Red Hat Security Advisory 2024-8928-03 - An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include denial of service and information leakage vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8928.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_jk security updateAdvisory ID:        RHSA-2024:8928-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8928Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-46544====================================================================Summary: An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.Security Fix(es):* mod_jk: information Disclosure / DoS (CVE-2024-46544)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-46544References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2314194https://issues.redhat.com/browse/RHEL-65726

Red Hat Security Advisory 2024-8928-03

Red Hat Security Advisory 2024-8922-03 - An update for bzip2 is now available for Red Hat Enterprise Linux 8. Issues addressed include an out of bounds write vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8922.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: bzip2 security updateAdvisory ID:        RHSA-2024:8922-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8922Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2019-12900====================================================================Summary: An update for bzip2 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The bzip2 packages contain a freely available, high-quality data compressor. It provides both standalone compression and decompression utilities, as well as a shared library for use with other programs. Security Fix(es):* bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-12900References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=1724459

Red Hat Security Advisory 2024-8922-03

Red Hat Security Advisory 2024-8914-03 - An update for libtiff is now available for Red Hat Enterprise Linux 9. Issues addressed include a null pointer vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8914.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libtiff security updateAdvisory ID:        RHSA-2024:8914-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8914Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-7006====================================================================Summary: An update for libtiff is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.Security Fix(es):* libtiff: NULL pointer dereference in tif_dirinfo.c (CVE-2024-7006)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7006References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2302996

Red Hat Security Advisory 2024-8914-03

Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8906.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Satellite 6.16.0 release  
Advisory ID:        RHSA-2024:8906-03  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8906  
Issue date:         2024-11-06  
Revision:           03  
CVE Names:          CVE-2024-4067  
====================================================================

Summary: 

A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9.

Red Hat Product Security has rated this update as having a security impact  
of  Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security Fix(es):

* mosquitto: sending specific sequences of packets may trigger memory leak  
(CVE-2024-8376)  
* micromatch: vulnerable to Regular Expression Denial of Service (CVE-2024-4067)  
urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)  
* node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)  
* python-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)   
* python-django: Username enumeration through timing difference for users with unusable passwords (CVE-2024-39329)  
* python-django: Potential directory-traversal in django.core.files.storage.Storage.save() (CVE-2024-39330)  
* python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)  
* github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp (CVE-2024-5569)  
* puppet-foreman: An authentication bypass vulnerability exists in Foreman (CVE-2024-7012)  
* python-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)  
* grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)  
* puppet-pulpcore: An authentication bypass vulnerability exists in pulpcore (CVE-2024-7923)  
* foreman: Read-only access to entire DB from templates (CVE-2024-8553)

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.16/html/updating_red_hat_satellite/index

CVEs:

CVE-2024-4067

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2280601  
https://bugzilla.redhat.com/show_bug.cgi?id=2292788  
https://bugzilla.redhat.com/show_bug.cgi?id=2293200  
https://bugzilla.redhat.com/show_bug.cgi?id=2295935  
https://bugzilla.redhat.com/show_bug.cgi?id=2295936  
https://bugzilla.redhat.com/show_bug.cgi?id=2295937  
https://bugzilla.redhat.com/show_bug.cgi?id=2295938  
https://bugzilla.redhat.com/show_bug.cgi?id=2296413  
https://bugzilla.redhat.com/show_bug.cgi?id=2299429  
https://bugzilla.redhat.com/show_bug.cgi?id=2302436  
https://bugzilla.redhat.com/show_bug.cgi?id=2305718  
https://bugzilla.redhat.com/show_bug.cgi?id=2312524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318080  
https://issues.redhat.com/browse/SAT-12847  
https://issues.redhat.com/browse/SAT-15089  
https://issues.redhat.com/browse/SAT-15466  
https://issues.redhat.com/browse/SAT-15467  
https://issues.redhat.com/browse/SAT-15549  
https://issues.redhat.com/browse/SAT-16224  
https://issues.redhat.com/browse/SAT-16247  
https://issues.redhat.com/browse/SAT-16381  
https://issues.redhat.com/browse/SAT-16537  
https://issues.redhat.com/browse/SAT-16593  
https://issues.redhat.com/browse/SAT-17442  
https://issues.redhat.com/browse/SAT-17443  
https://issues.redhat.com/browse/SAT-17785  
https://issues.redhat.com/browse/SAT-18093  
https://issues.redhat.com/browse/SAT-18270  
https://issues.redhat.com/browse/SAT-18327  
https://issues.redhat.com/browse/SAT-18410  
https://issues.redhat.com/browse/SAT-18461  
https://issues.redhat.com/browse/SAT-18568  
https://issues.redhat.com/browse/SAT-18610  
https://issues.redhat.com/browse/SAT-18705  
https://issues.redhat.com/browse/SAT-18721  
https://issues.redhat.com/browse/SAT-18859  
https://issues.redhat.com/browse/SAT-18993  
https://issues.redhat.com/browse/SAT-19018  
https://issues.redhat.com/browse/SAT-19269  
https://issues.redhat.com/browse/SAT-19342  
https://issues.redhat.com/browse/SAT-19389  
https://issues.redhat.com/browse/SAT-19394  
https://issues.redhat.com/browse/SAT-19501  
https://issues.redhat.com/browse/SAT-19502  
https://issues.redhat.com/browse/SAT-19504  
https://issues.redhat.com/browse/SAT-19511  
https://issues.redhat.com/browse/SAT-19592  
https://issues.redhat.com/browse/SAT-19614  
https://issues.redhat.com/browse/SAT-19621  
https://issues.redhat.com/browse/SAT-19748  
https://issues.redhat.com/browse/SAT-19789  
https://issues.redhat.com/browse/SAT-19922  
https://issues.redhat.com/browse/SAT-19993  
https://issues.redhat.com/browse/SAT-19999  
https://issues.redhat.com/browse/SAT-20099  
https://issues.redhat.com/browse/SAT-20361  
https://issues.redhat.com/browse/SAT-20445  
https://issues.redhat.com/browse/SAT-20553  
https://issues.redhat.com/browse/SAT-21261  
https://issues.redhat.com/browse/SAT-21266  
https://issues.redhat.com/browse/SAT-21268  
https://issues.redhat.com/browse/SAT-21273  
https://issues.redhat.com/browse/SAT-21353  
https://issues.redhat.com/browse/SAT-21374  
https://issues.redhat.com/browse/SAT-21375  
https://issues.redhat.com/browse/SAT-21395  
https://issues.redhat.com/browse/SAT-21396  
https://issues.redhat.com/browse/SAT-21421  
https://issues.redhat.com/browse/SAT-21463  
https://issues.redhat.com/browse/SAT-21682  
https://issues.redhat.com/browse/SAT-21757  
https://issues.redhat.com/browse/SAT-21920  
https://issues.redhat.com/browse/SAT-21994  
https://issues.redhat.com/browse/SAT-22047  
https://issues.redhat.com/browse/SAT-22048  
https://issues.redhat.com/browse/SAT-22156  
https://issues.redhat.com/browse/SAT-22172  
https://issues.redhat.com/browse/SAT-22358  
https://issues.redhat.com/browse/SAT-22442  
https://issues.redhat.com/browse/SAT-22491  
https://issues.redhat.com/browse/SAT-22554  
https://issues.redhat.com/browse/SAT-22579  
https://issues.redhat.com/browse/SAT-22626  
https://issues.redhat.com/browse/SAT-22849  
