm  
freerdp-debuginfo-2.2.0-10.el8.ppc64le.rpm  
freerdp-debugsource-2.2.0-10.el8.ppc64le.rpm  
freerdp-libs-2.2.0-10.el8.ppc64le.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.ppc64le.rpm  
libwinpr-2.2.0-10.el8.ppc64le.rpm  
libwinpr-debuginfo-2.2.0-10.el8.ppc64le.rpm  
libwinpr-devel-2.2.0-10.el8.ppc64le.rpm

s390x:  
freerdp-2.2.0-10.el8.s390x.rpm  
freerdp-debuginfo-2.2.0-10.el8.s390x.rpm  
freerdp-debugsource-2.2.0-10.el8.s390x.rpm  
freerdp-libs-2.2.0-10.el8.s390x.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.s390x.rpm  
libwinpr-2.2.0-10.el8.s390x.rpm  
libwinpr-debuginfo-2.2.0-10.el8.s390x.rpm  
libwinpr-devel-2.2.0-10.el8.s390x.rpm

x86_64:  
freerdp-2.2.0-10.el8.x86_64.rpm  
freerdp-debuginfo-2.2.0-10.el8.i686.rpm  
freerdp-debuginfo-2.2.0-10.el8.x86_64.rpm  
freerdp-debugsource-2.2.0-10.el8.i686.rpm  
freerdp-debugsource-2.2.0-10.el8.x86_64.rpm  
freerdp-libs-2.2.0-10.el8.i686.rpm  
freerdp-libs-2.2.0-10.el8.x86_64.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.i686.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.x86_64.rpm  
libwinpr-2.2.0-10.el8.i686.rpm  
libwinpr-2.2.0-10.el8.x86_64.rpm  
libwinpr-debuginfo-2.2.0-10.el8.i686.rpm  
libwinpr-debuginfo-2.2.0-10.el8.x86_64.rpm  
libwinpr-devel-2.2.0-10.el8.i686.rpm  
libwinpr-devel-2.2.0-10.el8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
freerdp-debuginfo-2.2.0-10.el8.aarch64.rpm  
freerdp-debugsource-2.2.0-10.el8.aarch64.rpm  
freerdp-devel-2.2.0-10.el8.aarch64.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.aarch64.rpm  
libwinpr-debuginfo-2.2.0-10.el8.aarch64.rpm

ppc64le:  
freerdp-debuginfo-2.2.0-10.el8.ppc64le.rpm  
freerdp-debugsource-2.2.0-10.el8.ppc64le.rpm  
freerdp-devel-2.2.0-10.el8.ppc64le.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.ppc64le.rpm  
libwinpr-debuginfo-2.2.0-10.el8.ppc64le.rpm

s390x:  
freerdp-debuginfo-2.2.0-10.el8.s390x.rpm  
freerdp-debugsource-2.2.0-10.el8.s390x.rpm  
freerdp-devel-2.2.0-10.el8.s390x.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.s390x.rpm  
libwinpr-debuginfo-2.2.0-10.el8.s390x.rpm

x86_64:  
freerdp-debuginfo-2.2.0-10.el8.i686.rpm  
freerdp-debuginfo-2.2.0-10.el8.x86_64.rpm  
freerdp-debugsource-2.2.0-10.el8.i686.rpm  
freerdp-debugsource-2.2.0-10.el8.x86_64.rpm  
freerdp-devel-2.2.0-10.el8.i686.rpm  
freerdp-devel-2.2.0-10.el8.x86_64.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.i686.rpm  
freerdp-libs-debuginfo-2.2.0-10.el8.x86_64.rpm  
libwinpr-debuginfo-2.2.0-10.el8.i686.rpm  
libwinpr-debuginfo-2.2.0-10.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39282  
https://access.redhat.com/security/cve/CVE-2022-39283  
https://access.redhat.com/security/cve/CVE-2022-39316  
https://access.redhat.com/security/cve/CVE-2022-39317  
https://access.redhat.com/security/cve/CVE-2022-39318  
https://access.redhat.com/security/cve/CVE-2022-39319  
https://access.redhat.com/security/cve/CVE-2022-39320  
https://access.redhat.com/security/cve/CVE-2022-39347  
https://access.redhat.com/security/cve/CVE-2022-41877  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGNwFtzjgjWX9erEAQiavQ/+O4yHxylDY+RhBfMyL02mMrl5HnhDYqcI  
Sf6c+WVKqoMwuGAGfOLddYyxRsgUjlVJO6v1xzySPIXm77ukUYnDcrZGNSfdnlNq  
238JNZWHhEUqY96vabfs0fFXS5l1gSmvQ5iKp+S5MSL20OohFXQWkfnfDDIU97lw  
vSrPfgqalWDow9JEg/NVG2dERskDv2ZcHqcsYCyWMu3SAUZ2/V44xtjSjGqxBrqG  
Z06SLlUrJCIX1L39doI04AuK/znxf5jJoDEAfMgJXh6FSFiR81EFKKG0DYcYPYIl  
PUIjiIpyGzXEpJrk0looJIX9GaN94YbXQRmi9peFnIVctf4sjsufEXGfKi+YgLna  
1o5ncLYaL2q16AJ6H2f25aivS543X9ZwIVN5bGiDvWaqNyADl8PDnJMagBK8atR8  
tM7MCCtF6cvj203OsjAtisHGZNxE5o6ZkQIWx49FJjTfIMFX5j9zPBH384nnq8pg  
mJxqvaw3Z2wG6rGiinWhpMeemMJ7lAhdDek0A5RrIRbcsjvWWmCe5YLXHwG2jE3T  
c10DdlwLuRGxURioThhlpG8nhtS7QL5lGUT7rkEkxGb+ng4ll8XAFbCrrddGS3tf  
+k5rw/ulUIxeRFxM/KBod3Vw1VdbS3HsC2seKQryh4DiTj/ojI3LMe6I28rfLsKp  
076nDSx3a0Y=fpa0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux