Red Hat Security Advisory 2024-1803-03 - Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1803.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security updates  
Advisory ID:        RHSA-2024:1803-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1803  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Bind-dyndb-ldap provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when \"nxdomain-redirect\" is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1803-03

Red Hat Security Advisory 2024-1802-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1802.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1802-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1802Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1802-03

Red Hat Security Advisory 2024-1801-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1801.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1801-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1801Issue date:         2024-04-15Revision:           03CVE Names:          CVE-2023-50387====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es):* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-50387References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263914https://bugzilla.redhat.com/show_bug.cgi?id=2263917https://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1801-03

Red Hat Security Advisory 2024-1800-03 - Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1800.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security updates  
Advisory ID:        RHSA-2024:1800-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1800  
Issue date:         2024-04-15  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

Updates for bind and bind-dyndb-ldap are now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Bind-dyndb-ldap provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when \"nxdomain-redirect\" is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1800-03

Red Hat Security Advisory 2024-1795-03 - VolSync v0.9.1 general availability release images, which provide enhancements, security fixes, and updated container images.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1795.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: VolSync 0.9.1 security fixes and enhancements  
Advisory ID:        RHSA-2024:1795-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1795  
Issue date:         2024-04-12  
Revision:           03  
CVE Names:          CVE-2024-24786  
====================================================================

Summary: 

VolSync v0.9.1 general availability release images, which provide  
enhancements, security fixes, and updated container images.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync  
container images.

Security fix(es):  
* CVE-2024-24786 - golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

CVEs:

CVE-2024-24786

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://issues.redhat.com/browse/ACM-10615

Red Hat Security Advisory 2024-1795-03

Red Hat Security Advisory 2024-1789-03 - An update for bind is now available for Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1789.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind security update  
Advisory ID:        RHSA-2024:1789-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1789  
Issue date:         2024-04-11  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

An update for bind is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

* bind: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)

* bind: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1789-03

Red Hat Security Advisory 2024-1787-03 - An update for squid is now available for Red Hat Enterprise Linux 7. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1787.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:1787-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1787Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2023-46724====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: denial of service in HTTP header parser (CVE-2024-25617)* squid: denial of service in HTTP request parsing (CVE-2023-50269)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46724References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926https://bugzilla.redhat.com/show_bug.cgi?id=2254663https://bugzilla.redhat.com/show_bug.cgi?id=2264309

Red Hat Security Advisory 2024-1787-03

Red Hat Security Advisory 2024-1786-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1786.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd:2.4/mod_http2 security updateAdvisory ID:        RHSA-2024:1786-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1786Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-27316====================================================================Summary: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: mod_http2: CONTINUATION frames DoS (CVE-2024-27316)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27316References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268277

Red Hat Security Advisory 2024-1786-03

Red Hat Security Advisory 2024-1785-03 - An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1785.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: X.Org server security updateAdvisory ID:        RHSA-2024:1785-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1785Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-31080====================================================================Summary: An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:X.Org is an open-source implementation of the X Window System. It provides thebasic low-level functionality that full-fledged graphical user interfaces aredesigned upon.Security Fix(es):* xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents (CVE-2024-31080)* xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice (CVE-2024-31081)* xorg-x11-server: User-after-free in ProcRenderAddGlyphs (CVE-2024-31083)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-31080References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271997https://bugzilla.redhat.com/show_bug.cgi?id=2271998https://bugzilla.redhat.com/show_bug.cgi?id=2272000

Red Hat Security Advisory 2024-1785-03

Red Hat Security Advisory 2024-1784-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1784.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:1784-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1784Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-28834====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The gnutls package provide the GNU Transport Layer Security (GnuTLS) library,which implements cryptographic algorithms and protocols such as SSL, TLS, andDTLS.This package update fixes a timing side-channel in deterministic ECDSA.Security Fix(es):* gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28834References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#red_hat