https://issues.redhat.com/browse/SAT-22872  
https://issues.redhat.com/browse/SAT-22889  
https://issues.redhat.com/browse/SAT-22900  
https://issues.redhat.com/browse/SAT-23047  
https://issues.redhat.com/browse/SAT-23077  
https://issues.redhat.com/browse/SAT-23093  
https://issues.redhat.com/browse/SAT-23096  
https://issues.redhat.com/browse/SAT-23109  
https://issues.redhat.com/browse/SAT-23124  
https://issues.redhat.com/browse/SAT-23167  
https://issues.redhat.com/browse/SAT-23211  
https://issues.redhat.com/browse/SAT-23228  
https://issues.redhat.com/browse/SAT-23279  
https://issues.redhat.com/browse/SAT-23288  
https://issues.redhat.com/browse/SAT-23302  
https://issues.redhat.com/browse/SAT-23335  
https://issues.redhat.com/browse/SAT-23405  
https://issues.redhat.com/browse/SAT-23407  
https://issues.redhat.com/browse/SAT-23424  
https://issues.redhat.com/browse/SAT-23426  
https://issues.redhat.com/browse/SAT-23487  
https://issues.redhat.com/browse/SAT-23505  
https://issues.redhat.com/browse/SAT-23544  
https://issues.redhat.com/browse/SAT-23573  
https://issues.redhat.com/browse/SAT-23592  
https://issues.redhat.com/browse/SAT-23610  
https://issues.redhat.com/browse/SAT-23752  
https://issues.redhat.com/browse/SAT-23841  
https://issues.redhat.com/browse/SAT-23894  
https://issues.redhat.com/browse/SAT-23943  
https://issues.redhat.com/browse/SAT-23947  
https://issues.redhat.com/browse/SAT-23951  
https://issues.redhat.com/browse/SAT-23954  
https://issues.redhat.com/browse/SAT-23957  
https://issues.redhat.com/browse/SAT-23990  
https://issues.redhat.com/browse/SAT-23992  
https://issues.redhat.com/browse/SAT-24050  
https://issues.redhat.com/browse/SAT-24064  
https://issues.redhat.com/browse/SAT-24073  
https://issues.redhat.com/browse/SAT-24111  
https://issues.redhat.com/browse/SAT-24132  
https://issues.redhat.com/browse/SAT-24197  
https://issues.redhat.com/browse/SAT-24470  
https://issues.redhat.com/browse/SAT-24478  
https://issues.redhat.com/browse/SAT-24479  
https://issues.redhat.com/browse/SAT-24489  
https://issues.redhat.com/browse/SAT-24521  
https://issues.redhat.com/browse/SAT-24526  
https://issues.redhat.com/browse/SAT-24531  
https://issues.redhat.com/browse/SAT-24545  
https://issues.redhat.com/browse/SAT-24548  
https://issues.redhat.com/browse/SAT-24577  
https://issues.redhat.com/browse/SAT-24600  
https://issues.redhat.com/browse/SAT-24769  
https://issues.redhat.com/browse/SAT-24771  
https://issues.redhat.com/browse/SAT-24774  
https://issues.redhat.com/browse/SAT-24779  
https://issues.redhat.com/browse/SAT-24781  
https://issues.redhat.com/browse/SAT-24786  
https://issues.redhat.com/browse/SAT-24787  
https://issues.redhat.com/browse/SAT-24801  
https://issues.redhat.com/browse/SAT-24805  
https://issues.redhat.com/browse/SAT-24837  
https://issues.redhat.com/browse/SAT-24854  
https://issues.redhat.com/browse/SAT-24878  
https://issues.redhat.com/browse/SAT-24884  
https://issues.redhat.com/browse/SAT-24893  
https://issues.redhat.com/browse/SAT-24917  
https://issues.redhat.com/browse/SAT-24918  
https://issues.redhat.com/browse/SAT-24919  
https://issues.redhat.com/browse/SAT-24920  
https://issues.redhat.com/browse/SAT-24932  
https://issues.redhat.com/browse/SAT-24936  
https://issues.redhat.com/browse/SAT-24943  
https://issues.redhat.com/browse/SAT-24988  
https://issues.redhat.com/browse/SAT-25032  
https://issues.redhat.com/browse/SAT-25129  
https://issues.redhat.com/browse/SAT-25152  
https://issues.redhat.com/browse/SAT-25155  
https://issues.redhat.com/browse/SAT-25159  
https://issues.redhat.com/browse/SAT-25160  
https://issues.redhat.com/browse/SAT-25194  
https://issues.redhat.com/browse/SAT-25213  
https://issues.redhat.com/browse/SAT-25217  
https://issues.redhat.com/browse/SAT-25243  
https://issues.redhat.com/browse/SAT-25250  
https://issues.redhat.com/browse/SAT-25328  
https://issues.redhat.com/browse/SAT-25368  
