Red Hat Security Advisory 2022-7005-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security update  
Advisory ID:       RHSA-2022:7005-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7005  
Issue date:        2022-10-19  
CVE Names:         CVE-2022-21619 CVE-2022-21624 CVE-2022-21626  
                   CVE-2022-21628  
====================================================================  
1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: excessive memory allocation in X.509 certificate parsing  
(Security, 8286533) (CVE-2022-21626)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,  
8286918) (CVE-2022-21628)

* OpenJDK: improper handling of long NTLM client hostnames (Security,  
8286526) (CVE-2022-21619)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,  
8286910) (CVE-2022-21624)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)  
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)  
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)  
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el8_4.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el8_4.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el8_4.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el8_4.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el8_4.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.352.b08-2.el8_4.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el8_4.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v. 8.4):

aarch64:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-2.el8_4.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-2.el8_4.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-2.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1C45tzjgjWX9erEAQgeBA/+Jg4lDZYbAiH1xNPGqwJQdaDuPADdtKyB  
+G4CNz7mJ5/IHS+IjupRL2vuAybdGmd3sI2Mu6pI4dcEPPQ/mI/ub7jvmQPMJH0D  
9rwIWUqwfuDvPWHjskVWazUJHtTGwoRiFXacOUDtCmr4QS4ZhfVz1HYkmZoiIJiN  
11rU0pLnEcQi60Di+5rDl3rokCT5qlVLghaS5yPawdga9r88SWZBkcsQlYdUBdtj  
CaQVhzyBlf9LZkpVE+TI9DYSTpSvFxW8i8HRJb+YEdO2Ka5zod16wPmYbWkfmy5n  
3kfqkxHIJoiH8MLenaWvHMHsU36RQLYdfdnDFlyDSX53dN90EjRx52WwaSpt4UAb  
U3wRkm+b26BgdG74vD+QybPniLbw4RrHZbFCoDwcMQf/6UNXtA8N9jTP6mXNE/DB  
JDI1yl976P4Q1DWBI0ehRhF9v5WgU//smrjgj7pyPrvA2cqGK59zgdwKQP/b2G44  
ZX5ZiI7Fcyxnvyubuy9HyGBO4NBv7gb7x0j4jxk6AVxSeSdQ+Go4zNHSSN7W4sW7  
hLpao+PpYssg/woSOYo5c8/ivYaMLMdr7g4CsmuuDOXhjlvv96JEkv5LRgHJA6QB  
sOkDgCRXxrR+qQRESukB4G+wxgzCzr7MovofYNtqBAAk3MRbkIdUWaEirFGYEW55  
dX4Zb3IP+M0=T1In  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7005-01

Red Hat Security Advisory 2022-7009-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: java-11-openjdk security update  
Advisory ID:       RHSA-2022:7009-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7009  
Issue date:        2022-10-19  
CVE Names:         CVE-2022-21618 CVE-2022-21619 CVE-2022-21624  
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-39399  
====================================================================  
1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS,  
8286077) (CVE-2022-21618)

* OpenJDK: excessive memory allocation in X.509 certificate parsing  
(Security, 8286533) (CVE-2022-21626)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,  
8286918) (CVE-2022-21628)

* OpenJDK: improper handling of long NTLM client hostnames (Security,  
8286526) (CVE-2022-21619)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,  
8286910) (CVE-2022-21624)

* OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)  
(CVE-2022-39399)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)  
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)  
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)  
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)  
2133776 - CVE-2022-39399 OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)  
2133817 - CVE-2022-21618 OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS, 8286077)

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
java-11-openjdk-11.0.17.0.8-2.el8_1.src.rpm

aarch64:  
java-11-openjdk-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.aarch64.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_1.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.ppc64le.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_1.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.s390x.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_1.s390x.rpm

x86_64:  
java-11-openjdk-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_1.x86_64.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1C5htzjgjWX9erEAQhCfg/9EqbWP5tiIoi/7YiEkHujY66akFBmdfzO  
XMGsqKv4jlTPXm7rvtLetSMK0ewqxezFhMJsIg2CxyyIMwxpGSIeg6WDqzkV0dFy  
aNkUcExtzjXyLQu6thSPMsHLyDOYhXl463Ld4k3JVkl32tQX46vDHfd8gOPoEU8O  
pXTJw9+VU2ngj9waqHUPuID6J5yb+oYSwJj+V0Ax2d/bFBKMxQ+jttvNn+bfx0fH  
HI7EI/ldn4Qx65hfwdIbnmA8oEw9aBhsRaaKHmUoPrXBJDSNkYN9FLPVcbHkSUFW  
4EZdisSQqgMp39IxXQB5BbO9W183rDlHuMyh5V6f4pKL+QKUD+FmGDW56ov4XNLt  
Go7GpqR8g1drFE/M98own9fAYhiYyUQ4+JmHLnlu/thiNWRWFi5mx12ibBGng25E  
TghYWE8gRdIc6PI1FjJh0asZrbOaKyy8mWMpcfdIhhdIYy5q9x+XtmfAX+a8Bl2G  
pITp2U3FVWbSW73K/8ZuGPvgpGS3tBAZMnHBibIuPgZUPbE5BP2rixDRo3/wDP87  
x1lA/c735MtIprx1s9p4Ppm8dLa72gFUmCQPR3Mkrj8jy1kev0W9LC68KzuU9IA1  
qa7oDzGug//DmLU2RlezvbAdvK7/kOzHgYwm5tmOrJu929yMaSRQkgCWEfGUn06v  
Wybg+iwOkNYî9N  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7009-01

Red Hat Security Advisory 2022-7002-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a randomization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2022:7002-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7002  
Issue date:        2022-10-19  
CVE Names:         CVE-2022-21619 CVE-2022-21624 CVE-2022-21626  
                   CVE-2022-21628  
====================================================================  
1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: excessive memory allocation in X.509 certificate parsing  
(Security, 8286533) (CVE-2022-21626)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,  
8286918) (CVE-2022-21628)

* OpenJDK: improper handling of long NTLM client hostnames (Security,  
8286526) (CVE-2022-21619)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,  
8286910) (CVE-2022-21624)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Prepare for the next quarterly OpenJDK upstream release (2022-10, 8u352)  
(BZ#2130371)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130371 - Prepare for the next quarterly OpenJDK upstream release (2022-10, 8u352) [rhel-7.9.z]  
2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)  
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)  
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)  
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.src.rpm

ppc64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.ppc64.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el7_9.noarch.rpm

ppc64:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.ppc64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.ppc64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.s390x.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.352.b08-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1C5ptzjgjWX9erEAQglaQ//aIrZksrqQa48J5ywEK1CEjN3KLcYyjW0  
SNfIT2bJxR13BkGkY3HqiBwyODODIjsfl2Gmu9mYVkyCA/1eUrHP0MauSwv2sLKX  
2KaIa3L+oh7fhJDRNK4xFARZDvPdlqutUv+LcBBrO0KLCiN42IiaVm7/NeNcqO4H  
mv6DpiELGL/4zq/ZO8lC2WK0op0ATDfb6MrIxcRa6meQNDh7uTrTIfkCqFdC8Yy6  
+qF6lN6+ABADqW8bBtYCog0EZLR52NVFKZxX/CjpMLu7FU8+VbbBIwQCHoOZVhPO  
cYHJF2Gy6KS047ARg/pkBhbnzTR8WwjjJ0dd1edNPAqMyo4sob4OwxMLSjJuh11w  
N1rsIpnydNYuPh7siUm759Yp8vrjNlJyiLaG5ljzO9KbY1y9eeSrWp/VvGiaGaRj  
QAZqD8Xait3vq5qZ3o90AYTcTUGMntYWE7xa+jMR0NFwWLeDy2VmJ6lekHS1vOHG  
nkiU2THj8eyGf4qJe13VRo3J5eL71XeLKGBu+KTeuY0405pJ0vDzJUT66NKc/QgW  
ksHwsHRvz+6afzAmdY0sUMx/G1y8D3fZOMfj4JBC1UJlle56tFX+PozWp8YrRSJK  
BcRlOkdKMWwPFCjUCnQT5ZFIw/CJZXuXSO7wbMYrKzHs6VT4QINKcipCa/18qweF  
PWgfk18Jz9c=SimZ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7002-01

