There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an attacker to trick an authorized user into executing unwanted actions. 

CVE-2023-25832: Portal for ArcGIS Security 2023 Update 1 Patch

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the newVar_N in util/decompile.c.

Heap buffer overflow in the latest version of libming at function newVar\_N in util/decompile.c:654.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_heap-buffer-overflow\_decompile654.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_heap-buffer-overflow_decompile654.swf 
    header indicates a filesize of 0 but filesize is 166
    <?php
    $m = new SWFMovie(0);
    
    ming_setscale(1.0);
    $m->setRate(0.000000);
    $m->setDimension(0, 1);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(0);
    
    /* SWF_DOACTION */
        16:SWFACTION_FSCOMMAND2
      Can't get int for type: 10
    =================================================================
    ==60490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x000000439494 bp 0x7ffd310a9d90 sp 0x7ffd310a9540
    READ of size 1025 at 0x619000001880 thread T0
        #0 0x439493 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
        #1 0x5022e5 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:654:11
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
    allocated by thread T0 here:
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x502330 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:657:18
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
    Shadow bytes around the buggy address:
      0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==60490==ABORTING

CVE-2023-30083: Heap buffer overflow in newVar_N() at decompile.c:654 · Issue #266 · libming/libming

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the cws2fws function in util/decompile.c.

Allocation size overflow in the latest version of libming at function cws2fws in util/main.c:111.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_allocation-size-overflow\_main111.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_allocation-size-overflow_main111.swf 
    =================================================================
    ==60493==ERROR: AddressSanitizer: requested allocation size 0xffffffffff000533 (0xffffffffff001538 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x4f9334 in cws2fws /root/compiler1804/libming-ming-0_4_8/util/main.c:111:15
        #2 0x4f99dd in readMovieHeader /root/compiler1804/libming-ming-0_4_8/util/main.c:198:18
        #3 0x4f97ee in main /root/compiler1804/libming-ming-0_4_8/util/main.c:346:5
        #4 0x7f6a64b67c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==60493==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164 in realloc
    ==60493==ABORTING

CVE-2023-30085: Allocation size overflow in cws2fws() at main.c:111 · Issue #267 · libming/libming

Red Hat Security Advisory 2023-2378-01 - PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Issues addressed include an information leakage vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: postgresql-jdbc security update  
Advisory ID:       RHSA-2023:2378-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2378  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-41946  
====================================================================  
1. Summary:

An update for postgresql-jdbc is now available for Red Hat Enterprise Linux  
9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The  
postgresql-jdbc package includes the .jar files needed for Java programs to  
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: Information leak of prepared statement data due to  
insecure temporary file permissions (CVE-2022-41946)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
postgresql-jdbc-42.2.27-1.el9.src.rpm

noarch:  
postgresql-jdbc-42.2.27-1.el9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo06dzjgjWX9erEAQj1ew//SSqyiG2F9381NuBWDUZscJSyWQyXXUOY  
XGvYf/En+Ax2B4/A2VGUkmoV5Ya//bEVGdbnz8UQK10qM5huh6BZiFAZuoL8IK/P  
3z68yJJR4aSTQEuVJ6Jo19tgM+dTZGduE4AeMbwPPGguLKioeVA0Y1H7vpDlLg6u  
sixnty4dXImrUUoN2nW4kCbKloiC0PEby/uPbQ4gsE2BNC2ToO0AfL0w66Ekq/0S  
+uECWRZZ3EWUjzoHxQmobMKF/10tUvAArZItuVv0QeMmPelpBa3+UtCOzZkUIiZa  
zl8bIlouaUSezRXKiMBPd2vi7Nwxu+GauJhtVQP6DG/m/p8uLkiD99xxLqCUnLHt  
5GWxuvDsKADA00dWOPTPMlidN2X7OX70Kn0h/5+8wyDHPhMxhSm3yL/6kjd3mbbn  
SCZrszZiQLJVohQFxngnvnWlU5HDTiizRlll0t+WSIB0Sliwneqv/jspuhwGydO/  
Y/yxqayMtN5C4CaGaVN0JKIWnpVvwBRpVpGkKxN+p3yiQ4OGnS2JGEVz+NZKuE9u  
fAS+SDJTtPdP3o1mloQbjIpzQS/uxydO7SqMD8aQpikTVEFKsBSM5adOC7jgvL4k  
g2igVthELmdQyJLytMoZCnihKhUqRGs/5Y8oZ205qYfHB0wmvRj8oUFP+pYT95qs  
6a/x/2+juhU=z8Sy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2378-01

Red Hat Security Advisory 2023-2259-01 - Poppler is a Portable Document Format rendering library, used by applications such as Evince. Issues addressed include an integer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: poppler security and bug fix update  
Advisory ID:       RHSA-2023:2259-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2259  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-38784  
====================================================================  
1. Summary:

An update for poppler is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Poppler is a Portable Document Format (PDF) rendering library, used by  
applications such as Evince.

