Missing Authorization vulnerability in One Hand Operation + prior to version 6.1.21 allows multi-users to access owner&#39;s widget without authorization via gesture setting.

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer  
Samsung Electronics (UK) Limited  
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

**Cookies**

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

**Essential Cookies**: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie

Domain

Purpose

JSESSIONID

security.samsungmobile.com

to keep login session

lastActivityTime

security.samsungmobile.com

to save the user's last activity time to automatically logout after 30 minutes of inactivity

**Managing Cookies and Other Technologies**

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

CVE-2023-21450: Samsung Mobile Security

Improper access control vulnerability in WindowManagerService prior to SMR Feb-2023 Release 1 allows attackers to take a screen capture.

CVE-2023-21440: Samsung Mobile Security

An improper implementation logic in Secure Folder prior to SMR Jan-2023 Release 1 allows the Secure Folder container remain unlocked under certain condition.

CVE-2023-21419: Samsung Mobile Security

Improper input validation vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to execute JavaScript by launching a web page.

CVE-2023-21434: Samsung Mobile Security

Red Hat Security Advisory 2023-0691-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include an out of bounds read vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.17 security, bug fix and enhancement update  
Advisory ID:       RHSA-2023:0691-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0691  
Issue date:        2023-02-09  
CVE Names:         CVE-2022-4337 CVE-2022-4338   
=====================================================================

1. Summary:

An update for openvswitch2.17 is now available for Fast Datapath for Red  
Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 9 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: Out-of-Bounds Read in Organization Specific TLV  
(CVE-2022-4337)  
* openvswitch: Integer Underflow in Organization Specific TLV  
(CVE-2022-4338)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2155378 - CVE-2022-4337 openvswitch: Out-of-Bounds Read in Organization Specific TLV  
2155381 - CVE-2022-4338 openvswitch: Integer Underflow in Organization Specific TLV  
2159419 - [ovs2.11][RHEL7.7] PF/VF Port statistics get over-run in OVS offload datapath  
2162035 - [23.A RHEL-9] Fast Datapath Release

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 9:

Source:  
openvswitch2.17-2.17.0-62.el9fdp.src.rpm

aarch64:  
openvswitch2.17-2.17.0-62.el9fdp.aarch64.rpm  
openvswitch2.17-debuginfo-2.17.0-62.el9fdp.aarch64.rpm  
openvswitch2.17-debugsource-2.17.0-62.el9fdp.aarch64.rpm  
openvswitch2.17-devel-2.17.0-62.el9fdp.aarch64.rpm  
openvswitch2.17-ipsec-2.17.0-62.el9fdp.aarch64.rpm  
python3-openvswitch2.17-2.17.0-62.el9fdp.aarch64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-62.el9fdp.aarch64.rpm

noarch:  
openvswitch2.17-test-2.17.0-62.el9fdp.noarch.rpm

ppc64le:  
openvswitch2.17-2.17.0-62.el9fdp.ppc64le.rpm  
openvswitch2.17-debuginfo-2.17.0-62.el9fdp.ppc64le.rpm  
openvswitch2.17-debugsource-2.17.0-62.el9fdp.ppc64le.rpm  
openvswitch2.17-devel-2.17.0-62.el9fdp.ppc64le.rpm  
openvswitch2.17-ipsec-2.17.0-62.el9fdp.ppc64le.rpm  
python3-openvswitch2.17-2.17.0-62.el9fdp.ppc64le.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-62.el9fdp.ppc64le.rpm

s390x:  
openvswitch2.17-2.17.0-62.el9fdp.s390x.rpm  
openvswitch2.17-debuginfo-2.17.0-62.el9fdp.s390x.rpm  
openvswitch2.17-debugsource-2.17.0-62.el9fdp.s390x.rpm  
openvswitch2.17-devel-2.17.0-62.el9fdp.s390x.rpm  
openvswitch2.17-ipsec-2.17.0-62.el9fdp.s390x.rpm  
python3-openvswitch2.17-2.17.0-62.el9fdp.s390x.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-62.el9fdp.s390x.rpm

x86_64:  
openvswitch2.17-2.17.0-62.el9fdp.x86_64.rpm  
openvswitch2.17-debuginfo-2.17.0-62.el9fdp.x86_64.rpm  
openvswitch2.17-debugsource-2.17.0-62.el9fdp.x86_64.rpm  
openvswitch2.17-devel-2.17.0-62.el9fdp.x86_64.rpm  
openvswitch2.17-ipsec-2.17.0-62.el9fdp.x86_64.rpm  
python3-openvswitch2.17-2.17.0-62.el9fdp.x86_64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-62.el9fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4337  
https://access.redhat.com/security/cve/CVE-2022-4338  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+RnytzjgjWX9erEAQh83hAAn7wZtp4GczoBt9pm1Cbl8ug0NFzax2Ve  
D1VedORejT43jl84X2tHGsMx95heFU0eCmIMD88Szqj9Vx3Yi3IZPX1htRNVb2mC  
4u27n+uAaIGFVkNcx1aWfKO2qitYmCCSsg2zQenJqhe+Pt4gUmvRy2R7feiyW91Q  
u7xo3kHyaOof9J+87WWq+xxmEXp6gAOl7/pzClew38cq/f7bUmHiMZE4o+nlM6rJ  
jhCvDQSr4PVaHBqiHsh1dH4npuXqkBzlqi0uG2qgU4sAhfEMhmG0eI52q7TzUm4w  
ASCz3c6aOYLQq4e0CXrB4+tHf2tN1SJCA4YBjhvFnPUbidxfdAOqvImj3dAJAvvc  
Oc93W74Zb1zIxHBkRWeVNzOEKQT8WOHrAzMbWEYObndTvKcvv6xn582dIbwgT4oy  
Z62tl6VHDTbemWkN+BcTAIllIqyamhBNv9VgzUpIeIk9TGj5Mh7qDn2dL9pJv//o  
n4D9FUfal2elVLjFqlJ23m0nU9S6EYNGv8FisfUA32sFu2HxRRmDoC7AoBPxUzQj  
U5o8RIEPVnwWfjvuKC9LymDKRU4AQV11GIEGq6zEvZYP2A8j/oDpfEmTmg5NhUeI  
Z8QlezHTOyMfGjsFfkz+8MzKuwabA7phwvYk/MRRE81Pr7cpDebKHy37NfAhaEp9  
w9uYO6IHLig=  
=B0kT  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0691-01

Red Hat Security Advisory 2023-0688-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include an out of bounds read vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.17 security, bug fix and enhancement update  
Advisory ID:       RHSA-2023:0688-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0688  
Issue date:        2023-02-09  
CVE Names:         CVE-2022-4337 CVE-2022-4338   
=====================================================================

1. Summary:

An update for openvswitch2.17 is now available for Fast Datapath for Red  
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch: Out-of-Bounds Read in Organization Specific TLV  
(CVE-2022-4337)  
* openvswitch: Integer Underflow in Organization Specific TLV  
(CVE-2022-4338)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2155378 - CVE-2022-4337 openvswitch: Out-of-Bounds Read in Organization Specific TLV  
2155381 - CVE-2022-4338 openvswitch: Integer Underflow in Organization Specific TLV  
2162034 - [23.A RHEL-8] Fast Datapath Release

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:  
openvswitch2.17-2.17.0-71.el8fdp.src.rpm

aarch64:  
network-scripts-openvswitch2.17-2.17.0-71.el8fdp.aarch64.rpm  
openvswitch2.17-2.17.0-71.el8fdp.aarch64.rpm  
openvswitch2.17-debuginfo-2.17.0-71.el8fdp.aarch64.rpm  
openvswitch2.17-debugsource-2.17.0-71.el8fdp.aarch64.rpm  
openvswitch2.17-devel-2.17.0-71.el8fdp.aarch64.rpm  
openvswitch2.17-ipsec-2.17.0-71.el8fdp.aarch64.rpm  
python3-openvswitch2.17-2.17.0-71.el8fdp.aarch64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-71.el8fdp.aarch64.rpm

noarch:  
openvswitch2.17-test-2.17.0-71.el8fdp.noarch.rpm

ppc64le:  
network-scripts-openvswitch2.17-2.17.0-71.el8fdp.ppc64le.rpm  
openvswitch2.17-2.17.0-71.el8fdp.ppc64le.rpm  
openvswitch2.17-debuginfo-2.17.0-71.el8fdp.ppc64le.rpm  
openvswitch2.17-debugsource-2.17.0-71.el8fdp.ppc64le.rpm  
openvswitch2.17-devel-2.17.0-71.el8fdp.ppc64le.rpm  
openvswitch2.17-ipsec-2.17.0-71.el8fdp.ppc64le.rpm  
python3-openvswitch2.17-2.17.0-71.el8fdp.ppc64le.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-71.el8fdp.ppc64le.rpm

s390x:  
network-scripts-openvswitch2.17-2.17.0-71.el8fdp.s390x.rpm  
openvswitch2.17-2.17.0-71.el8fdp.s390x.rpm  
openvswitch2.17-debuginfo-2.17.0-71.el8fdp.s390x.rpm  
openvswitch2.17-debugsource-2.17.0-71.el8fdp.s390x.rpm  
openvswitch2.17-devel-2.17.0-71.el8fdp.s390x.rpm  
openvswitch2.17-ipsec-2.17.0-71.el8fdp.s390x.rpm  
python3-openvswitch2.17-2.17.0-71.el8fdp.s390x.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-71.el8fdp.s390x.rpm

x86_64:  
network-scripts-openvswitch2.17-2.17.0-71.el8fdp.x86_64.rpm  
openvswitch2.17-2.17.0-71.el8fdp.x86_64.rpm  
openvswitch2.17-debuginfo-2.17.0-71.el8fdp.x86_64.rpm  
openvswitch2.17-debugsource-2.17.0-71.el8fdp.x86_64.rpm  
openvswitch2.17-devel-2.17.0-71.el8fdp.x86_64.rpm  
openvswitch2.17-ipsec-2.17.0-71.el8fdp.x86_64.rpm  
python3-openvswitch2.17-2.17.0-71.el8fdp.x86_64.rpm  
python3-openvswitch2.17-debuginfo-2.17.0-71.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4337  
https://access.redhat.com/security/cve/CVE-2022-4338  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+RnxNzjgjWX9erEAQiAng/8CEF0s+9tyHZJ5vvhbA4EMhTBY30BvlWf  
WPyybqxk2tucXuk4ARfruStnf/AZpL8xtf9aznCOhP4vacrpWYp7PJausIRfLKwG  
Jk1xsOJs3imyKSMkJR9ilJBvuyG6GFD9e/RR/2z5H1vpcw1ldL9MpizDyVLy0I3F  
XYjgMIHJDC66PwJRua4ABeiIrX2P8+tCm3cynXxrA/08DvVsQ/HZMnO5XMZh6+uw  
QXubvp6ThkNJBLi5fENErJWAlpu31c/sI6njP7VZdInRX+mDh99aDFFvAGZ4RetQ  
DslipMvHpe7niXEJ9EEXirAZkGOHhNQmh5e3wXYjc4Fn1lq+hLDB2friB0rNdBlR  
e4BG3m3wK9TebgvpLkK7mt3jdn8zlxAtY33Wg2SYSHLwpFj0kxQ0tZAKQTTpwc9l  
Ek/yfFubEGfZoYIhqCBFOEnEb635SVXQYFL2QQw4JGZf46xEewBxLxftp/SZ4H7D  
eLQXmrBHflEALaqnazOPObNNw2jB7gQmm5svAatZd1fy1vcFVIqB7hdy701SpWBm  
jzlvazTq59t3UmlUPs9OhkIOR//BaUuuSLqNm3xPGxE2hHOsC/yURdYBcfFRRBcf  
zqWOHIRNysHcyzBMtixtnbB9S4uf5EKo9RGf2TLGRW1ZdFYN2TsA7ryklWo/9RRD  
QliC+OVLpHo=  
=mmIf  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0688-01

Red Hat Security Advisory 2023-0692-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.0.7 security and bug fix update  
Advisory ID:       RHSA-2023:0692-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0692  
Issue date:        2023-02-09  
CVE Names:         CVE-2022-32149 CVE-2022-41717   
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.0.7 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1050 - Keep the annotation "pv.kubernetes.io/provisioned-by"  
OADP-1180 - [OADP] Backup get stuck at Inprogress status, as velero pod is getting restarted due to fatal error

6. References:

https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+RnwdzjgjWX9erEAQgQwg/6Aw0TWgJ8Tp1HVLBVWMo9iaPjGS1/ZufG  
YPQkgk4wwGwbtSVytQxSxABF80wCJUe9wI4OBjrFlqFLXtzH9X53H2MA1fBCbJ17  
692H/GVwLpY8fiw5sNBFEnfN3yuNvzz4K3onc0Ggk/Xr9JjFbxiYkd+vRygdQPKc  
AteQ7Bc3+0Qdzs9UX4IrJLSkC69kmBdfiA1/PhPpnzVO269Jm+9g7EOAyqciXJ19  
z9iPN8D89254KxtCnvnbDfByPt04u29yRFdFQYBlpgJzcE7hY5wW/Cwc81JOko+Q  
RsF2MR2+Pz0jCr8h/2xnyayDp0mjdkcB+DtJgPgBa1uIbb/cz109g+M/2i2flMfM  
rTDrRxYEndZ8JDMmeSCn1Gncoo29vE4Y6uiylLRwv+uj3WpmH6J3QrQ/4sEpusLO  
OHs8cvczfIcxiQXNNp+lMR1HPd1CWCiK0sRazJ7JnzK12PHOZA6v4lmm6RAtBxdY  
CGvVlgQG8tT9X70GJ6bbM0g9ozAezqTY4MLODBD+vbR0Qbf/gQWRBwMAr4SZErSH  
P1fEYDAMOpwwm7eWqGC7NYSMr1oxSJSz8Ad1Ep84/pYB9hEvHZMCpRFNOoLEUXjo  
OAsurqZnG5fYV8p+2yyOvlLSwdoq57b5Jz0ywjIbZn4bCB91OVDyqeR/X7yB+8ja  
+VdlUZO5m2s=  
=+hgQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0692-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update  
Advisory ID:       RHSA-2023:0693-01  
Product:           Red Hat Migration Toolkit  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0693  
Issue date:        2023-02-09  
CVE Names:         CVE-2021-4235 CVE-2021-43138 CVE-2021-46848   
                   CVE-2022-2056 CVE-2022-2057 CVE-2022-2058   
                   CVE-2022-2519 CVE-2022-2520 CVE-2022-2521   
                   CVE-2022-2867 CVE-2022-2868 CVE-2022-2869   
                   CVE-2022-2879 CVE-2022-2880 CVE-2022-2953   
                   CVE-2022-2995 CVE-2022-3162 CVE-2022-3172   
                   CVE-2022-3259 CVE-2022-3466 CVE-2022-3821   
                   CVE-2022-4883 CVE-2022-27664 CVE-2022-30631   
                   CVE-2022-32148 CVE-2022-32149 CVE-2022-32189   
                   CVE-2022-32190 CVE-2022-35737 CVE-2022-40303   
                   CVE-2022-40304 CVE-2022-41715 CVE-2022-41717   
                   CVE-2022-42010 CVE-2022-42011 CVE-2022-42012   
                   CVE-2022-43680 CVE-2022-44617 CVE-2022-46285   
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.7 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate  
Kubernetes resources, persistent volume data, and internal container images  
between OpenShift Container Platform clusters, using the MTC web console or  
the Kubernetes API.

Security Fix(es) from Bugzilla:

* async: Prototype Pollution in async (CVE-2021-43138)

* golang: archive/tar: unbounded memory consumption when reading headers  
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)

* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time  
to parse complex tags (CVE-2022-32149)

* golang: net/url: JoinPath does not strip relative path components in all  
circumstances (CVE-2022-32190)

* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2126276 - CVE-2021-43138 async: Prototype Pollution in async  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags  
2160662 - Velero pod crashing leading to migrations being stuck during Backup Phase  
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1275 - Update base image for hook-runner so kubernetes.core 2.3.2 or newer is present  
MIG-1281 - Allow DVM to be configured with alternative network strategies, more than an openshift route.

