Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 15 Nov 2022 18:40:52 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1
\* JUnit Plugin 1160.vf1f01a\_a\_ea\_b\_7f
\* Naginator Plugin 1.18.2
\* NS-ND Integration Performance Publisher Plugin 4.8.0.146
\* Pipeline Utility Steps Plugin 2.13.1 and 2.13.2
\* Reverse Proxy Auth Plugin 1.7.4
\* Script Security Plugin 1190.v65867a\_a\_47126
\* Support Core Plugin 1206.1208.v9b\_7a\_1d48db\_0f

Additionally, we announce unresolved security issues in the following
plugins:

\* Associated Files Plugin
\* BART Plugin
\* CCCC Plugin
\* Cluster Statistics Plugin
\* Config Rotator Plugin
\* Delete log Plugin
\* JAPEX Plugin
\* loader.io Plugin
\* NS-ND Integration Performance Publisher Plugin
\* OSF Builder Suite :: XML Linter Plugin
\* SourceMonitor Plugin
\* Violations Plugin
\* XP-Dev Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-11-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2564 / CVE-2022-45379
Script Security Plugin 1189.vb\_a\_b\_7c8fd5fde and earlier stores
whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no
longer meets the security standards for producing a cryptographically
secure message digest.


SECURITY-2888 / CVE-2022-45380
JUnit Plugin 1159.v0b\_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site
scripting (XSS) vulnerability exploitable by attackers with Item/Configure
permission.


SECURITY-2948 / CVE-2022-33980
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library with
the vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2949 / CVE-2022-45381
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library that
enable the \`file:\` prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files
from the Jenkins controller file system.


SECURITY-2946 / CVE-2022-45382
Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to edit build display names.


SECURITY-2804 / CVE-2022-45383
Support Core Plugin defines the permission Support/DownloadBundle that
allows users without Overall/Administer permission to create and download
support bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa\_b\_d860 and earlier does not correctly
perform permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users
with Overall/Administer permission.


SECURITY-2094 / CVE-2022-45384
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager
password unencrypted in the global \`config.xml\` file on the Jenkins
controller as part of its configuration.

This password can be viewed by attackers with access to the Jenkins
controller file system.


SECURITY-2843 / CVE-2022-45385
CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a
job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier,
these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository.


SECURITY-766 / CVE-2022-45386
Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report
Violations' post-build step to have agent processes parse a crafted file
that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2802 / CVE-2022-45387
BART Plugin 1.0.3 and earlier does not escape the parsed content of build
logs before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2842 / CVE-2022-45388
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with \`.xml\`
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2853 / CVE-2022-45389
XP-Dev Plugin provides a webhook endpoint at \`/xpdev-webhook\` that can be
used to trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to an attacker-specified repository.

As of publication of this advisory, there is no fix.


SECURITY-2857 / CVE-2022-45390
loader.io Plugin 1.0.1 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2910 (1) / CVE-2022-45391
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier
globally and unconditionally disables SSL/TLS certificate and hostname
validation for the entire Jenkins controller JVM.


SECURITY-2910 (2) / CVE-2022-38666
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix.


SECURITY-2912 / CVE-2022-45392
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job \`config.xml\` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read
permission or access to the Jenkins controller file system.


SECURITY-2920 / CVE-2022-45393 (CSRF) & CVE-2022-45394 (missing permission check)
Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2921 / CVE-2022-45395
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for
the 'Publish CCCC Report' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2927 / CVE-2022-45396
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2937 / CVE-2022-45397
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the
'OSF Builder Suite :: XML Linter' build step to have agent processes parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2938 / CVE-2022-45398 (CSRF) & CVE-2022-45399 (missing permission check)
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded
Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2941 / CVE-2022-45400
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2947 / CVE-2022-45401
Associated Files Plugin 0.2.1 and earlier does not escape names of
associated files.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45391: security - Multiple vulnerabilities in Jenkins plugins

Apple Security Advisory 2022-11-09-2 - macOS Ventura 13.0.1 addresses code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-11-09-2 macOS Ventura 13.0.1

macOS Ventura 13.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213504.

