Red Hat Security Advisory 2024-8886-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8886.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.12 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8886-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8886Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fix(es):* jenkins: Exposure of multi-line secrets through error messages (CVE-2024-47803)* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)* jenkins-2-plugins: jenkins-plugin/script-security: sandbox bypass via crafted constructor bodies (CVE-2024-34144)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8886-03

Red Hat Security Advisory 2024-8885-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8885.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.14 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8885-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8885Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fixes:* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Exposure of multi-line secrets through error messages(CVE-2024-47803)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8885-03

Red Hat Security Advisory 2024-8884-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8884.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Product OCP Tools 4.15 Openshift Jenkins security updateAdvisory ID:        RHSA-2024:8884-03Product:            OpenShift JenkinsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8884Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2021-44549====================================================================Summary: An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15.Red Hat Product Security has rated this update as having a security impact of important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,is available for each vulnerability from the CVE link(s) in the References section.Description:Jenkins is a continuous integration server that monitors executions of repeatedjobs, such as building a software project or jobs run by cron.Security Fixes:* jenkins: Item creation restriction bypass vulnerability (CVE-2024-47804)* jenkins: Exposure of multi-line secrets through error messages (CVE-2024-47803)* jenkins: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)* jenkins: Denial of service when processing a specially crafted Spring Expression Language expression (CVE-2024-38808)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,and other related information, refer to the CVE page listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-44549References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8884-03

Red Hat Security Advisory 2024-8876-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8876.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: go-toolset:rhel8 security updateAdvisory ID:        RHSA-2024:8876-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8876Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2024-24790====================================================================Summary: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es):* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24790References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292787

Red Hat Security Advisory 2024-8876-03

Red Hat Security Advisory 2024-8874-03 - An update for haproxy is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8874.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: haproxy security updateAdvisory ID:        RHSA-2024:8874-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8874Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2023-45539====================================================================Summary: An update for haproxy is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.Security Fix(es):* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45539References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253037

Red Hat Security Advisory 2024-8874-03

Red Hat Security Advisory 2024-8870-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, null pointer, and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8870.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security update  
Advisory ID:        RHSA-2024:8870-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8870  
Issue date:         2024-11-05  
Revision:           03  
CVE Names:          CVE-2022-48773  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: net/bluetooth: race condition in conn_info_{min,max}_age_set() (CVE-2024-24857)

* kernel: dmaengine: fix NULL pointer in channel unregistration function (CVE-2023-52492)

* kernel: netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851)

* kernel: netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924)

* kernel: netfilter: nft_set_pipapo: walk over current view on netlink dump (CVE-2024-27017)

* kernel: KVM: Always flush async #PF workqueue when vCPU is being destroyed (CVE-2024-26976)

* kernel: nouveau: lock the client object tree. (CVE-2024-27062)

* kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)

* kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)

* kernel: dma-direct: Leak pages on dma_set_decrypted() failure (CVE-2024-35939)

* kernel: net/mlx5e: Fix netif state handling (CVE-2024-38608)

* kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)

* kernel: of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)

* kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)

* kernel: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type (CVE-2024-39503)

* kernel: drm/i915/dpt: Make DPT object unshrinkable (CVE-2024-40924)

* kernel: ipv6: prevent possible NULL deref in fib6_nh_init() (CVE-2024-40961)

* kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)

* kernel: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." (CVE-2024-40984)

* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)

* kernel: bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009)

* kernel: netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)

* kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)

* kernel: drm/i915/gt: Fix potential UAF by revoke of fence registers (CVE-2024-41092)

* kernel: drm/amdgpu: avoid using null object of framebuffer (CVE-2024-41093)

* kernel: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070)

* kernel: gfs2: Fix NULL pointer dereference in gfs2_log_flush (CVE-2024-42079)

* kernel: USB: serial: mos7840: fix crash on resume (CVE-2024-42244)

* kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)

* kernel: kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)

* kernel: dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)

* kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)

* kernel: mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)

* kernel: gso: do not skip outer ip header in case of ipip and net_failover (CVE-2022-48936)

* kernel: padata: Fix possible divide-by-0 panic in padata_mt_helper() (CVE-2024-43889)

* kernel: memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)

* kernel: sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)

* kernel: bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)

* kernel: bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)

* kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)

* kernel: ELF: fix kernel.randomize_va_space double read (CVE-2024-46826)

* kernel: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (CVE-2024-47668)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-48773