Security Fix(es):

* poppler: integer overflow in JBIG2 decoder using malformed files  
(CVE-2022-38784)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2124527 - CVE-2022-38784 poppler: integer overflow in JBIG2 decoder using malformed files  
2144768 - Please add various devel packages to CRB 9 to build Scribus in EPEL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
poppler-21.01.0-14.el9.src.rpm

aarch64:  
poppler-21.01.0-14.el9.aarch64.rpm  
poppler-cpp-21.01.0-14.el9.aarch64.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-debugsource-21.01.0-14.el9.aarch64.rpm  
poppler-glib-21.01.0-14.el9.aarch64.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-qt5-21.01.0-14.el9.aarch64.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-utils-21.01.0-14.el9.aarch64.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.aarch64.rpm

ppc64le:  
poppler-21.01.0-14.el9.ppc64le.rpm  
poppler-cpp-21.01.0-14.el9.ppc64le.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-debugsource-21.01.0-14.el9.ppc64le.rpm  
poppler-glib-21.01.0-14.el9.ppc64le.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-qt5-21.01.0-14.el9.ppc64le.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-utils-21.01.0-14.el9.ppc64le.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.ppc64le.rpm

s390x:  
poppler-21.01.0-14.el9.s390x.rpm  
poppler-cpp-21.01.0-14.el9.s390x.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-debugsource-21.01.0-14.el9.s390x.rpm  
poppler-glib-21.01.0-14.el9.s390x.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-qt5-21.01.0-14.el9.s390x.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-utils-21.01.0-14.el9.s390x.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.s390x.rpm

x86_64:  
poppler-21.01.0-14.el9.i686.rpm  
poppler-21.01.0-14.el9.x86_64.rpm  
poppler-cpp-21.01.0-14.el9.i686.rpm  
poppler-cpp-21.01.0-14.el9.x86_64.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-debugsource-21.01.0-14.el9.i686.rpm  
poppler-debugsource-21.01.0-14.el9.x86_64.rpm  
poppler-glib-21.01.0-14.el9.i686.rpm  
poppler-glib-21.01.0-14.el9.x86_64.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-qt5-21.01.0-14.el9.i686.rpm  
poppler-qt5-21.01.0-14.el9.x86_64.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-utils-21.01.0-14.el9.x86_64.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 9):

aarch64:  
poppler-cpp-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-cpp-devel-21.01.0-14.el9.aarch64.rpm  
poppler-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-debugsource-21.01.0-14.el9.aarch64.rpm  
poppler-devel-21.01.0-14.el9.aarch64.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-glib-devel-21.01.0-14.el9.aarch64.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.aarch64.rpm  
poppler-qt5-devel-21.01.0-14.el9.aarch64.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.aarch64.rpm

ppc64le:  
poppler-cpp-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-cpp-devel-21.01.0-14.el9.ppc64le.rpm  
poppler-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-debugsource-21.01.0-14.el9.ppc64le.rpm  
poppler-devel-21.01.0-14.el9.ppc64le.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-glib-devel-21.01.0-14.el9.ppc64le.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.ppc64le.rpm  
poppler-qt5-devel-21.01.0-14.el9.ppc64le.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.ppc64le.rpm

s390x:  
poppler-cpp-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-cpp-devel-21.01.0-14.el9.s390x.rpm  
poppler-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-debugsource-21.01.0-14.el9.s390x.rpm  
poppler-devel-21.01.0-14.el9.s390x.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-glib-devel-21.01.0-14.el9.s390x.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.s390x.rpm  
poppler-qt5-devel-21.01.0-14.el9.s390x.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.s390x.rpm

x86_64:  
poppler-cpp-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-cpp-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-cpp-devel-21.01.0-14.el9.i686.rpm  
poppler-cpp-devel-21.01.0-14.el9.x86_64.rpm  
poppler-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-debugsource-21.01.0-14.el9.i686.rpm  
poppler-debugsource-21.01.0-14.el9.x86_64.rpm  
poppler-devel-21.01.0-14.el9.i686.rpm  
poppler-devel-21.01.0-14.el9.x86_64.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-glib-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-glib-devel-21.01.0-14.el9.i686.rpm  
poppler-glib-devel-21.01.0-14.el9.x86_64.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-qt5-debuginfo-21.01.0-14.el9.x86_64.rpm  
poppler-qt5-devel-21.01.0-14.el9.i686.rpm  
poppler-qt5-devel-21.01.0-14.el9.x86_64.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.i686.rpm  
poppler-utils-debuginfo-21.01.0-14.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38784  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo1C9zjgjWX9erEAQhAwQ//cfv5/zXlIjJrcAFRz+tzee74vEaDBPxp  
UehYiSUH/JSa2UcKqV9rICA22UaefU8uCOVusmkzTxrwK2oDpeq+Zw/OHUhM1VYJ  
l9jcMODBKUwqJov99AcJIKpCB8CU4CYmWoykc59RokgzHQdUorCDu4w4Es9GXuZo  
9pZiT3iHFTngFuk4XKnIYe91npn2WJwYELxWyOM3UE1u7M66TCaeMLHDc6sCqwB2  
wINr9CRarBc2cdQ7o+G4Y6VWAl3VGwEe582eTljEDYTxfLcE6CY588pjpzpfmt5j  
kVuUdYYVaDAoNpqr5P6dzzdpAoQFY62MkXij5Mz9xV+ey0beP231cCBjwNdkfWE4  
Uj7zMxzb6wpE9//bUIcRJkmjf+sO9Y1awffQAKX6sqmV6s/CdwgHNomxLPj+rgud  
qN8gzP/b1Pr84DZo7VcBqdeySiqod9zFX95h5slmo+9m0h+BH3XGf5Va4HPfmkXu  
6peoRfPnV0EHdkVxZ2zrIqs4dTpjF4qIhMe3fvrfoWppQas/HHEbD4M5x1YcD2MV  
iIazPIWwLJSZcJv/8NP3HS0zltGjEDfd1UTjnXwAyEvQLfCwDGn9FNtY1eKxWhmZ  
eRR4HwAnZfdg33DXinkn9ddwGTps6+y2dYYLx0mmSVWaYb1eiorGBFXJ5e4ALOA5  
gT7mgghhSao=YdPw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2259-01

Red Hat Security Advisory 2023-2283-01 - The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: skopeo security and bug fix update  
Advisory ID:       RHSA-2023:2283-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2283  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-30629 CVE-2022-41717  
====================================================================  
1. Summary:

An update for skopeo is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The skopeo command lets you inspect images from container image registries,  
get images and image layers, and use signatures to create and verify files.

Security Fix(es):

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2  
requests (CVE-2022-41717)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests  
2182318 - skopeo-1.11.2 required in RHEL9.2.0

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
skopeo-1.11.2-0.1.el9.src.rpm

aarch64:  
skopeo-1.11.2-0.1.el9.aarch64.rpm  
skopeo-debuginfo-1.11.2-0.1.el9.aarch64.rpm  
skopeo-debugsource-1.11.2-0.1.el9.aarch64.rpm  
skopeo-tests-1.11.2-0.1.el9.aarch64.rpm

ppc64le:  
skopeo-1.11.2-0.1.el9.ppc64le.rpm  
skopeo-debuginfo-1.11.2-0.1.el9.ppc64le.rpm  
skopeo-debugsource-1.11.2-0.1.el9.ppc64le.rpm  
skopeo-tests-1.11.2-0.1.el9.ppc64le.rpm

s390x:  
skopeo-1.11.2-0.1.el9.s390x.rpm  
skopeo-debuginfo-1.11.2-0.1.el9.s390x.rpm  
skopeo-debugsource-1.11.2-0.1.el9.s390x.rpm  
skopeo-tests-1.11.2-0.1.el9.s390x.rpm

x86_64:  
skopeo-1.11.2-0.1.el9.x86_64.rpm  
skopeo-debuginfo-1.11.2-0.1.el9.x86_64.rpm  
skopeo-debugsource-1.11.2-0.1.el9.x86_64.rpm  
skopeo-tests-1.11.2-0.1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo08NzjgjWX9erEAQgWOg//fccJBQ9s9bwxbqVmM7c6Z7DqWyekfzZS  
b1XjA6XcNIDQaYD6d9qvLpMEKmpQg8aeNeIpfvSQWmJPARkYU8sJIrc24yHklE5n  
pgFJ6FbRJccWpjRVKay/0Spwo7KQwB5o9cZXLR6oFDFRpxT/BvLtNqEHZ1n7ugFQ  
aE1SFS/nd7x6HvYI0ymhQmpNRURltAdFgmtauUKECN7tc8UsFxMHxpVG4JT7CyOx  
bLRoMR3LFLjEsNr+VMIjHGAMSGa1fyjp/bifR2qj+QUm2CuaR1+whXTjBMEHE9t8  
KmWt29dQ4PdyVmuuBz4uxdy1EmeChS4dxKnJ2DQJaPzmMcN0f2IfTR8p17jLSlhf  
RwIJQC5bobz5sJwlojxMLTafHQ9+XoTFFxHnebOW6omCjkiyFzQ2Vjebr5QYAJQ1  
19ca/1eXVdlYNAZSCRfpw3oGb9LJBuA7Ad/3+AgfTLGWN809T309eOVM6fVL5ICL  
mIzxzDrFr2IXQV6cRPapsMov5CD19h9gpxL63eBhOLasbmH8eotani+2Xx+kSrzt  
e3H56EdgOHE5ckCogsaZDUUw+5M12O2NjYRFYoUu112z0qif9QGYXuV0UNd93oKr  
fwuxCnI1CJmFV2KBqNZQ2CAr4pihjzl5c7NHUZGvVG/OQYw/z8QaCUa/2VBD+hI8  
TsacnXu2QB0RIy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2283-01

Red Hat Security Advisory 2023-2177-01 - The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: grafana-pcp security and enhancement update  
Advisory ID:       RHSA-2023:2177-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2177  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-27664  
====================================================================  
1. Summary:

An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The Grafana plugin for Performance Co-Pilot includes datasources for  
scalable time series from pmseries and Redis, live PCP metrics and bpftrace  
scripts from pmdabpftrace, as well as several dashboards.

Security Fix(es):

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2127038 - grafana pcp plugin is wiped from rpmostree /var during install in rhel edge

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
grafana-pcp-5.1.1-1.el9.src.rpm

aarch64:  
grafana-pcp-5.1.1-1.el9.aarch64.rpm  
grafana-pcp-debuginfo-5.1.1-1.el9.aarch64.rpm  
grafana-pcp-debugsource-5.1.1-1.el9.aarch64.rpm

ppc64le:  
grafana-pcp-5.1.1-1.el9.ppc64le.rpm  
grafana-pcp-debuginfo-5.1.1-1.el9.ppc64le.rpm  
grafana-pcp-debugsource-5.1.1-1.el9.ppc64le.rpm

s390x:  
grafana-pcp-5.1.1-1.el9.s390x.rpm  
grafana-pcp-debuginfo-5.1.1-1.el9.s390x.rpm  
grafana-pcp-debugsource-5.1.1-1.el9.s390x.rpm

x86_64:  
grafana-pcp-5.1.1-1.el9.x86_64.rpm  
grafana-pcp-debuginfo-5.1.1-1.el9.x86_64.rpm  
grafana-pcp-debugsource-5.1.1-1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0mNzjgjWX9erEAQi6Kg//WADx+EpHhZ82vYF8Jb30kgWpypWH9B4t  
5c/1i8fZQDjXdTcaXZ0rrMoJD4SXvWONxXZWNTPP99/hwGw+SzSa4wCNTBXY+GA2  
BhlvrAktiDQCckq5AsMGR8RxM01VXlNI1oaos0Yoql6Da9V6jnEVO3tuupGEMdUA  
KqHyzvE2fmtKGFbxeKVgI6bq+AYrvztsEJozHnvjItaAcZ9SU10uD+YFwHYDJPVL  
iais5PpZ7xAd8I59nsiokrizQ0d1esAAU8CJFJgn3hCFiZ+8XfpzkU7VBrkFlC3X  
deQZb4uzNKAQ70yK3Zcl+TW02Ps8Wo1ArnVvMZhx1oLPt+W2B4ZSXkM/IS6wgPGY  
gT3QmGlElFHXA7cJdZ9LKTxFpWBalJgfPNjtPcmNFx9EOVerE5pUN04YbHfdBP91  
0rC3zbyFmtEtuui+yJjt8WkVUs5T6w12hdF7kM37JW+DeXl5zUrpCLV8oi+XiutH  
WAG+oGqF4214SxsQkglsUAGaOh0l1pl/vvllgsmSXCi7+IEpj+J9EPjujNfOE3jh  
iEzaVW9RyfySAsBDn6qPj5gLyqAD3hhJ8Gd6q1HQsAjlawzL++49y5b0Ia407wDv  
O7xpiA+4YRqsZN0628JGlpXOdrK8xrMaKhz19LIlYR5fSPEBxh921gelhBuYxzKs  
edtb4EJ/1js=udLv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2177-01

Red Hat Security Advisory 2023-2502-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network. Issues addressed include a memory leak vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: dhcp security and enhancement update  
Advisory ID:       RHSA-2023:2502-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2502  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-2928 CVE-2022-2929  
====================================================================  
1. Summary:

An update for dhcp is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows  
individual devices on an IP network to get their own network configuration  
information, including an IP address, a subnet mask, and a broadcast  
address. The dhcp packages provide a relay agent and ISC DHCP service  
required to enable and administer DHCP on a network.

Security Fix(es):

* dhcp: option refcount overflow when leasequery is enabled leading to  
dhcpd abort (CVE-2022-2928)

* dhcp: DHCP memory leak (CVE-2022-2929)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2095396 - [RFE] dhcp use systemd-sysusers  
2132001 - CVE-2022-2929 dhcp: DHCP memory leak  
2132002 - CVE-2022-2928 dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
dhcp-4.4.2-18.b1.el9.src.rpm

aarch64:  
dhcp-client-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-client-debuginfo-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-debuginfo-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-debugsource-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-relay-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-relay-debuginfo-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-server-4.4.2-18.b1.el9.aarch64.rpm  
dhcp-server-debuginfo-4.4.2-18.b1.el9.aarch64.rpm

noarch:  
dhcp-common-4.4.2-18.b1.el9.noarch.rpm

ppc64le:  
dhcp-client-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-client-debuginfo-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-debuginfo-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-debugsource-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-relay-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-relay-debuginfo-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-server-4.4.2-18.b1.el9.ppc64le.rpm  
dhcp-server-debuginfo-4.4.2-18.b1.el9.ppc64le.rpm

s390x:  
dhcp-client-4.4.2-18.b1.el9.s390x.rpm  
dhcp-client-debuginfo-4.4.2-18.b1.el9.s390x.rpm  
dhcp-debuginfo-4.4.2-18.b1.el9.s390x.rpm  
dhcp-debugsource-4.4.2-18.b1.el9.s390x.rpm  
dhcp-relay-4.4.2-18.b1.el9.s390x.rpm  
dhcp-relay-debuginfo-4.4.2-18.b1.el9.s390x.rpm  
dhcp-server-4.4.2-18.b1.el9.s390x.rpm  
dhcp-server-debuginfo-4.4.2-18.b1.el9.s390x.rpm

x86_64:  
dhcp-client-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-client-debuginfo-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-debuginfo-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-debugsource-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-relay-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-relay-debuginfo-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-server-4.4.2-18.b1.el9.x86_64.rpm  
dhcp-server-debuginfo-4.4.2-18.b1.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2928  
https://access.redhat.com/security/cve/CVE-2022-2929  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0xdzjgjWX9erEAQjo7hAAkuIXb+7jvbfgVporTFkoXaCBJlNY4LRb  
ugTIUnzZ0xBBmaU6OpNz50atMV447UpihQXZEVcQ5KTtxpyJj0cuP61cz22XTxhm  
gByefYdayJqR5Ey7e7jBYuEK40/W186f4PPA6kpsYs4+eEtD2hGSlQvnGbjH7zPe  
rcrZ3sedLG6ea3NkgWPVaQeZ8wzl2xpAXezHn954/bngjQC30ouBQod+VkYNujH9  
c89ovLgEyYei1TUdveEStGNnxhZwtAj+OxuL5fCj4VEAV75KfhCGNBC1WKv2gTs0  
V7PTH+xT9GEEV1XR7I5A0RJqi3pVCsGAYEILyP1s5UhAohHLpfvH6QBUvOcRc3z7  
eagfX/DmiMAtWhGvzh6+qamZsy2AhgPot8WYu7mRMW2VW/fC1j+8ZAAH/deloGNw  
L38UBLWFbEuWUprcSsun2UfHYjsYsugrgF3u5R4e7V4s5kfF4pUJLkMkLsxZmoQf  
y6dPdvHi8suO1rJtf2gQ29E8nQKHFnMq1fhPYhJZNVoeK7+Tv6kl0kbVmIQPcFIs  
AfXBt0vqMA70JHTSk25jRin1utajkX1PjAIIL2Co3NbKQLSACT+mJMIhBEBbr2yY  
t8rcCQJng+yqYwbwLIo33LnII06krJBlmO7Y9jMyJQixOTFmixEmX8Wf26C9cTFY  
zUtFx7TRzEY=wJde  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2502-01

Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: sysstat security and bug fix update  
Advisory ID:       RHSA-2023:2234-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2234  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-39377  
====================================================================  
1. Summary:

An update for sysstat is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The sysstat packages provide the sar and iostat commands. These commands  
enable system monitoring of disk, network, and other I/O activity.

Security Fix(es):

* sysstat: arithmetic overflow in allocate_structures() on 32 bit systems  
(CVE-2022-39377)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2141207 - CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
sysstat-12.5.4-5.el9.src.rpm

aarch64:  
sysstat-12.5.4-5.el9.aarch64.rpm  
sysstat-debuginfo-12.5.4-5.el9.aarch64.rpm  
sysstat-debugsource-12.5.4-5.el9.aarch64.rpm

ppc64le:  
sysstat-12.5.4-5.el9.ppc64le.rpm  
sysstat-debuginfo-12.5.4-5.el9.ppc64le.rpm  
sysstat-debugsource-12.5.4-5.el9.ppc64le.rpm

s390x:  
sysstat-12.5.4-5.el9.s390x.rpm  
sysstat-debuginfo-12.5.4-5.el9.s390x.rpm  
sysstat-debugsource-12.5.4-5.el9.s390x.rpm

x86_64:  
sysstat-12.5.4-5.el9.x86_64.rpm  
sysstat-debuginfo-12.5.4-5.el9.x86_64.rpm  
sysstat-debugsource-12.5.4-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39377  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo1A9zjgjWX9erEAQir4g//XX4H0LjGGWdR0AAyuy9uG8FI0CLqk56O  
gOdGdJ8x0H0t3VASRC/ebotFIwx8LFi8hDVXQ9zPkn3CfnnfdWwD/Eyt34GIETDr  
YZa+8bClxZMQxgFFQRDJJ4FbpFRltbAfakXdWVACVgbMGs7vkbVIPPUSfcCXQfyv  
YItQew/n/wYn1Cr8uxJplx5GmQzhlEfsc1kqf7EcVftvh4UFrF7Z42nxtKirmdxK  
hqSfV9YMUvWsq2JdkDcFTiZVnK2jij4bKMwrpIvZrkZwJz3w5FcU+IwDj3B+J42p  
Z/avVq3T1qUGlBCRv0bNvL+onGqbrDmJRHbbi4Z78XIpRN3CDFlD+iMLBgpTAwSw  
Na0H1DO2ta1aUa/0ZOv6b0wcFuJEnIDLW5eOQgbL4VkYEQOGX3x2iRgpQiI++z0r  
vIn49E13rTuHcRV3RSAfFwGlO2ZZCHVAYwACadl8dTSdZiiEsHfwDbK2j7kmajQH  
+rRkb0naXa+BrVKFIfjua/y/FrUvgOnNkW2RjCFMvH4VVIFedx0OjFR11payT91S  
hwt9C2/xoDJRqPlCnbMzFVBg7yAW0foIHtb7WMQ6jJRecAKDoLhUDcNSeWUgQV/f  
bEQvB4Zlk2kqd7/dNChhxDfk5om13319h19NESJ+r/CoO/2ssRXQT9kHGbJKYudi  
vfbXV8qBX8o=K3qT  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2234-01

Red Hat Security Advisory 2023-2626-01 - GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: emacs security update  
Advisory ID:       RHSA-2023:2626-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2626  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-48337 CVE-2022-48338 CVE-2022-48339  
                   CVE-2023-2491  
====================================================================  
1. Summary:

An update for emacs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

GNU Emacs is a powerful, customizable, self-documenting text editor. It  
provides special code editing features, a scripting language (elisp), and  
the capability to read e-mail and news.