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNQACgkQ4RjMIDke  
NxkkbBAAsAYMux+v/27NK6+FvyxrTRLkR0yyzp8SorMSfPwZInNGkkEmQxjSzI0+  
D3rK9usf/pouEV9LMnR+Uf37pEdlpSDD7uXZ81m1vhN6RPkz2qD5WdM46RaWTbAS  
/xe3ZEu8+Jpr5SQSWuI+QIBr/vn9Txu/N6l/WQVxnWS+RSWO6tZLLOXMEyVk9vPx  
XJGyQywt3XYoVksvzwAgm/2yslQ+0OWphWjLp73bjQGrrIiClphxmtyvA0SN8Nds  
Ah0+X8SRjCErSN4736U1htKtClSHDowdaD2wevGGUrdRSLJQLTPPkqUPF3P/4/8i  
xW42Zgf9qucN9O89P7ONvHOIe8swtD9vf1AjFXvsDqQvMZQVFDBNXbG138V4LLws  
f5UdpUmY/0lSnVpAZQlo+xuMJSb3SMWYIB2ozhzDLHgBKTxERFB7uyrEYQgXs9XB  
1qg+BbW5uooEoMKbutw36/II/JTFRM34QxWiOJHw4cCypmuaGkSJ/8jsTJDlRvG/  
T9BchgHjBvqHFtCVNLGikkVYzEVQnQLXQAZoZMCYV0benebEIFLIaObaciQqA3F2  
N7/rvpXd5l6G3sEGwqMPT5aYj6Vm/0LBnxuTlN1xN1wgOQoS+LWL8bW+8/HjtJLa  
eyWMh8yD0o02Hf6dNIl9RTuoAKwZvmJbeqi/1uEaoL8sAP9gK1s=CjcG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-2

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213505.libxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeroAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNIACgkQ4RjMIDkeNxl2og/7Bwq+DwNmc4conLeNZ/4RVZ8Abf2kKMj71ZJrSov1lvW6W9l3NswznKc9pV0Cack8zm1she6dr+HNMYFcsSbFF/OTPKsf2jlZ3aZY5on7FpDdzB8bLDbw0dvSnO2Oc1mgcsBMIuSJBliUfgF0d6L6Hrj7L8Ja0pQP0W5BhcbWbd91wgj2KAQpaX6rgh7oEy7W5GRPJwLAdOfHmpzWws+PjZ3DMlLuGvGRLwEyizsLbq6rX166KG+asXZzCeWygTuKKcpZHG6FwahogBFnfl1ccTGJv4UV/9Ks3WEaZCGx5lpkgw+5H9Wx2HgXTr9Sh01CQVADadfeGp/Iat0TE2hscMZaTm2A1ZdmOeyK70r0jXvCCHtna9spbPO7N0OBERsqS9fC+X/XVHuehIzoUXxFUJAuaXD2weBZHJZBZ7MoUqNm50taDqoYUX0yB2BU0uWOitKfghLRBuFhpuUZtRaZdRfDLSEjSxCTCtGwWnIj4lLlZbE9RAwNNCU12+z6pHHlTxZ9c6IiQF8mrIx4IJ0OMIk6oH3gm71l8T5FSMiLCcuInL0XwC5ragJ/irrxq3GuXL8x+3BjgxnRy4kKy6KUwZsLFp7OI71X/hyjEIyhcXopiRz0PXrooluRUtooyxSCV8M9u3658pFT2+X4WvQASmk3z+ZUnTBQXrfNgWkxyUs=JERa-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-1

Red Hat Security Advisory 2022-7970-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: protobuf security update  
Advisory ID:       RHSA-2022:7970-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7970  
Issue date:        2022-11-15  
CVE Names:         CVE-2021-22570  
====================================================================  
1. Summary:

An update for protobuf is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The protobuf packages provide Protocol Buffers, Google's data interchange  
format. Protocol Buffers can encode structured data in an efficient yet  
extensible format, and provide a flexible, efficient, and automated  
mechanism for serializing structured data.

Security Fix(es):

* protobuf: Incorrect parsing of nullchar in the proto symbol leads to  
Nullptr dereference (CVE-2021-22570)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
protobuf-3.14.0-13.el9.src.rpm

aarch64:  
protobuf-3.14.0-13.el9.aarch64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm

noarch:  
python3-protobuf-3.14.0-13.el9.noarch.rpm

ppc64le:  
protobuf-3.14.0-13.el9.ppc64le.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm

s390x:  
protobuf-3.14.0-13.el9.s390x.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debugsource-3.14.0-13.el9.s390x.rpm  
protobuf-lite-3.14.0-13.el9.s390x.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm

x86_64:  
protobuf-3.14.0-13.el9.i686.rpm  
protobuf-3.14.0-13.el9.x86_64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debugsource-3.14.0-13.el9.i686.rpm  
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-3.14.0-13.el9.i686.rpm  
protobuf-lite-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
protobuf-compiler-3.14.0-13.el9.aarch64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm  
protobuf-devel-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm

ppc64le:  
protobuf-compiler-3.14.0-13.el9.ppc64le.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm  
protobuf-devel-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm

s390x:  
protobuf-compiler-3.14.0-13.el9.s390x.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debugsource-3.14.0-13.el9.s390x.rpm  
protobuf-devel-3.14.0-13.el9.s390x.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-lite-devel-3.14.0-13.el9.s390x.rpm

x86_64:  
protobuf-compiler-3.14.0-13.el9.i686.rpm  
protobuf-compiler-3.14.0-13.el9.x86_64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debugsource-3.14.0-13.el9.i686.rpm  
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm  
protobuf-devel-3.14.0-13.el9.i686.rpm  
protobuf-devel-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-devel-3.14.0-13.el9.i686.rpm  
protobuf-lite-devel-3.14.0-13.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMf9zjgjWX9erEAQjPrxAAn/Wr7VqkJ14hap/PSkN2C1Ltwp5Jpwms  
RUgoqJhr0JI19nD6WME9H0sSJNLMAaS/jaMY5iaBEUURv0KTHX+UHdsJDSAMjKtK  
iqIwky9Db1EJSTAY+oR9DbUkK5A491GsmXL32Su/Bktf+7LCEu7pFoCo1aPIrIGT  
PUJmj/oxy4OwHN6qATEEHvGV8U2eoACZHjeuHDwF3y+rwzsg7Yk/xci01xq9PVhf  
vRtMYtJO5J1MFtLLS9Tgq9XqqhZkrJ2Yfbo6QXawZdWLgrB+flbrImZJPfkILe8X  
FKao9rbZEfJ7EUvIgFevtNsUMBhpb1ZzwmcpjigjqgHWW4HWWFOqgZ4Y7p26TejV  
7T42NbJccqFJ0UUQvPAAOeg331CgQfeps/ZUbakXkUzTB3xhfMwFbXmjEkycwCN+  
a5y6aQDWabrjANNjP2x78iESf6Ra2/WNWyTETat/KjONKWTmpkBrnJsHSscYnIC+  
g3Br7EYXKcRC6Gqrcripv2l2HY9FR/G31uQzG40NipnduzbKzhEeFv3FaVJR6P7c  
5T6BcLQLC7gu1LPL/ztgB42KpdtVycCfwQoGcvz2tlih9jlDqH1/RbhayPXrvvR5  
KwDlz6Xyov7I1VRWn33oKlSyFsh5WyiLVE1NxcgHA/sV3zQbC+4T+MqUKTYGcG/D  
iXcioojD/tg"7y  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7970-01

A misleading location-tracking practice ensnared the search-engine giant in massive privacy case spanning 40 states.

Google has agreed to pay $391.5 million in a settlement with 40 US state attorneys general, over its eyebrow-raising location-tracking practices. State officials are calling it a "historic" consumer privacy case.

The search-engine giant was penalized for misleading users that they were no longer being geo-tracked when they disabled location tracking in their Google account settings. In reality, Google was still collecting their location data. As part of the settlement, Google also must clarify and revamp the way it discloses tracking policy and user controls, beginning in 2023.

"For years Google has prioritized profit over their users' privacy," said Oregon Attorney General Ellen Rosenblum, who led the case along with Nebraska Attorney General Doug Peterson, in a statement. "They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers."

As part of the settlement, Google is required to:  

1.  Show additional information to users whenever they turn a location-related account setting on or off;
2.  Make key information about location tracking unavoidable for users (i.e., not hidden); and
3.  Give users detailed information about the types of location data Google collects and how it’s used at an enhanced “Location Technologies” webpage.

Besides Oregon and Nebraska, the states working on the case were: Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee. The settlement is also joined by Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin.

Google Forks Over $391.5M in Record-Setting US Consumer Privacy Settlement

Patched bug could have leaked credentials

Jessica Haworth 15 November 2022 at 15:39 UTC  
Updated: 15 November 2022 at 15:47 UTC

Patched bug could have leaked credentials

  

Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research\*, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

Read more of the latest news about web security vulnerabilities

  
After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting .

He placed the string inside an anchor text node that was inside the title attribute by doing the following:

Input:

Output:

This allowed Heyes to successfully bypass the HTML filter due to the replacement of the verified placeholder with an image that contained double quotes.

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to infosec.exchange, with the exception of iframes which allowed any HTTPS URL.”

**Spoofed**

Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials.

Worse still, the researcher was able to spoof the toolbar below. Where a user clicked on any elements of the spoofed toolbar, it would send their credentials to an attacker's server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had “in a couple of seconds”, which “worked perfectly”.

He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – \[the\] user sees \[the\] post and clicks on what they think is a Mastodon toolbar. Credentials are \[then\] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”

**Mitigations**

Any Mastodon instance using the Gitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.

\* PortSwigger Research is the research arm of PortSwigger Ltd, the parent company of The Daily Swig.

YOU MAY ALSO LIKE Google Pixel screen-lock hack earns researcher $70k

Mastodon users vulnerable to password-stealing attacks

Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.

**Vyacheslav “Tank” Penchukov**, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.

Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.

Penchukov was named in a 2014 indictment by the **U.S. Department of Justice** as a top figure in the **JabberZeus Crew**, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the **Zeus** banking trojan.

The **U.S. Federal Bureau of Investigation** (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.

Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich“) who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.

The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.

Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “**money mules**,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.

Tank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.

The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — **Evgeniy Mikhailovich Bogachev**, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.

Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.

**Gary Warner**, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, **Miloslava**, had been born and gave her birth weight.

“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.

Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President **Victor Yanukovych** (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.

Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.

Writing for _Technology Review_, **Patrick Howell O’Neil** recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.

“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”

**AUTHOR’S NOTE/BACKGROUND**

I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for _The Washington Post_, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.

From reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.

It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up at the portal to view messages for every other user. A scraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”

Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning \[mule name here\]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.

Collectively, these notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.

This incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:

> tank: Are you there?  
> tank: This is what they damn wrote about me.  
> tank: http://voices.washingtonpost.com/securityfix/2009/07/an\_odyssey\_of\_fraud\_part\_ii.html#more  
> tank: I’ll take a quick look at history  
> tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court  
> tank: Well, you got \[it\] from that cash-in.  
> lucky12345: From 200K?  
> tank: Well, they are not the right amounts and the cash out from that account was shitty.  
> tank: Levak was written there.  
> tank: Because now the entire USA knows about Zeus.  
> tank: 😀  
> lucky12345: It’s fucked.

On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.

> jim\_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us no one reads his column 🙂
> 
> tank: Mr. Fucking Brian Fucking Kerbs!

Another member of the JabberZeus crew — Ukrainian-born **Maksim “Aqua” Yakubets** — also is currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.

Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI

Top Zeus Botnet Suspect “Tank” Arrested in Geneva

Extends cyber asset attack surface management solution to multi-cloud environments,

**SAN JOSE, Calif., Nov. 15, 2022 /PRNewswire/ —** Balbix, provider of the world's leading platform for cybersecurity posture automation, announced today the general availability of support for Google Cloud Platform (GCP). Security teams can now use Balbix to easily quantify, prioritize and mitigate risks in their Google Cloud environments. With this announcement, Balbix has also extended its Cyber Asset Attack Surface Management (CAASM) solution to support multi-cloud environments that span both GCP and Amazon Web Services.

The rapid move to the cloud has made IT environments more complex to manage and secure. As a result, security teams struggle to get a consolidated view of risk. Yet, 63 percent of organizations say they look at security posture in the cloud separately from on-premises, according to Cybersecurity Insiders' 2002 State of Security Posture Report.

"Our customers' environments can include over 1 million assets, spread across multiple clouds and their own facilities. Managing an attack surface this large is no longer a human-scale problem," said Gaurav Banga, Founder and CEO of Balbix. "With Balbix's new support for GCP, our customers can use automation to manage cybersecurity posture across more of their environment."

**Cyber Security Posture Automation for Google Cloud Platform  
**Balbix now provides support for popular Google Cloud services, including Compute Engine, Cloud Storage, Cloud SQL, Google Kubernetes Engine (GKE) Cluster & Deployments, Cloud Functions, Cloud Key Management Service (KMS), Pub/Sub and Secret Manager. As a result, Balbix customers with Google Cloud environments can use automation and advanced analytics to:

*   Get comprehensive, near real-time visibility of their Google Cloud assets.
*   Combine data from Google Cloud with their other IT and security tools to gain security and business context for their assets.
*   Discover misconfigurations – the most exploited attack vector for the cloud – as well as unpatched software vulnerabilities, weak credentials and trust issues.
*   Measure risk in terms of breach likelihood and business impact in order to prioritize remediation.
*   Calculate and report on cyber risk quantified in dollars (or other currencies) instead of risk scores

**Cyber Asset Attack Surface Management for Multi-Cloud Environments  
**The addition of support for GCP extends Balbix's CAASM solution to multi-cloud environments. Security practitioners no longer need to use multiple tools or combine data manually from these tools in a custom spreadsheet to understand their security posture. They can see the relationships between assets, applications and users no matter where the assets are in the cloud or on-premises. They can also identify any gaps in coverage for security controls.

Balbix provides more than just visibility. Unlike other vendors, Balbix combines CAASM with Risk-Based Vulnerability Management (RBVM) and Cyber Risk Qualification (CRQ) solutions so security teams are able to immediately take action to reduce their cyber risk. They can continuously identify, prioritize and mitigate security issues as they emerge, while quantifying and tracking residual cyber risk in dollars. Daily cybersecurity decisions – operational as well as executive – can be made using a unified and up-to-date view of cyber risk.

"By adding support for Google Cloud, Balbix has broadened its risk model to be inclusive of multiple public cloud platforms and allowed organizations to better measure their overall cyber risk," said Ed Amoroso, Founder and CEO of research and advisory firm TAG Cyber. "Customers can leverage this unified risk model to quantify cyber risk by business unit, geography, site, asset type or business owner – and quickly remediate those risks."

The API-based Balbix Connector for Google Cloud Platform collects asset inventory and misconfiguration data and is available now. Visibility into other types of vulnerabilities is provided by optional Balbix sensors. These sensors also catalog the software bill of materials (SBOM) of applications running in GCP. Data collected by Balbix connectors and sensors is automatically deduplicated, correlated and inferenced to provide security teams with an accurate and unified view of risk.

To learn more about Balbix and its CAASM solution, visit https://www.balbix.com.

**About Balbix  
**Balbix enables businesses to reduce cyber risk by identifying and mitigating their riskiest cybersecurity issues faster. Our SaaS platform, the Balbix Security Cloud™, ingests data from businesses' security and IT tools so they can understand every aspect of their cybersecurity posture, build a unified cyber risk model and obtain actionable insights for risk reduction. With Balbix, businesses can automate inventory of their cloud and on-premise assets, conduct continuous risk-based vulnerability management and quantify cyber risk in dollars. Executives and operational teams can make cybersecurity decisions based on data not opinions.

A rapidly growing set of Fortune 500 companies trust Balbix as the "brain" of their infosec programs and are realizing the benefits of maximally automated workflows and reduced cyber risk. Balbix was recognized in CNBC's 2022 list of Top 25 Startups for the Enterprise and ranked #32 on the 2021 Deloitte Fast 500 North America.

Balbix Announces Cybersecurity Posture Automation Support for Google Cloud Platform

The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-3240: follow-me.php in follow-me/trunk – WordPress Plugin Repository

An update for protobuf is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference


**Synopsis**

Moderate: protobuf security update

**Type/Severity**

Security Advisory: Moderate

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for protobuf is now available for Red Hat Enterprise Linux 9.  

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.  

Security Fix(es):  

*   protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference (CVE-2021-22570)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  

Additional Changes:  

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 9 s390x
*   Red Hat Enterprise Linux for Power, little endian 9 ppc64le
*   Red Hat Enterprise Linux for ARM 64 9 aarch64
*   Red Hat CodeReady Linux Builder for x86\_64 9 x86\_64
*   Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
*   Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
*   Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x

**Fixes**

*   BZ - 2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/documentation/en-us/red\_hat\_enterprise\_linux/9/html/9.1\_release\_notes/index

**Red Hat Enterprise Linux for x86\_64 9**

SRPM

protobuf-3.14.0-13.el9.src.rpm

SHA-256: e1c0d70aaf82009015a6cb843a95f9643f18303d0d404e6611e42f7b46c0d7df

x86\_64

protobuf-3.14.0-13.el9.i686.rpm

SHA-256: 6d6ce39471ef091b67c5ae828b7eaaf0a5915e66e855e72186eabee0fdb115d2

protobuf-3.14.0-13.el9.x86\_64.rpm

SHA-256: 671f257fce903bd5c3dfb7316daa2efc7d8f5aa7de5c9dafc5a8883e246afc7e

protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: bfb355bf9f1417912eb84e36047b41232e2f9741edf400e00adec12bc1bffa03

protobuf-compiler-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: ce9ad186a45622d3255022ddf2a9cb2dba6844d582e74002987d87d0e1347db6

protobuf-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: dde149f57a1880ae90c6f33f5b6fadbb4475078a4f422b5dccf5acf3922b79b7

protobuf-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: 656e1e6d2f0487cda5f6a8670ebcd1097031d2fe6005c61701ea134b4364f1a1

protobuf-debugsource-3.14.0-13.el9.i686.rpm

SHA-256: 6c7da93517700a181e44fea00c56a3617ce924e0fdf5e8dc097c76102f07e9c5

protobuf-debugsource-3.14.0-13.el9.x86\_64.rpm

SHA-256: ff52e35b956ab78f0b1a1877fb9659254d3d6e31c83d80b261a55db6e0b18b00

protobuf-lite-3.14.0-13.el9.i686.rpm

SHA-256: ce83d2d37a0cc3905d93e472235bac9b0185c020d834a3022720b46ee488a908

protobuf-lite-3.14.0-13.el9.x86\_64.rpm

SHA-256: da089f8396948269b6b774c3db64b17277af9c057186ca7c23778117f348c2a5

protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: 1c7f89a634998c9afd066efbe11c1c74bba60a4daedd445ff4ec82ec8467285a

protobuf-lite-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: f208969ed6802b90a01fcbb4c6c0580892a84275687a43a4decbaa02a53673f0

python3-protobuf-3.14.0-13.el9.noarch.rpm

SHA-256: a715af6e01218d8d4986a7f6ac2c8a84ecd45d0f670c574393e2f5d6db72d237

**Red Hat Enterprise Linux for IBM z Systems 9**

SRPM

protobuf-3.14.0-13.el9.src.rpm

SHA-256: e1c0d70aaf82009015a6cb843a95f9643f18303d0d404e6611e42f7b46c0d7df

s390x

protobuf-3.14.0-13.el9.s390x.rpm

SHA-256: 07df2d12cbec4ff00a5a619f85a1c202df86494cdca14af701cd0db96cec64d2

protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 837ade8571eca1aff5c1939b9a6c9ab5c9c0ba08def566c18675bb2bd5d9396a

protobuf-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 599bf753809c8cac82a3a5c3a1e389d2968ce8a9493aa10ac7e3fd0f2ef4b304

protobuf-debugsource-3.14.0-13.el9.s390x.rpm

SHA-256: e6430bc52d854385b1d09882928f265fd7580b794093f544f650a0d7fbf87650

protobuf-lite-3.14.0-13.el9.s390x.rpm

SHA-256: 13f396c89344f46a8f2425d6126dcca7a02dc2a8c0b33411fc5eb19e98979b2f

protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 24c3e105e7c6e77db062c5a8ccf3b86e2f501549fcb3510028c1ee3851f92ffb

python3-protobuf-3.14.0-13.el9.noarch.rpm

SHA-256: a715af6e01218d8d4986a7f6ac2c8a84ecd45d0f670c574393e2f5d6db72d237

**Red Hat Enterprise Linux for Power, little endian 9**

SRPM

protobuf-3.14.0-13.el9.src.rpm

SHA-256: e1c0d70aaf82009015a6cb843a95f9643f18303d0d404e6611e42f7b46c0d7df

ppc64le

protobuf-3.14.0-13.el9.ppc64le.rpm

SHA-256: 5210169e4635d1d9cdba9b8345bc5f97799957c91ab2e5f6b3fe8f6017faaa12

protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 42275536b924bd55a9e2fc0da5e8b363b58de089d9d98dedea94028870085c97

protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 3e086f652973e8f551776ae48b7e49112cfb2b29a19a4d7fd326e9a3e8987734

protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm

SHA-256: 4952673b73954c11cc661ff2bc89c7bf9f003a49ba7dd16b2fd5493f75612af5

protobuf-lite-3.14.0-13.el9.ppc64le.rpm

SHA-256: f045715adfa6ca3de07dbb99dc65434ca6e47d074ffc8c82ad8135118bbe373b

protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 18d9a773231b6f36ebf1b7e8f2596db3405eb811a0b06f65949847fe5f00a36d

python3-protobuf-3.14.0-13.el9.noarch.rpm

SHA-256: a715af6e01218d8d4986a7f6ac2c8a84ecd45d0f670c574393e2f5d6db72d237

**Red Hat Enterprise Linux for ARM 64 9**

SRPM

protobuf-3.14.0-13.el9.src.rpm

SHA-256: e1c0d70aaf82009015a6cb843a95f9643f18303d0d404e6611e42f7b46c0d7df

aarch64

protobuf-3.14.0-13.el9.aarch64.rpm

SHA-256: 7f751e2ba51d9a4b62668f7181c7ca0d7a487a3ba82c2f8881a60e27921af4d9

protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: ae4a8aeb0936a524fab3124bacabee46394c6abdef82ea4e988e330e2fef8255

protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: 7fa910e54d2ae23f757ae7bdd43b1c79fc3dc9d8bacc7729ab7d3f32731e82de

protobuf-debugsource-3.14.0-13.el9.aarch64.rpm

SHA-256: 537d04ba7e52c088685f93b7379aa7f8d2e2cc84609b75e41f7a81443cb45e40

protobuf-lite-3.14.0-13.el9.aarch64.rpm

SHA-256: 615e14abc0723a49277ebc9c4069a81a4a677fb6a27a31f4124f0216509094ef

protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: b34053f0711098250497a0f2e62c830aec09a434ff74c38e1b27dc151c10fc16

python3-protobuf-3.14.0-13.el9.noarch.rpm

SHA-256: a715af6e01218d8d4986a7f6ac2c8a84ecd45d0f670c574393e2f5d6db72d237

**Red Hat CodeReady Linux Builder for x86\_64 9**

SRPM

x86\_64

protobuf-compiler-3.14.0-13.el9.i686.rpm

SHA-256: e03d4593a13a59b673e57a63769bcfd4fa1aab8032479804ef952fc6628bd78b

protobuf-compiler-3.14.0-13.el9.x86\_64.rpm

SHA-256: 5c3347d5fda16a001477b4b378c88f895488f6f0ff00432ebd302dd92f46193c

protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: bfb355bf9f1417912eb84e36047b41232e2f9741edf400e00adec12bc1bffa03

protobuf-compiler-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: ce9ad186a45622d3255022ddf2a9cb2dba6844d582e74002987d87d0e1347db6

protobuf-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: dde149f57a1880ae90c6f33f5b6fadbb4475078a4f422b5dccf5acf3922b79b7

protobuf-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: 656e1e6d2f0487cda5f6a8670ebcd1097031d2fe6005c61701ea134b4364f1a1

protobuf-debugsource-3.14.0-13.el9.i686.rpm

SHA-256: 6c7da93517700a181e44fea00c56a3617ce924e0fdf5e8dc097c76102f07e9c5

protobuf-debugsource-3.14.0-13.el9.x86\_64.rpm

SHA-256: ff52e35b956ab78f0b1a1877fb9659254d3d6e31c83d80b261a55db6e0b18b00

protobuf-devel-3.14.0-13.el9.i686.rpm

SHA-256: b2a27c29f1182657c8e3d73c100d9136a7b0218d7a82ac6a44dc5b0aaf272182

protobuf-devel-3.14.0-13.el9.x86\_64.rpm

SHA-256: 22e0950c16a9403005527106bb89c824c48955a64cd455d129e7d9df570ef2fb

protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm

SHA-256: 1c7f89a634998c9afd066efbe11c1c74bba60a4daedd445ff4ec82ec8467285a

protobuf-lite-debuginfo-3.14.0-13.el9.x86\_64.rpm

SHA-256: f208969ed6802b90a01fcbb4c6c0580892a84275687a43a4decbaa02a53673f0

protobuf-lite-devel-3.14.0-13.el9.i686.rpm

SHA-256: 9cc43375202dd1a4dc491c87cb13b9a0b8dfc830f9958ded9febc0bb32e6e619

protobuf-lite-devel-3.14.0-13.el9.x86\_64.rpm

SHA-256: c8b8f924a175717d7760168a3f3e6b1fb80d0e53978902a91c8c787ed49e8e43

**Red Hat CodeReady Linux Builder for Power, little endian 9**

SRPM

ppc64le

protobuf-compiler-3.14.0-13.el9.ppc64le.rpm

SHA-256: 28f8bae6a14224ac44982c12f4b51f63515652c5bb1fca11bdcb56ba672e2f9f

protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 42275536b924bd55a9e2fc0da5e8b363b58de089d9d98dedea94028870085c97

protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 3e086f652973e8f551776ae48b7e49112cfb2b29a19a4d7fd326e9a3e8987734

protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm

SHA-256: 4952673b73954c11cc661ff2bc89c7bf9f003a49ba7dd16b2fd5493f75612af5

protobuf-devel-3.14.0-13.el9.ppc64le.rpm

SHA-256: 7aadafe3ba7e816ed91eb6ebf60ceeac9d544bd8e59adcdc02f5918341377505

protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm

SHA-256: 18d9a773231b6f36ebf1b7e8f2596db3405eb811a0b06f65949847fe5f00a36d

protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm

SHA-256: dc311a20c992f2723db27f6dccd7905ce79d54cf91d2c4a4dbab5d606096fda5

**Red Hat CodeReady Linux Builder for ARM 64 9**

SRPM

aarch64

protobuf-compiler-3.14.0-13.el9.aarch64.rpm

SHA-256: cc3c8f5e340761a08a632d70a77a6afd4edc68f4ef92f6ed20dc5084d1cabb9f

protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: ae4a8aeb0936a524fab3124bacabee46394c6abdef82ea4e988e330e2fef8255

protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: 7fa910e54d2ae23f757ae7bdd43b1c79fc3dc9d8bacc7729ab7d3f32731e82de

protobuf-debugsource-3.14.0-13.el9.aarch64.rpm

SHA-256: 537d04ba7e52c088685f93b7379aa7f8d2e2cc84609b75e41f7a81443cb45e40

protobuf-devel-3.14.0-13.el9.aarch64.rpm

SHA-256: 8fa07b78f95628ce7313884d4c7e14cdcf2c6b952285d8345345c4aff9203ebf

protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm

SHA-256: b34053f0711098250497a0f2e62c830aec09a434ff74c38e1b27dc151c10fc16

protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm

SHA-256: 74ee8482b64695173fe4cc2d7c8f027e60b6c90eb54a2f64fdaaf985d00cd91a

**Red Hat CodeReady Linux Builder for IBM z Systems 9**

SRPM

s390x

protobuf-compiler-3.14.0-13.el9.s390x.rpm

SHA-256: d87cc5f9e21cdf3ba95ac1917bd5134db480c57134cbbef2f5987fe164a65d17

protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 837ade8571eca1aff5c1939b9a6c9ab5c9c0ba08def566c18675bb2bd5d9396a

protobuf-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 599bf753809c8cac82a3a5c3a1e389d2968ce8a9493aa10ac7e3fd0f2ef4b304

protobuf-debugsource-3.14.0-13.el9.s390x.rpm

SHA-256: e6430bc52d854385b1d09882928f265fd7580b794093f544f650a0d7fbf87650

protobuf-devel-3.14.0-13.el9.s390x.rpm

SHA-256: 036e31c5e359c4b21407034e9d7c7fe03448e55c188a66f1fb9bc15b48289481

protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm

SHA-256: 24c3e105e7c6e77db062c5a8ccf3b86e2f501549fcb3510028c1ee3851f92ffb

protobuf-lite-devel-3.14.0-13.el9.s390x.rpm

SHA-256: 5a5a5d962b1af5ee7f28404251f2690c817d44aa0a3fcab2c4bb644397faf1bd

Tag

#google