https://issues.redhat.com/browse/SAT-25429  
https://issues.redhat.com/browse/SAT-25437  
https://issues.redhat.com/browse/SAT-25455  
https://issues.redhat.com/browse/SAT-25467  
https://issues.redhat.com/browse/SAT-25503  
https://issues.redhat.com/browse/SAT-25569  
https://issues.redhat.com/browse/SAT-25583  
https://issues.redhat.com/browse/SAT-25655  
https://issues.redhat.com/browse/SAT-25658  
https://issues.redhat.com/browse/SAT-25678  
https://issues.redhat.com/browse/SAT-25713  
https://issues.redhat.com/browse/SAT-25774  
https://issues.redhat.com/browse/SAT-25789  
https://issues.redhat.com/browse/SAT-25795  
https://issues.redhat.com/browse/SAT-25813  
https://issues.redhat.com/browse/SAT-25869  
https://issues.redhat.com/browse/SAT-25936  
https://issues.redhat.com/browse/SAT-25946  
https://issues.redhat.com/browse/SAT-26012  
https://issues.redhat.com/browse/SAT-26031  
https://issues.redhat.com/browse/SAT-26040  
https://issues.redhat.com/browse/SAT-26064  
https://issues.redhat.com/browse/SAT-26078  
https://issues.redhat.com/browse/SAT-26084  
https://issues.redhat.com/browse/SAT-26105  
https://issues.redhat.com/browse/SAT-26202  
https://issues.redhat.com/browse/SAT-26242  
https://issues.redhat.com/browse/SAT-26269  
https://issues.redhat.com/browse/SAT-26397  
https://issues.redhat.com/browse/SAT-26417  
https://issues.redhat.com/browse/SAT-26493  
https://issues.redhat.com/browse/SAT-26563  
https://issues.redhat.com/browse/SAT-26588  
https://issues.redhat.com/browse/SAT-26758  
https://issues.redhat.com/browse/SAT-26762  
https://issues.redhat.com/browse/SAT-26767  
https://issues.redhat.com/browse/SAT-26834  
https://issues.redhat.com/browse/SAT-26835  
https://issues.redhat.com/browse/SAT-26837  
https://issues.redhat.com/browse/SAT-26901  
https://issues.redhat.com/browse/SAT-26967  
https://issues.redhat.com/browse/SAT-27144  
https://issues.redhat.com/browse/SAT-27182  
https://issues.redhat.com/browse/SAT-27211  
https://issues.redhat.com/browse/SAT-27276  
https://issues.redhat.com/browse/SAT-27384  
https://issues.redhat.com/browse/SAT-27401  
https://issues.redhat.com/browse/SAT-27411  
https://issues.redhat.com/browse/SAT-27485  
https://issues.redhat.com/browse/SAT-27506  
https://issues.redhat.com/browse/SAT-27512  
https://issues.redhat.com/browse/SAT-27569  
https://issues.redhat.com/browse/SAT-27593  
https://issues.redhat.com/browse/SAT-27595  
https://issues.redhat.com/browse/SAT-27604  
https://issues.redhat.com/browse/SAT-27622  
https://issues.redhat.com/browse/SAT-27676  
https://issues.redhat.com/browse/SAT-27677  
https://issues.redhat.com/browse/SAT-27702  
https://issues.redhat.com/browse/SAT-27752  
https://issues.redhat.com/browse/SAT-27778  
https://issues.redhat.com/browse/SAT-27779  
https://issues.redhat.com/browse/SAT-27814  
https://issues.redhat.com/browse/SAT-27830  
https://issues.redhat.com/browse/SAT-27834  
https://issues.redhat.com/browse/SAT-27836  
https://issues.redhat.com/browse/SAT-27891  
https://issues.redhat.com/browse/SAT-27900  
https://issues.redhat.com/browse/SAT-27901  
https://issues.redhat.com/browse/SAT-27940  
https://issues.redhat.com/browse/SAT-27943  
https://issues.redhat.com/browse/SAT-27981  
https://issues.redhat.com/browse/SAT-28012  
https://issues.redhat.com/browse/SAT-28046  
https://issues.redhat.com/browse/SAT-28048  
https://issues.redhat.com/browse/SAT-28162  
https://issues.redhat.com/browse/SAT-28269  
https://issues.redhat.com/browse/SAT-28275  
https://issues.redhat.com/browse/SAT-28336  
https://issues.redhat.com/browse/SAT-28361  
https://issues.redhat.com/browse/SAT-28362  
https://issues.redhat.com/browse/SAT-28367  
https://issues.redhat.com/browse/SAT-28394  
https://issues.redhat.com/browse/SAT-28435  
https://issues.redhat.com/browse/SAT-28467  
https://issues.redhat.com/browse/SAT-28667  
https://issues.redhat.com/browse/SAT-7770  
https://issues.redhat.com/browse/SAT-8076