Security Fix(es):

* emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux  
(CVE-2023-2491)

* emacs: command execution via shell metacharacters (CVE-2022-48337)

* emacs: local command injection in ruby-mode.el (CVE-2022-48338)

* emacs: command injection vulnerability in htmlfontify.el (CVE-2022-48339)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2171987 - CVE-2022-48337 emacs: command execution via shell metacharacters  
2171988 - CVE-2022-48338 emacs: local command injection in ruby-mode.el  
2171989 - CVE-2022-48339 emacs: command injection vulnerability in htmlfontify.el  
2192873 - CVE-2023-2491 emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
emacs-27.2-8.el9_2.1.src.rpm

aarch64:  
emacs-27.2-8.el9_2.1.aarch64.rpm  
emacs-common-27.2-8.el9_2.1.aarch64.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-debugsource-27.2-8.el9_2.1.aarch64.rpm  
emacs-lucid-27.2-8.el9_2.1.aarch64.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-nox-27.2-8.el9_2.1.aarch64.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.aarch64.rpm

noarch:  
emacs-filesystem-27.2-8.el9_2.1.noarch.rpm

ppc64le:  
emacs-27.2-8.el9_2.1.ppc64le.rpm  
emacs-common-27.2-8.el9_2.1.ppc64le.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-debugsource-27.2-8.el9_2.1.ppc64le.rpm  
emacs-lucid-27.2-8.el9_2.1.ppc64le.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-nox-27.2-8.el9_2.1.ppc64le.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.ppc64le.rpm

s390x:  
emacs-27.2-8.el9_2.1.s390x.rpm  
emacs-common-27.2-8.el9_2.1.s390x.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-debugsource-27.2-8.el9_2.1.s390x.rpm  
emacs-lucid-27.2-8.el9_2.1.s390x.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-nox-27.2-8.el9_2.1.s390x.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.s390x.rpm

x86_64:  
emacs-27.2-8.el9_2.1.x86_64.rpm  
emacs-common-27.2-8.el9_2.1.x86_64.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-debugsource-27.2-8.el9_2.1.x86_64.rpm  
emacs-lucid-27.2-8.el9_2.1.x86_64.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-nox-27.2-8.el9_2.1.x86_64.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-48337  
https://access.redhat.com/security/cve/CVE-2022-48338  
https://access.redhat.com/security/cve/CVE-2022-48339  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo1BtzjgjWX9erEAQhtpxAAoYp1zA1tl18b1JFFsuK7CcZQNgmeASuh  
GoEOuOn1fS0dq5J63UuUEcVg3x2oI5hsrgsQSpEbUt+Ehm/4S9gaIm0UZQmjraE+  
8UcshzgQAku2+XKpNw63HE7iKZF8M42C9AFDkUuOAYywwMmFBF+uJKG+Brc+Ah7e  
fOtQBVu5zsDiD0GRq4p+52MJ+MxRKlIernJXlPA7TX3UV3rWBApgnXpiDsnMbEsx  
D+N9sXVnks5Gxq9K1XMqEwKTUuGCdmTZroRqrwwlPs17nXfpxadXf/6v7vLbPICs  
7tEJFHB30/KgL/vUs8Tl5iLVlH96z1FNRU1yLYkETjGuamNJGX00iMlGxIJjPrlx  
YVvgJjk0KFeNFhliJtXWgwLElsdWszIafMuCPU7OTUzpowsak3+h7oErVtoSjJpb  
EP/SouzhBqbyMI1VllcM6bcmhvU4DM8NnIL/N3lJSZwXYnubI82zlj/m82c99210  
H+WJii45v6D+h904FmWaB6Q+GsaqRYvKbZ22eMTAbye5CzIM55LrV56TVx7Ahl1Z  
zs/5MmXcmod8TiKONQtlM9BVcVf3nb1NgxKTDeRzAkwBeCrH/zVh4z0+aNeQTVJO  
1xE1bhGSDO311P6dODjOEg7HyUbsMIP2vFU7ULSqLzXtXmaICltBGhDzEGr26dq5  
qM/56o0jSioÌtx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux