Red Hat Security Advisory 2022-7581-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Red Hat Security Advisory 2022-7581-01

Red Hat Security Advisory 2022-7618-01 - GStreamer is a streaming media framework based on graphs of filters that operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: gstreamer1-plugins-good security update  
Advisory ID:       RHSA-2022:7618-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7618  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-3497  
====================================================================  
1. Summary:

An update for gstreamer1-plugins-good is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

GStreamer is a streaming media framework based on graphs of filters that  
operate on media data. The gstreamer1-plugins-good packages contain a  
collection of well-supported plug-ins of good quality and under the LGPL  
license.

Security Fix(es):

* gstreamer-plugins-good: Use-after-free in matroska demuxing  
(CVE-2021-3497)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1945339 - CVE-2021-3497 gstreamer-plugins-good: Use-after-free in matroska demuxing

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
gstreamer1-plugins-good-1.16.1-3.el8.src.rpm

aarch64:  
gstreamer1-plugins-good-1.16.1-3.el8.aarch64.rpm  
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8.aarch64.rpm  
gstreamer1-plugins-good-debugsource-1.16.1-3.el8.aarch64.rpm  
gstreamer1-plugins-good-gtk-1.16.1-3.el8.aarch64.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8.aarch64.rpm

ppc64le:  
gstreamer1-plugins-good-1.16.1-3.el8.ppc64le.rpm  
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8.ppc64le.rpm  
gstreamer1-plugins-good-debugsource-1.16.1-3.el8.ppc64le.rpm  
gstreamer1-plugins-good-gtk-1.16.1-3.el8.ppc64le.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8.ppc64le.rpm

s390x:  
gstreamer1-plugins-good-1.16.1-3.el8.s390x.rpm  
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8.s390x.rpm  
gstreamer1-plugins-good-debugsource-1.16.1-3.el8.s390x.rpm  
gstreamer1-plugins-good-gtk-1.16.1-3.el8.s390x.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8.s390x.rpm

x86_64:  
gstreamer1-plugins-good-1.16.1-3.el8.i686.rpm  
gstreamer1-plugins-good-1.16.1-3.el8.x86_64.rpm  
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8.i686.rpm  
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8.x86_64.rpm  
gstreamer1-plugins-good-debugsource-1.16.1-3.el8.i686.rpm  
gstreamer1-plugins-good-debugsource-1.16.1-3.el8.x86_64.rpm  
gstreamer1-plugins-good-gtk-1.16.1-3.el8.i686.rpm  
gstreamer1-plugins-good-gtk-1.16.1-3.el8.x86_64.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8.i686.rpm  
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3497  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSHNzjgjWX9erEAQjtHQ/7BRxZoAp9L8id/LtrbyxJ8aFWu0fG60gO  
cc56Lib0iOE3W0jgyMr7fz/tGWzNlt7hK9KyiDpS2NmyqAkHIU2nf+5MWx9EAQno  
2VN9eB0cq5MvBbbBRhk5Cp3ZhGY5cM1BTmp9TBQ4qgUN9RirtAu4jCnLNUEEi3Ev  
TlI3ljir/7CQORrBd1sMixy4RnXzkEp/J8W0y2Jl+SKIqVPSqURuBEksRhetqRwt  
z2m5VfpxDsnLdPVpIjX/LIoko4d2WrY9I9vSuueSa75xZjKJ1t0E9WvgkgKPukFJ  
DnGVj5SDM86BI2eK0A3VJ6CgLIpjTp676BPxpCq5RAkk0TaVjz1tmm3kIk0nLPaX  
AxQvgphaWejqULu12ebMbblxfT/qtId1B18sdu/hoDIgsiorf18o0B4VWRrzXPuE  
PvwZIEZllDLnQOj/YKe+cMlt2LREs9p08n3EcqXnAgY0b10TBYC+gx7ksATamnFM  
NlcvHxnWhGDV9YtbFwAAZ95M0x72eITg7onwy7abYw0c4r41bCrs0Ym8B/bgLy5d  
rPzgUNxhi/pzo2lEQ+MBM1tjuVBhgxCRjEdZlAcJ4gsmTItVy2TNpaexmREi0ha3  
q26THhrmYaARKidUJJBf79YpJ0odt9+UjiGSdmy9sa1FKdP593Hs+7L/qCCXRAKB  
KZ/Lxlxk0Mw/2A  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7618-01