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2266247  
https://bugzilla.redhat.com/show_bug.cgi?id=2269183  
https://bugzilla.redhat.com/show_bug.cgi?id=2275750  
https://bugzilla.redhat.com/show_bug.cgi?id=2277168  
https://bugzilla.redhat.com/show_bug.cgi?id=2278262  
https://bugzilla.redhat.com/show_bug.cgi?id=2278350  
https://bugzilla.redhat.com/show_bug.cgi?id=2278387  
https://bugzilla.redhat.com/show_bug.cgi?id=2281284  
https://bugzilla.redhat.com/show_bug.cgi?id=2281669  
https://bugzilla.redhat.com/show_bug.cgi?id=2281817  
https://bugzilla.redhat.com/show_bug.cgi?id=2293356  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293458  
https://bugzilla.redhat.com/show_bug.cgi?id=2293459  
https://bugzilla.redhat.com/show_bug.cgi?id=2297475  
https://bugzilla.redhat.com/show_bug.cgi?id=2297508  
https://bugzilla.redhat.com/show_bug.cgi?id=2297545  
https://bugzilla.redhat.com/show_bug.cgi?id=2297567  
https://bugzilla.redhat.com/show_bug.cgi?id=2297568  
https://bugzilla.redhat.com/show_bug.cgi?id=2298109  
https://bugzilla.redhat.com/show_bug.cgi?id=2298412  
https://bugzilla.redhat.com/show_bug.cgi?id=2300412  
https://bugzilla.redhat.com/show_bug.cgi?id=2300442  
https://bugzilla.redhat.com/show_bug.cgi?id=2300487  
https://bugzilla.redhat.com/show_bug.cgi?id=2300488  
https://bugzilla.redhat.com/show_bug.cgi?id=2300508  
https://bugzilla.redhat.com/show_bug.cgi?id=2300517  
https://bugzilla.redhat.com/show_bug.cgi?id=2307862  
https://bugzilla.redhat.com/show_bug.cgi?id=2307865  
https://bugzilla.redhat.com/show_bug.cgi?id=2307892  
https://bugzilla.redhat.com/show_bug.cgi?id=2309852  
https://bugzilla.redhat.com/show_bug.cgi?id=2309853  
https://bugzilla.redhat.com/show_bug.cgi?id=2311715  
https://bugzilla.redhat.com/show_bug.cgi?id=2315178  
https://bugzilla.redhat.com/show_bug.cgi?id=2317601

Red Hat Security Advisory 2024-8870-03

Red Hat Security Advisory 2024-8860-03 - An update for krb5 is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8860.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: krb5 security updateAdvisory ID:        RHSA-2024:8860-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8860Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2024-3596====================================================================Summary: An update for krb5 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).Security Fix(es):* freeradius: forgery attack (CVE-2024-3596)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3596References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263240https://issues.redhat.com/browse/RHEL-50253

Red Hat Security Advisory 2024-8860-03

Red Hat Security Advisory 2024-8859-03 - An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8859.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: xmlrpc-c security updateAdvisory ID:        RHSA-2024:8859-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8859Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2024-45491====================================================================Summary: An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML.Security Fix(es):* libexpat: Integer Overflow or Wraparound (CVE-2024-45491)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45491References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2308616

Red Hat Security Advisory 2024-8859-03

Red Hat Security Advisory 2024-8856-03 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer overflow, null pointer, and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8856.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:8856-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8856  
Issue date:         2024-11-05  
Revision:           03  
CVE Names:          CVE-2022-48773  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/bluetooth: race condition in conn_info_{min,max}_age_set() (CVE-2024-24857)

* kernel: dmaengine: fix NULL pointer in channel unregistration function (CVE-2023-52492)

* kernel: netfilter: nf_conntrack_h323: Add protection for bmp length out of range (CVE-2024-26851)

* kernel: netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924)

* kernel: netfilter: nft_set_pipapo: walk over current view on netlink dump (CVE-2024-27017)

* kernel: KVM: Always flush async #PF workqueue when vCPU is being destroyed (CVE-2024-26976)

* kernel: nouveau: lock the client object tree. (CVE-2024-27062)

* kernel: netfilter: bridge: replace physindev with physinif in nf_bridge_info (CVE-2024-35839)

* kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (CVE-2024-35898)

* kernel: dma-direct: Leak pages on dma_set_decrypted() failure (CVE-2024-35939)

* kernel: net/mlx5e: Fix netif state handling (CVE-2024-38608)

* kernel: r8169: Fix possible ring buffer corruption on fragmented Tx packets. (CVE-2024-38586)

* kernel: of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)

* kernel: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (CVE-2024-38540)

* kernel: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type (CVE-2024-39503)

* kernel: drm/i915/dpt: Make DPT object unshrinkable (CVE-2024-40924)

* kernel: ipv6: prevent possible NULL deref in fib6_nh_init() (CVE-2024-40961)

* kernel: tipc: force a dst refcount before doing decryption (CVE-2024-40983)

* kernel: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine." (CVE-2024-40984)

* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)

* kernel: bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009)

* kernel: netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)

* kernel: ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066)

* kernel: drm/i915/gt: Fix potential UAF by revoke of fence registers (CVE-2024-41092)

* kernel: drm/amdgpu: avoid using null object of framebuffer (CVE-2024-41093)

* kernel: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070)

* kernel: gfs2: Fix NULL pointer dereference in gfs2_log_flush (CVE-2024-42079)

* kernel: USB: serial: mos7840: fix crash on resume (CVE-2024-42244)

* kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284)

* kernel: kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)

* kernel: dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)

* kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)

* kernel: mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)

* kernel: gso: do not skip outer ip header in case of ipip and net_failover (CVE-2022-48936)

* kernel: padata: Fix possible divide-by-0 panic in padata_mt_helper() (CVE-2024-43889)

* kernel: memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)

* kernel: sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)

* kernel: bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)

* kernel: bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)

* kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)

* kernel: ELF: fix kernel.randomize_va_space double read (CVE-2024-46826)

* kernel: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (CVE-2024-47668)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-48773

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2266247  
https://bugzilla.redhat.com/show_bug.cgi?id=2269183  
https://bugzilla.redhat.com/show_bug.cgi?id=2275750  
https://bugzilla.redhat.com/show_bug.cgi?id=2277168  
https://bugzilla.redhat.com/show_bug.cgi?id=2278262  
https://bugzilla.redhat.com/show_bug.cgi?id=2278350  
https://bugzilla.redhat.com/show_bug.cgi?id=2278387  
https://bugzilla.redhat.com/show_bug.cgi?id=2281284  
https://bugzilla.redhat.com/show_bug.cgi?id=2281669  
https://bugzilla.redhat.com/show_bug.cgi?id=2281817  
https://bugzilla.redhat.com/show_bug.cgi?id=2293356  
https://bugzilla.redhat.com/show_bug.cgi?id=2293402  
https://bugzilla.redhat.com/show_bug.cgi?id=2293458  
https://bugzilla.redhat.com/show_bug.cgi?id=2293459  
https://bugzilla.redhat.com/show_bug.cgi?id=2297475  
https://bugzilla.redhat.com/show_bug.cgi?id=2297508  
https://bugzilla.redhat.com/show_bug.cgi?id=2297545  
https://bugzilla.redhat.com/show_bug.cgi?id=2297567  
https://bugzilla.redhat.com/show_bug.cgi?id=2297568  
https://bugzilla.redhat.com/show_bug.cgi?id=2298109  
https://bugzilla.redhat.com/show_bug.cgi?id=2298412  
https://bugzilla.redhat.com/show_bug.cgi?id=2300412  
https://bugzilla.redhat.com/show_bug.cgi?id=2300442  
https://bugzilla.redhat.com/show_bug.cgi?id=2300487  
https://bugzilla.redhat.com/show_bug.cgi?id=2300488  
https://bugzilla.redhat.com/show_bug.cgi?id=2300508  
https://bugzilla.redhat.com/show_bug.cgi?id=2300517  
https://bugzilla.redhat.com/show_bug.cgi?id=2307862  
https://bugzilla.redhat.com/show_bug.cgi?id=2307865  
https://bugzilla.redhat.com/show_bug.cgi?id=2307892  
https://bugzilla.redhat.com/show_bug.cgi?id=2309852  
https://bugzilla.redhat.com/show_bug.cgi?id=2309853  
https://bugzilla.redhat.com/show_bug.cgi?id=2311715  
https://bugzilla.redhat.com/show_bug.cgi?id=2315178  
https://bugzilla.redhat.com/show_bug.cgi?id=2317601

Red Hat Security Advisory 2024-8856-03

Red Hat Security Advisory 2024-8849-03 - An update for haproxy is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8849.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: haproxy security updateAdvisory ID:        RHSA-2024:8849-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8849Issue date:         2024-11-05Revision:           03CVE Names:          CVE-2023-45539====================================================================Summary: An update for haproxy is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.Security Fix(es):* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45539References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253037

Tag

#red_hat