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235  
https://access.redhat.com/security/cve/CVE-2021-43138  
https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-2056  
https://access.redhat.com/security/cve/CVE-2022-2057  
https://access.redhat.com/security/cve/CVE-2022-2058  
https://access.redhat.com/security/cve/CVE-2022-2519  
https://access.redhat.com/security/cve/CVE-2022-2520  
https://access.redhat.com/security/cve/CVE-2022-2521  
https://access.redhat.com/security/cve/CVE-2022-2867  
https://access.redhat.com/security/cve/CVE-2022-2868  
https://access.redhat.com/security/cve/CVE-2022-2869  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-2953  
https://access.redhat.com/security/cve/CVE-2022-2995  
https://access.redhat.com/security/cve/CVE-2022-3162  
https://access.redhat.com/security/cve/CVE-2022-3172  
https://access.redhat.com/security/cve/CVE-2022-3259  
https://access.redhat.com/security/cve/CVE-2022-3466  
https://access.redhat.com/security/cve/CVE-2022-3821  
https://access.redhat.com/security/cve/CVE-2022-4883  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-43680  
https://access.redhat.com/security/cve/CVE-2022-44617  
https://access.redhat.com/security/cve/CVE-2022-46285  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+RnvtzjgjWX9erEAQj1Uw//Sajfr2eFvjS/4S4vFPjwT4h2vmhZx41v  
khxvUYsIiISMIdqGFyeHwGjJIVZvxLeNJFRgFwg7V/x3pK3cFf7mgFLLIFa+jZOy  
emzSTft3XWAgdAVw8PkrohPTsg49jJHklXBrekoH1HqKUQVbZxpKBjo5iGHbk+K3  
cpUF7ZJoPUa9bRmqE2DIOyQQyKmqivCh61wDQTZjR6S2xOeo0Y666pVl3cOcHpcp  
TVGsnO+o3qvqO7PezE6L1znbifO0jL6dsWFHysAKjYl0MR0hFjeloJVRq4QME49r  
qeDGGITJXfIAQzbo2CzyaP5Ifmre0O1VIAX5QyE3xhzgdn1JUeDBi3kOH1RLGXvq  
oYlkvVhV3xPBH9YK1hmTZalvy79tf9zi24sdk1/U+W/mZz/ZIKqPi+EyB3zio6Tm  
buYmultPogNVUWdRGuXxCCr2Alfw400dfmAFXWQ7JWX6XrxCwqz4YsfpZpslFMjT  
hYIH+jzVDbA3iL6nOJ3U0JnGo68KlcsnBfbGVkUWrf55O5bJp2N1Yf7KHZTcYonx  
QnQID1Xhwjye1pjV7/dCUjBjnXDcVcbfnxExK7AFHih8DBZc9DN3JP/cM1mjK6ab  
9hpMRo0NyfP1DNkpCTOFRmxmeiSvZZlxs1STin6XAbIKnIZdFGMWm7cDQgphXIVt  
Q40G6CG91Uo=  
=8Igd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0671-01 - Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: tigervnc security update  
Advisory ID:       RHSA-2023:0671-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0671  
Issue date:        2023-02-08  
CVE Names:         CVE-2023-0494   
=====================================================================

1. Summary:

An update for tigervnc is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Virtual Network Computing (VNC) is a remote display system which allows  
users to view a computing desktop environment not only on the machine where  
it is running, but from anywhere on the Internet and from a wide variety of  
machine architectures. TigerVNC is a suite of VNC servers and clients.

Security Fix(es):

* xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege  
elevation (CVE-2023-0494)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2165995 - CVE-2023-0494 xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.1.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.1.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.1.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.1.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
tigervnc-1.9.0-15.el8_2.1.src.rpm

aarch64:  
tigervnc-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.aarch64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.aarch64.rpm

noarch:  
tigervnc-icons-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-license-1.9.0-15.el8_2.1.noarch.rpm  
tigervnc-server-applet-1.9.0-15.el8_2.1.noarch.rpm

ppc64le:  
tigervnc-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.ppc64le.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.ppc64le.rpm

s390x:  
tigervnc-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.s390x.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.s390x.rpm

x86_64:  
tigervnc-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-debugsource-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-minimal-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-1.9.0-15.el8_2.1.x86_64.rpm  
tigervnc-server-module-debuginfo-1.9.0-15.el8_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0494  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+QTXtzjgjWX9erEAQiwgQ//T0eqmsNqaCB78rgK20ELopOaCfTSXD5r  
t2gDxiWOy8pn0Ah9gYKfX4DExFxL22u73N+YUHJbp6YznCdliNvP4XXZueOCbtSc  
7CIypf8NHRb5UFnFVDfqi5GJtW9zm1hqJflSGNRtjkDzRrL3+dyefAXuWXQBNVVy  
RSx/y1dkKvjaz63/vTIWLbC47p0144Sb1moblVB+tbNeopgBwMvTR8mww2PIlUfm  
uSho28KdQJ62sIw7V49LWa3+Bs06j9QuOWtR79A9QfvxKFwtY0SGX7gpxm+GwZ2d  
cm3ky4bfvacMBUeCKUbnNer1yawL2G8y7HU0lSXLF2kUsAVuwINVVc6fIs8rIoKH  
aJEGt+uQo9b/DvJXHPlgaf0ng4eeZ6WHjauBObaMUoroGtq54R+pIXXTSqN8Gf/w  
+lwRgpCSZqfrpzZIL8/ojR7iX2Kg6jp/cnk/4+byrcWfnjSBIC8PfdJp7evxGRig  
C+eaOwlDcp2ws5euOs/yE2R4LuOwAoOSsD3ZCZa+plvFQWvEBFOeW8BKECaLPAgu  
5Qn+cp++aUc5HBlfNP/lfLBgKQ0YyajiekKdrx0gAZPn5mYVO1jsFZhkyVlbTKBA  
ApRsDt9P8vip9B3TJEv7J6DWkO9Bmd/pGQXJPbjzZUWd/HSIanwnwJRsGPu99gjm  
l6qhMDHeaVE=  
=dMxu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0671-01

Red Hat Security Advisory 2023-0673-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: rh-varnish6-varnish security update  
Advisory ID:       RHSA-2023:0673-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0673  
Issue date:        2023-02-08  
CVE Names:         CVE-2022-45060   
=====================================================================

1. Summary:

An update for rh-varnish6-varnish is now available for Red Hat Software  
Collections.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Varnish Cache is a high-performance HTTP accelerator. It stores web pages  
in memory so web servers don't have to create the same web page over and  
over again, giving the website a significant speed up.

Security Fix(es):

* varnish: Request Forgery Vulnerability (CVE-2022-45060)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2141844 - CVE-2022-45060 varnish: Request Forgery Vulnerability

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-varnish6-varnish-6.0.8-2.el7.2.src.rpm

ppc64le:  
rh-varnish6-varnish-6.0.8-2.el7.2.ppc64le.rpm  
rh-varnish6-varnish-devel-6.0.8-2.el7.2.ppc64le.rpm  
rh-varnish6-varnish-docs-6.0.8-2.el7.2.ppc64le.rpm  
rh-varnish6-varnish-libs-6.0.8-2.el7.2.ppc64le.rpm

s390x:  
rh-varnish6-varnish-6.0.8-2.el7.2.s390x.rpm  
rh-varnish6-varnish-devel-6.0.8-2.el7.2.s390x.rpm  
rh-varnish6-varnish-docs-6.0.8-2.el7.2.s390x.rpm  
rh-varnish6-varnish-libs-6.0.8-2.el7.2.s390x.rpm

x86_64:  
rh-varnish6-varnish-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-devel-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-docs-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-libs-6.0.8-2.el7.2.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-varnish6-varnish-6.0.8-2.el7.2.src.rpm

x86_64:  
rh-varnish6-varnish-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-devel-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-docs-6.0.8-2.el7.2.x86_64.rpm  
rh-varnish6-varnish-libs-6.0.8-2.el7.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45060  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+QTUtzjgjWX9erEAQhbdw/5Aa77Dj829eRtWXBHVXuocamZ1Ejr0rih  
0+buN5z/yvp2TcE88aBfs1mV+DIiv3syc1FGj6lwMa+jul04GoaeB4m8mta2LI+z  
nhR38FDQJ8ndUOF5Xq+HFHW+Dm62CSBFxY9VJuZ6q/m+1sQM5duf/DRh470lbSe4  
eUjVf+zqMTAYyUM/KgoDLKjzs9X/PUbYNu/woVWptVOryQWNuGoweAOyaTGjD2No  
FGO8Dbn9W045i+P/rUMgbhZVYxIwMSgLwI52XUpARkktyklII2oUJiECwotw3Ovt  
XvnATmUqz6ws3mwp4iaEqWX9i4FieWevjCqoW+Xe5SWbIP9d2AvJZ2aIQNxJRhab  
v2oS8Ac2XpXCaU7LVaCiAwaATdfZ5KWVsQdbJnY44IY6mXSBCfGX5CNSR+a9lxCe  
SmQkHM/F44rsKaw8BnwrvMecdaxiig+UbXkvbZkdY4FvkqA+79XEPQQNp+nxsMAp  
NCVjk64MRwkyNChWm9vuIwBmd0i2die7un/8N02TMWlnw2CZ+/GfXX/wod8gKq62  
acGsWH7qhnl2YRfGBJsKeCyvfoHXFuJrBXWHaf4w2MVME6D2R3mnDV8YkQ6FEXfk  
sLwvVhrEMRI6BIW5oTk60na3Tt6cM+LJqh6DCINtSD4Oei1BcxuZZ78CgliaDvUK  
NpW7dZrkDMI=  
=fnQ9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js