Red Hat Security Advisory 2022-7793-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Issues addressed include a buffer over-read vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rsync security and enhancement update  
Advisory ID:       RHSA-2022:7793-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7793  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-37434  
====================================================================  
1. Summary:

An update for rsync is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The rsync utility enables the users to copy and synchronize files locally  
or across a network. Synchronization with rsync is fast because rsync only  
sends the differences in files over the network instead of sending whole  
files. The rsync utility is also used as a mirroring tool.

Security Fix(es):

* zlib: heap-based buffer over-read and overflow in inflate() in inflate.c  
via a large gzip header extra field (CVE-2022-37434)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2043753 - [RFE] Improve defaults for sparse file buffering.  
2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
rsync-3.1.3-19.el8.src.rpm

aarch64:  
rsync-3.1.3-19.el8.aarch64.rpm  
rsync-debuginfo-3.1.3-19.el8.aarch64.rpm  
rsync-debugsource-3.1.3-19.el8.aarch64.rpm

noarch:  
rsync-daemon-3.1.3-19.el8.noarch.rpm

ppc64le:  
rsync-3.1.3-19.el8.ppc64le.rpm  
rsync-debuginfo-3.1.3-19.el8.ppc64le.rpm  
rsync-debugsource-3.1.3-19.el8.ppc64le.rpm

s390x:  
rsync-3.1.3-19.el8.s390x.rpm  
rsync-debuginfo-3.1.3-19.el8.s390x.rpm  
rsync-debugsource-3.1.3-19.el8.s390x.rpm

x86_64:  
rsync-3.1.3-19.el8.x86_64.rpm  
rsync-debuginfo-3.1.3-19.el8.x86_64.rpm  
rsync-debugsource-3.1.3-19.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSJ9zjgjWX9erEAQhctA/+LG9CKJG+ronMeYqaYry5AZbiLDWwxSoI  
N2WXEREzS8K0QNNPXpDVUGvaPcH45veL2eSxboIyarv9HzYrgB9QmEMB6TlLQdah  
T0bign9+51kyZXzP+QNxO09pv5ps0AUTZADy67pw2YCz3/NFVLKxAY35BoyBS7po  
eqvWSQXYrNjFzDrDfPL8hpPBQN+l6fZ4d3loF9aq06DNC/LYIDJ68JJLTkiwehjV  
ad/MqywMu26entrvK/CO1veaQkWi64WeKQSC8lCf97HONvgQKk75xJ20Z6p/RNou  
82WQd2pKa9m6NwZPgIA6H+/S2yNGZnDLHitWzT5V7OfPpoOrh1sQnReuhT0F8bXh  
vsoGCyj+aVO/J4o/CdxWIcGxjd6SPx5wnmQPUdRNgbL/tBIxUIHjLj2CDrHgIH8S  
YikOcfquQ6os9OPdVS6P2KIIZJngmwCrxoJgk6fIgSSh+KcVhvjtLsqV6juGpuPw  
Jp0PK86R11LwjvCIHHUZbvTTIa4zpsQw+PQyIIv0N3qxnji5iog90zAm4MmTvjnA  
OJJu8CX1ayVzSc4Vh5wzDVaJG5wneHvVKmEa39OF+RGOB8vx5Dvn3dLFZNdK5Uko  
qINCliFhY2+nAj0wkUyhi8a2Ycsllerh4U5suqigGtzQXU6+hF9le2qymERCmkaT  
VzceG5KCVt4=u5mb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7793-01

Red Hat Security Advisory 2022-7813-01 - The zlib packages provide a general-purpose lossless data compression library that is used by many different programs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: mingw-zlib security update  
Advisory ID:       RHSA-2022:7813-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7813  
Issue date:        2022-11-08  
CVE Names:         CVE-2018-25032  
====================================================================  
1. Summary:

An update for mingw-zlib is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch

3. Description:

The zlib packages provide a general-purpose lossless data compression  
library that is used by many different programs.

Security Fix(es):

* zlib: A flaw found in zlib when compressing (not decompressing) certain  
inputs (CVE-2018-25032)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067945 - CVE-2018-25032 zlib: A flaw found in zlib when compressing (not decompressing) certain inputs

6. Package List:

Red Hat CodeReady Linux Builder (v. 8):

Source:  
mingw-zlib-1.2.8-10.el8.src.rpm

noarch:  
mingw32-zlib-1.2.8-10.el8.noarch.rpm  
mingw32-zlib-debuginfo-1.2.8-10.el8.noarch.rpm  
mingw32-zlib-static-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-debuginfo-1.2.8-10.el8.noarch.rpm  
mingw64-zlib-static-1.2.8-10.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSGdzjgjWX9erEAQgUwA/+I0Yfh7SE/3ex1OCbDRi+Y7TQV6LPIfaY  
Wf+3Kq1gTm3ApB7ZgN8oTrIEfIN/NjQ+NUKhLM6X3jEi8gVxzZloOnk3B6liK1wg  
0N3LY0PW1VdJB44WaX/ZfB/vu2sTEJfux9CgKphAm10G7vIv9gxlbRRZ8+vRXeMN  
/ATsBoATo8OaK9yzAMBLnSpbxHJvimEr0AGoU4ixZTeF91p9ypMT59yuF+GmOu+r  
Qw7DxvJSnhrz2RrekBuBCqli84SzM8y9w8PCPojrIuIkcZDmZfgXhplAgZNCs2Tm  
j8KGbjHawDhgHQEs5zHJMI+3uBjsrm6bq9G81qdUQto8o/GmLkZj36B6CpmSfk6Z  
lIUItBHDd9gEt4aHNJzBoOIPUq6KMyKqOK20t4o95Nx+Uyoww6VQoVfDaGS+x/Th  
DIufW2cA53/3r47jF91Hm2365WkEKfF2Jx1oAJFdBwaaIp2JRk0WtKkHOmsDN1//  
h0dMMMo/+sUeIAHBz0xpiP9AMLhujmCPfObU29GaB2HNPhz7SffcE6vDPs2Zq6pC  
DwivNCrBfiVDfPpC2CMwK0FZSuV3UFq56MeCbSMaqUczsPWWxESeEVxOV9AJXl6Y  
jhyoYbtM1/n8L05zLXU7d50ig6oKZ/eZoMULg7Q2LboKYjWMk0+ashgqhdOigTup  
tIaNurRUEawioM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7813-01

Red Hat Security Advisory 2022-7830-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:14 security update  
Advisory ID:       RHSA-2022:7830-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7830  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-44531 CVE-2021-44532 CVE-2021-44533  
                   CVE-2022-21824 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Improper handling of URI Subject Alternative Names  
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection  
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields  
(CVE-2021-44533)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names  
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection  
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields  
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.src.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.aarch64.rpm

noarch:  
nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.ppc64le.rpm

s390x:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.s390x.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.s390x.rpm

x86_64:  
nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debuginfo-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm  
npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44531  
https://access.redhat.com/security/cve/CVE-2021-44532  
https://access.redhat.com/security/cve/CVE-2021-44533  
https://access.redhat.com/security/cve/CVE-2022-21824  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSMNzjgjWX9erEAQiFmA/+PFsIM04d2Gzf9L0EzhYopvP+2hpQ3oXe  
rxs1jY17w/shvRUvBEcfFGwjqkw+9BROLnY76riBWXvS4cLdic/GaVoDYA053Swv  
qg47PgZuYgyM6Vj0ggqnN4pmN+4ydnGQnfCY5enQMZuUEEtkoP1kKj/r0b14G2Qb  
QAfRjS4kIBsIqdfWVLmB2ADyG4/RErrmQznmqnI+NgyVed+EcHQwKDXWJxQAcf1d  
bSWPPiYxKDMjl4prvFCIO4j5HIMcSxX2ydCuzU+unzdAzEVfhksJvug4vJOhI/tj  
vLbNYpb32szyWDF8RKqBCxqtpSFL+Rj1dSB9S8vLRD1vdme8GcY0bb4RMT5A7rxG  
vxboN1UnFBVasytToFrVMb6YI0hRIbY6u/AEDr7FpuZlc75IeBDuTrd513g0/JV2  
3s7uSktUx+5CLE6yTcbjNFzyxt/CWlXYRLxDjei4PAgTHUob0XV4ceegiSQtIrJR  
BsDZ92Rl3fL0h5ifQyX852F4aYDdN4wUNeaOL6dDh8I/O7YTdmwVrFJOsCaJbuW2  
eEEezk6n3EsGA0GUu3g4llzynyE+kbEVM03ZycSVeL5Rg14p05nabXiYy22r3fKq  
oKo6QsdExSS+8yzDLVpug1B8LUbQ9KjA3TwkuSpAFzLFF4Gdf9TDT81cXMnxoYbU  
9kKLmbdmAnM=ZgF8  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7830-01

Red Hat Security Advisory 2022-7585-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, denial of service, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: libtiff security update  
Advisory ID:       RHSA-2022:7585-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7585  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-0561 CVE-2022-0562 CVE-2022-0865  
                   CVE-2022-0891 CVE-2022-0908 CVE-2022-0909  
                   CVE-2022-0924 CVE-2022-1355 CVE-2022-22844  
====================================================================  
1. Summary:

An update for libtiff is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libtiff packages contain a library of functions for manipulating Tagged  
Image File Format (TIFF) files.

Security Fix(es):

* libtiff: Denial of Service via crafted TIFF file (CVE-2022-0561)

* libtiff: Null source pointer lead to Denial of Service via crafted TIFF  
file (CVE-2022-0562)

* libtiff: reachable assertion (CVE-2022-0865)

* libtiff: Out-of-bounds Read error in tiffcp (CVE-2022-0924)

* libtiff: stack-buffer-overflow in tiffcp.c in main() (CVE-2022-1355)

* libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c  
(CVE-2022-22844)

* libtiff: heap buffer overflow in extractImageSection (CVE-2022-0891)

* tiff: Null source pointer passed as an argument to memcpy in  
TIFFFetchNormalTag() in tif_dirread.c (CVE-2022-0908)

* tiff: Divide By Zero error in tiffcrop (CVE-2022-0909)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications linked against libtiff must be restarted for this  
update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2042603 - CVE-2022-22844 libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c  
2054494 - CVE-2022-0561 libtiff: Denial of Service via crafted TIFF file  
2054495 - CVE-2022-0562 libtiff: Null source pointer lead to Denial of Service via crafted TIFF file  
2064145 - CVE-2022-0908 tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c  
2064146 - CVE-2022-0909 tiff: Divide By Zero error in tiffcrop  
2064148 - CVE-2022-0924 libtiff: Out-of-bounds Read error in tiffcp  
2064406 - CVE-2022-0865 libtiff: reachable assertion  
2064411 - CVE-2022-0891 libtiff: heap buffer overflow in extractImageSection  
2074415 - CVE-2022-1355 libtiff: stack-buffer-overflow in tiffcp.c in main()

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libtiff-4.0.9-23.el8.src.rpm

aarch64:  
libtiff-4.0.9-23.el8.aarch64.rpm  
libtiff-debuginfo-4.0.9-23.el8.aarch64.rpm  
libtiff-debugsource-4.0.9-23.el8.aarch64.rpm  
libtiff-devel-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.aarch64.rpm

ppc64le:  
libtiff-4.0.9-23.el8.ppc64le.rpm  
libtiff-debuginfo-4.0.9-23.el8.ppc64le.rpm  
libtiff-debugsource-4.0.9-23.el8.ppc64le.rpm  
libtiff-devel-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.ppc64le.rpm

s390x:  
libtiff-4.0.9-23.el8.s390x.rpm  
libtiff-debuginfo-4.0.9-23.el8.s390x.rpm  
libtiff-debugsource-4.0.9-23.el8.s390x.rpm  
libtiff-devel-4.0.9-23.el8.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.s390x.rpm

x86_64:  
libtiff-4.0.9-23.el8.i686.rpm  
libtiff-4.0.9-23.el8.x86_64.rpm  
libtiff-debuginfo-4.0.9-23.el8.i686.rpm  
libtiff-debuginfo-4.0.9-23.el8.x86_64.rpm  
libtiff-debugsource-4.0.9-23.el8.i686.rpm  
libtiff-debugsource-4.0.9-23.el8.x86_64.rpm  
libtiff-devel-4.0.9-23.el8.i686.rpm  
libtiff-devel-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.i686.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
libtiff-debuginfo-4.0.9-23.el8.aarch64.rpm  
libtiff-debugsource-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-4.0.9-23.el8.aarch64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.aarch64.rpm

ppc64le:  
libtiff-debuginfo-4.0.9-23.el8.ppc64le.rpm  
libtiff-debugsource-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-4.0.9-23.el8.ppc64le.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.ppc64le.rpm

s390x:  
libtiff-debuginfo-4.0.9-23.el8.s390x.rpm  
libtiff-debugsource-4.0.9-23.el8.s390x.rpm  
libtiff-tools-4.0.9-23.el8.s390x.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.s390x.rpm

x86_64:  
libtiff-debuginfo-4.0.9-23.el8.x86_64.rpm  
libtiff-debugsource-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-4.0.9-23.el8.x86_64.rpm  
libtiff-tools-debuginfo-4.0.9-23.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-0561  
https://access.redhat.com/security/cve/CVE-2022-0562  
https://access.redhat.com/security/cve/CVE-2022-0865  
https://access.redhat.com/security/cve/CVE-2022-0891  
https://access.redhat.com/security/cve/CVE-2022-0908  
https://access.redhat.com/security/cve/CVE-2022-0909  
https://access.redhat.com/security/cve/CVE-2022-0924  
https://access.redhat.com/security/cve/CVE-2022-1355  
https://access.redhat.com/security/cve/CVE-2022-22844  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSdtzjgjWX9erEAQgceBAAgxamrzyTOP2GS3s+C1p5y6grhjvDcDiB  
myi0mTUQ8H8ivuHf84wq6o0+K4LDuZ9mbOo/HYxJv4QIUcSfDF3xpZA7siuC0wr2  
p4G5BSmPyekDnIak9m88mTeBGi0BAuruJUbXi8lyjh6ItfsbWVi5GcTcJyz5WslP  
fJl66PglBOGYSvy5Yy7NKjHZ9NURG2Uw1chyaJa334IthtXNiFOobwEAv/KaGUIs  
o5qlcr+zliRVv6k4hlwFhFegCtqWIM8vfqUkVsf/jP2+rGrZTfnqfNKvWnNYIXq4  
zrY95PD7DeX18/ZHQ6JXOmVXczXSL0yzQjvUAs0hJK98cRBYfKgUHXf4tSzW2wfU  
4XPXjUj9TNV/Ld4J8hKrxE63GoqF0wDyGXSnkLr6KDHc2kk6A6yvUpVbcoXxuZT+  
O498iq52P3NMzAZyUk342AfsdASR3nnewuusksd1avLGZ2SjsJHcezAD0IRJK+66  
7lizIhMG+GQ6n0WBwDAMhe/8SPiaIE9e3nOILVQ2eUdMf9RegowDJKWik2FDZfzM  
++UDx1ofhjOX8ASd2kYfvOaYY6Zt01r+RBfZVrRH8N4Ex6eozIDxyzssAV6yYvDr  
ZeH8hLuCeAsb1H59sLAjTjlQYE+lltNykmpZyeXAvBHIjfuigp3iqQnArnhzGTPT  
weUuSg0GqME=u7Ay  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7585-01

Red Hat Security Advisory 2022-7821-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security update  
Advisory ID:       RHSA-2022:7821-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7821  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-35255 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18.9.1). (BZ#2130559, BZ#2131750)

Security Fix(es):

* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.src.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64.rpm

noarch:  
nodejs-docs-18.9.1-1.module+el8.7.0+16806+4109802b.noarch.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le.rpm

s390x:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x.rpm

x86_64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35255  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSJNzjgjWX9erEAQjaww/9FwAgM6VhLuL/A6jOAoTuAbjXIPjLq3bf  
BycFTPsYskS5aXT7hJUyT8WJQobCaw1J0e5c/+QnjJW1/9RNeAfoVNpuGyrnunXA  
4Ferj6qFwWHtzr0b2noQW0mzuOm6Ecen9r30vl58e+mgpmolrDWtf+Wsm/5fxuC4  
9CUfdJ7doifnNbrnmBGNOaINHflSAPo+GUZvvrPozYv74uuE2hmMTzM6rtg5EXqG  
hEI0zLJzTf3KWsKW6iIOWlOA2Kppn7JRsjNK2DQIotSSTmfNhS0AybKfp30Mgyia  
fxcOV0hdFqMq7HrOd/daP61DhhmyAECgYUCrhnVl01ntLQAPmmTmSihOHxrTbZcJ  
HewcOKlos2GgnQAX+DoMREn6KnvFTXT2xU0vO/X8Pbl2TyQ8B89Jb8m3hR71OBnG  
ARBDiEG9yWQaMLqrI9YHcsOR+4DxsXgecjItc3Bd9jbBKkLgnTi1efEjW/SdjU9b  
GWhL/2DVPOT9yg/j/+/me8+3c9O7vnePN7zaxUEoZ0DmdsDKlOzrC/D69thVIqXY  
JSQ8cINZ37RiCNRxcEvMQpwm/y79OCWVGdPptsluBapNDur5qeg2KrDYeHYsMXGF  
X9D6fP1Vod455kt+TxJCijA9XYT0JG7BA+KA5esIT2reCTvgQlP5QaEWqlNI39d4  
z9dijpwH2po=+8w0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7821-01

Red Hat Security Advisory 2022-7464-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: protobuf security update  
Advisory ID:       RHSA-2022:7464-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7464  
Issue date:        2022-11-08  
CVE Names:         CVE-2021-22570  
====================================================================  
1. Summary:

An update for protobuf is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The protobuf packages provide Protocol Buffers, Google's data interchange  
format. Protocol Buffers can encode structured data in an efficient yet  
extensible format, and provide a flexible, efficient, and automated  
mechanism for serializing structured data.

Security Fix(es):

* protobuf: Incorrect parsing of nullchar in the proto symbol leads to  
Nullptr dereference (CVE-2021-22570)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
protobuf-3.5.0-15.el8.src.rpm

aarch64:  
protobuf-3.5.0-15.el8.aarch64.rpm  
protobuf-compiler-3.5.0-15.el8.aarch64.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.aarch64.rpm  
protobuf-debuginfo-3.5.0-15.el8.aarch64.rpm  
protobuf-debugsource-3.5.0-15.el8.aarch64.rpm  
protobuf-lite-3.5.0-15.el8.aarch64.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.aarch64.rpm

noarch:  
python3-protobuf-3.5.0-15.el8.noarch.rpm

ppc64le:  
protobuf-3.5.0-15.el8.ppc64le.rpm  
protobuf-compiler-3.5.0-15.el8.ppc64le.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.ppc64le.rpm  
protobuf-debuginfo-3.5.0-15.el8.ppc64le.rpm  
protobuf-debugsource-3.5.0-15.el8.ppc64le.rpm  
protobuf-lite-3.5.0-15.el8.ppc64le.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.ppc64le.rpm

s390x:  
protobuf-3.5.0-15.el8.s390x.rpm  
protobuf-compiler-3.5.0-15.el8.s390x.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.s390x.rpm  
protobuf-debuginfo-3.5.0-15.el8.s390x.rpm  
protobuf-debugsource-3.5.0-15.el8.s390x.rpm  
protobuf-lite-3.5.0-15.el8.s390x.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.s390x.rpm

x86_64:  
protobuf-3.5.0-15.el8.i686.rpm  
protobuf-3.5.0-15.el8.x86_64.rpm  
protobuf-compiler-3.5.0-15.el8.i686.rpm  
protobuf-compiler-3.5.0-15.el8.x86_64.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.x86_64.rpm  
protobuf-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-debuginfo-3.5.0-15.el8.x86_64.rpm  
protobuf-debugsource-3.5.0-15.el8.i686.rpm  
protobuf-debugsource-3.5.0-15.el8.x86_64.rpm  
protobuf-lite-3.5.0-15.el8.i686.rpm  
protobuf-lite-3.5.0-15.el8.x86_64.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
protobuf-compiler-debuginfo-3.5.0-15.el8.aarch64.rpm  
protobuf-debuginfo-3.5.0-15.el8.aarch64.rpm  
protobuf-debugsource-3.5.0-15.el8.aarch64.rpm  
protobuf-devel-3.5.0-15.el8.aarch64.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.aarch64.rpm  
protobuf-lite-devel-3.5.0-15.el8.aarch64.rpm

ppc64le:  
protobuf-compiler-debuginfo-3.5.0-15.el8.ppc64le.rpm  
protobuf-debuginfo-3.5.0-15.el8.ppc64le.rpm  
protobuf-debugsource-3.5.0-15.el8.ppc64le.rpm  
protobuf-devel-3.5.0-15.el8.ppc64le.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.ppc64le.rpm  
protobuf-lite-devel-3.5.0-15.el8.ppc64le.rpm

s390x:  
protobuf-compiler-debuginfo-3.5.0-15.el8.s390x.rpm  
protobuf-debuginfo-3.5.0-15.el8.s390x.rpm  
protobuf-debugsource-3.5.0-15.el8.s390x.rpm  
protobuf-devel-3.5.0-15.el8.s390x.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.s390x.rpm  
protobuf-lite-devel-3.5.0-15.el8.s390x.rpm

x86_64:  
protobuf-compiler-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-compiler-debuginfo-3.5.0-15.el8.x86_64.rpm  
protobuf-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-debuginfo-3.5.0-15.el8.x86_64.rpm  
protobuf-debugsource-3.5.0-15.el8.i686.rpm  
protobuf-debugsource-3.5.0-15.el8.x86_64.rpm  
protobuf-devel-3.5.0-15.el8.i686.rpm  
protobuf-devel-3.5.0-15.el8.x86_64.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.i686.rpm  
protobuf-lite-debuginfo-3.5.0-15.el8.x86_64.rpm  
protobuf-lite-devel-3.5.0-15.el8.i686.rpm  
protobuf-lite-devel-3.5.0-15.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pRw9zjgjWX9erEAQhk6Q/7BbLJbeY4aURwM0mkAjDpideSVEGIjXJ5  
mE6JH0VL1FnnN4jMF/m/3vIr12ohYWEDy2iN7S5ZtGUDkD4Swn3RVd7OJ3adtCgM  
TDxOBbFHFzmx2HQXTU3ERP1WGPVEt0Ty4W7uDpfIqV4MlnTXyXVAkLXpLqj2kXNr  
MfQm7sS1+krcuyd/yuwgWJnMSF3hDLnM9m+UojMAPPO8FB+OdyK8PM8kpqJtf3yl  
mhforY0MX0A9Wrb2yht+OzTOqjFYxQOrcO7tZ2J5oYj1audjjzya8DxkZkPHRyGg  
pUvUW/ThCkm2+Gj1qxPzNNXUnMrphFAGSIrUimtZh3Ve5PlzNojJTcsmC2CNwfLC  
/GyJfQncvfchNJ6libdvqQ0IgjpH7MAijr358j+1Pev679ssnQDrZfXxMoTFqVSv  
CaWDNdwM/8BuNmI6lU/pgP+fIzXv6O1a8M4nQwVuirRVtCI2YCXr7mu2b2kQXdqM  
Qh0vlT7EC+CVo9Ql2VROYKHxxAWCkXrK7yMsyQZicfYfrD6cO1AEt64YdsEs+CvF  
k7SWcFT2a++hOP7nVedifgGpANKd1LQ8XIWRMeAKtu3JK3R031CZb7RVz3G+hjt7  
zs5T82mToF0gT4O0Dxt7pwTDcSCL4A53zNsgahIg7fL4qxC8vDyU9p4k/l6GJrp1  
VjKmpReRZ9Q=Mm7b  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7464-01