Red Hat Security Advisory 2022-7012-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Issues addressed include buffer overflow and randomization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: java-11-openjdk security and bug fix update  
Advisory ID:       RHSA-2022:7012-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7012  
Issue date:        2022-10-19  
CVE Names:         CVE-2022-21618 CVE-2022-21619 CVE-2022-21624  
                   CVE-2022-21626 CVE-2022-21628 CVE-2022-39399  
====================================================================  
1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS,  
8286077) (CVE-2022-21618)

* OpenJDK: excessive memory allocation in X.509 certificate parsing  
(Security, 8286533) (CVE-2022-21626)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,  
8286918) (CVE-2022-21628)

* OpenJDK: improper handling of long NTLM client hostnames (Security,  
8286526) (CVE-2022-21619)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,  
8286910) (CVE-2022-21624)

* OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)  
(CVE-2022-39399)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Prepare for the next quarterly OpenJDK upstream release (2022-10,  
11.0.17) [rhel-8] (BZ#2131863)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2131863 - Prepare for the next quarterly OpenJDK upstream release (2022-10, 11.0.17) [rhel-8] [rhel-8.6.0.z]  
2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)  
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)  
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)  
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)  
2133776 - CVE-2022-39399 OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)  
2133817 - CVE-2022-21618 OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS, 8286077)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-11-openjdk-11.0.17.0.8-2.el8_6.src.rpm

aarch64:  
java-11-openjdk-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-static-libs-11.0.17.0.8-2.el8_6.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-static-libs-11.0.17.0.8-2.el8_6.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-static-libs-11.0.17.0.8-2.el8_6.s390x.rpm

x86_64:  
java-11-openjdk-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-demo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-javadoc-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-jmods-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-src-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-static-libs-11.0.17.0.8-2.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-demo-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-demo-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-src-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-src-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.17.0.8-2.el8_6.aarch64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-2.el8_6.aarch64.rpm

ppc64le:  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-demo-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-demo-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-jmods-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-jmods-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-src-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-src-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-2.el8_6.ppc64le.rpm

s390x:  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-demo-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-devel-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-headless-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-jmods-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-src-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-2.el8_6.s390x.rpm

x86_64:  
java-11-openjdk-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-debugsource-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-demo-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-demo-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-src-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-src-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.17.0.8-2.el8_6.x86_64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21618  
https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/cve/CVE-2022-39399  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1C5O9zjgjWX9erEAQgoCQ/+P5DMYqjDHIbiQ1axXBMGvQy5k8/8dl+Q  
7G8C/7I0XhIjBg9yZ0ilJBl8Y5JEuo97iMufy4skb4ujZrAnkJPMJPtzvy+5dOBr  
xq8Zig8bN3eZ7/Zhcht3tkasW/cpyrB+H0f1z6dB7xWDJ95/ztPU9fAz7avr5Fwk  
Mr8rvZQCpIKQ4XaAlqGoNQlcKXsgjsS/1JqOG5hD1JUz9XwZkhLhZ7ItNG09LM8Y  
Ujc6k5QInE6pSO5uluhkPYAKrX9VTxmqurSttYuaNRMS2CCKZHIyeqzscEavoOfR  
9cc/wyLg1Qbbhz/guzrmq1CHmH1s7bC4U2NB5An6IujeZA9ibCXnP1OpDcphM7zh  
80Ak70/M9Qrm7lR00ajCGSoRmDDbuYpZXfEd9EpkKNw0ZwOuq/exQ+2UfyuWCKQR  
DskLGtUtgYw2xazFZvdkzAIm0UluHLXVDkTE8Lx8ZENPAGs9eW92nyoXqsDeXhON  
jj4fApY2jVJQLLCRcdsyT1FfXGDerhOff4QB9LKFCEecUTekoPK30uNBLVdKxmyE  
W5kqQId6Srb8KaEIh0TRv9Fixu+jQ4TjiRc0bQwVZaYeyPE+4lRxV678JnNkiMHu  
zMPhH14z27V83hv6v+8h2OuaUPXt/aOXc8AFbzm7fFpKEDsiBm8B4jj5icBVU2En  
kKmeP2Ig9Ok=yG45  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7012-01