Red Hat Security Advisory 2024-8906-03

Red Hat Security Advisory 2024-8686-03 - Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8686.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.20 packages and security update  
Advisory ID:        RHSA-2024:8686-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8686  
Issue date:         2024-11-06  
Revision:           03  
CVE Names:          CVE-2024-9675  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.20. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8683

Security Fix(es):

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

CVEs:

CVE-2024-9675

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Red Hat Security Advisory 2024-8686-03

Red Hat Security Advisory 2024-8683-03 - Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a cross site scripting vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8683.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.20 bug fix and security update  
Advisory ID:        RHSA-2024:8683-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8683  
Issue date:         2024-11-06  
Revision:           03  
CVE Names:          CVE-2024-47875  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.20. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8686

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

Security Fix(es):

* dompurify: nesting-based mutation XSS vulnerability (CVE-2024-47875)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-47875

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2318052  
https://issues.redhat.com/browse/OCPBUGS-31546  
https://issues.redhat.com/browse/OCPBUGS-35204  
https://issues.redhat.com/browse/OCPBUGS-42109  
https://issues.redhat.com/browse/OCPBUGS-42744  
https://issues.redhat.com/browse/OCPBUGS-43315  
https://issues.redhat.com/browse/OCPBUGS-43367  
https://issues.redhat.com/browse/OCPBUGS-43645  
https://issues.redhat.com/browse/OCPBUGS-43727  
https://issues.redhat.com/browse/OCPBUGS-43797  
https://issues.redhat.com/browse/OCPBUGS-43826  
https://issues.redhat.com/browse/OCPBUGS-43840

Red Hat Security Advisory 2024-8683-03

Red Hat Security Advisory 2024-5013-03 - Red Hat OpenShift Builds 1.1.0.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5013.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Critical: The Red Hat OpenShift Builds Client 1.1.0 General AvailabilityAdvisory ID:        RHSA-2024:5013-03Product:            Builds for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5013Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat OpenShift Builds 1.1.0Description:Releases of Red Hat OpenShift Builds 1.1.0 General * https://access.redhat.com/security/updates/classification/#importantSolution:CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/https://access.redhat.com/security/cve/CVE-2023-49569https://access.redhat.com/security/cve/CVE-2024-24786https://access.redhat.com/security/cve/CVE-2023-45288https://access.redhat.com/security/cve/CVE-2023-45290https://access.redhat.com/security/cve/CVE-2024-24783https://access.redhat.com/security/cve/CVE-2024-24785https://access.redhat.com/security/cve/CVE-2024-24788

Red Hat Security Advisory 2024-5013-03

Red Hat Security Advisory 2024-8887-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8887.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.13 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8887-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8887Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fix(es):* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Exposure of multi-line secrets through error messages(CVE-2024-47803)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication(CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8887-03

Red Hat Security Advisory 2024-8886-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8886.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.12 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8886-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8886Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fix(es):* jenkins: Exposure of multi-line secrets through error messages (CVE-2024-47803)* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)* jenkins-2-plugins: jenkins-plugin/script-security: sandbox bypass via crafted constructor bodies (CVE-2024-34144)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8886-03

Red Hat Security Advisory 2024-8885-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8885.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.14 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8885-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8885Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fixes:* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Exposure of multi-line secrets through error messages(CVE-2024-47803)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Tag

#red_hat