Red Hat Security Advisory 2022-7811-01 - Expat is a C library for parsing XML documents. The mingw-expat packages provide a port of the Expat library for MinGW. Issues addressed include code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: mingw-expat security update  
Advisory ID:       RHSA-2022:7811-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7811  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-23990 CVE-2022-25235 CVE-2022-25236  
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-25315  
====================================================================  
1. Summary:

An update for mingw-expat is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - noarch

3. Description:

Expat is a C library for parsing XML documents. The mingw-expat packages  
provide a port of the Expat library for MinGW.

The following packages have been upgraded to a later upstream version:  
mingw-expat (2.4.8). (BZ#2057023, BZ#2057037, BZ#2057127)

Security Fix(es):

* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code  
execution (CVE-2022-25235)

* expat: Namespace-separator characters in "xmlns[:prefix]" attribute  
values can lead to arbitrary code execution (CVE-2022-25236)

* expat: Integer overflow in storeRawNames() (CVE-2022-25315)

* expat: Stack exhaustion in doctype parsing (CVE-2022-25313)

* expat: Integer overflow in copyString() (CVE-2022-25314)

* expat: Integer overflow in the doProlog function (CVE-2022-23990)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2048356 - CVE-2022-23990 expat: integer overflow in the doProlog function  
2056350 - CVE-2022-25313 expat: Stack exhaustion in doctype parsing  
2056354 - CVE-2022-25314 expat: Integer overflow in copyString()  
2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames()  
2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution  
2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution

6. Package List:

Red Hat CodeReady Linux Builder (v. 8):

Source:  
mingw-expat-2.4.8-1.el8.src.rpm

noarch:  
mingw32-expat-2.4.8-1.el8.noarch.rpm  
mingw32-expat-debuginfo-2.4.8-1.el8.noarch.rpm  
mingw64-expat-2.4.8-1.el8.noarch.rpm  
mingw64-expat-debuginfo-2.4.8-1.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23990  
https://access.redhat.com/security/cve/CVE-2022-25235  
https://access.redhat.com/security/cve/CVE-2022-25236  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-25315  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSN9zjgjWX9erEAQiUug//S0FwujIXoFODWtJgEPijbfoA28JgVjcz  
lRdWl0wmXyMSlFkkBVIrOeGgxM4oLUpAwOdOPWIzb/M29xEfo4h3e8lHlwAwqklO  
lQcv663dY57lHRfbKgunlYWKTZ4+3kZbziZB/Zv58rw6bPDQ/wE96urY3/O0m1ct  
Dkk3j4zKiAnIFKWEvUHCwui7tOeUHXNAasCXifYoePimf9+lgta+pnYf86parIBg  
D3afd0S6meUnLqW6EtD0WTJPh6eztjDFEJ/9LKpXo2SL8FAYTrI9yfGQJNsHkGc4  
9NaAd3QeBKoGqcg/qBdb9FfwQqHZJGot4BtTui8/E5xnUg3F+/1PuMGxtQ4jI6X9  
ey6sWsUKCXMdlhv3TxAs/LFTR1cnkT7heEag/f58eo/W8VBow09k7cs3iktrNd+M  
4REv3cfyJ+kFAfA6N6plHb27lFP0aTMveH7FYiWpFGqPH15u3NFcPdsk8qijv4WZ  
sREJ6LgDknk80Rmla2td+l3Vo4iTCWEL7gvoY9uhzWCbuMvj1SSk5rOqVXtOEvuF  
8MpPM+xShIgGbYrFPxeMjYF16p+FxYVDcapSGrIORksAKOunAWDOHmZf+jR7iCMX  
ts3y9wxwNBObMK+Jr+ApYRohz9obamvxjlwBwXSWJ6xlsFyu5Y3e6IzSm/EJpK1i  
f25ydDFruA4=jL/2  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7811-01

Red Hat Security Advisory 2022-7822-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include an information leakage vulnerability.

Tag

#linux