Red Hat Security Advisory 2022-7044-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs14-nodejs security update  
Advisory ID:       RHSA-2022:7044-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7044  
Issue date:        2022-10-19  
CVE Names:         CVE-2021-44531 CVE-2021-44532 CVE-2021-44533  
                   CVE-2021-44906 CVE-2022-21824 CVE-2022-35256  
====================================================================  
1. Summary:

An update for rh-nodejs14-nodejs is now available for Red Hat Software  
Collections.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Improper handling of URI Subject Alternative Names  
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection  
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields  
(CVE-2021-44533)

* minimist: prototype pollution (CVE-2021-44906)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names  
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection  
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields  
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties  
2066009 - CVE-2021-44906 minimist: prototype pollution  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm

noarch:  
rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm

ppc64le:  
rh-nodejs14-nodejs-14.20.1-2.el7.ppc64le.rpm  
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.ppc64le.rpm  
rh-nodejs14-nodejs-devel-14.20.1-2.el7.ppc64le.rpm  
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.ppc64le.rpm

s390x:  
rh-nodejs14-nodejs-14.20.1-2.el7.s390x.rpm  
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.s390x.rpm  
rh-nodejs14-nodejs-devel-14.20.1-2.el7.s390x.rpm  
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.s390x.rpm

x86_64:  
rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm

noarch:  
rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm

x86_64:  
rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm  
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-44531  
https://access.redhat.com/security/cve/CVE-2021-44532  
https://access.redhat.com/security/cve/CVE-2021-44533  
https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-21824  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1Bkk9zjgjWX9erEAQh9DQ//dSOPbtnYD3f9AvLUnQpnJb7OyGisGpPW  
von8hNiTCD5J3FP2DlY3/wGX9H1g2BXmuwpojS/sh17E2+sHldBTMk5kxT8bkBkB  
ZWnmIwqA1PfjAO4FEc7MtePJXsqCrBne63Bpo7k3ALc4hHtP2BEMkjA4ZOJJDl82  
ydj74PPr0uVuZAn0jcLKsIPq1OmUW9jNuzY0p5uqhXKVP4XfFWfpi2dd34Nej+dv  
RbSABk5jZ0R6bQlPOdG4bI8vevvmhkeAqkcWgHWBZ9n34SFdiGKFdxUI3+SM2zvl  
tB7zuDc9rsLnF7DLZq3HVG3eOVdxJ1MKwap89iQrmQCy1kz4iq3hZbAKJHIjLTEy  
gWpwYI9nCamIsNwYB1pUM5RexkKTPKDRttZh9hff2RO9QCvdnecw3386blkhsb8s  
XJMAywflJeBrTnMPQ9tSNx60CgGI8JkU40RtnfwwS5yS1upd56jYbL+W4CzbZmzd  
bj48/l+fl3Ny0bGZ6QAG0ZWrH0eTs6hL/xYKFu2Z7jDteP9ITE1kSKeISjE/G0Rb  
Hjjp6sfEiR07PEJx2/Lne+o5JvCGu7wviT2SnJIfjX9C056CtO4IjRXEqdPqZqYq  
3+T1AOLM1M2vu55WagYhnTtfGefIj5EScstARXZjz5pF0dQyhNZNO+p/S0coNUWz  
y4v1DFKlYtA=JvnP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7044-01

Red Hat Security Advisory 2022-7055-01 - An update is now available for Red Hat Openshift distributed tracing 2.6.0. Issues addressed include denial of service and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: RHOSDT 2.6.0 operator/operand containers Security Update  
Advisory ID:       RHSA-2022:7055-01  
Product:           RHOSDT  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7055  
Issue date:        2022-10-19  
CVE Names:         CVE-2015-20107 CVE-2021-3918 CVE-2022-0391  
                   CVE-2022-0536 CVE-2022-1292 CVE-2022-1586  
                   CVE-2022-1650 CVE-2022-1785 CVE-2022-1897  
                   CVE-2022-1927 CVE-2022-2068 CVE-2022-2097  
                   CVE-2022-24785 CVE-2022-31129 CVE-2022-32206  
                   CVE-2022-32208 CVE-2022-34903  
====================================================================  
1. Summary:

An update is now available for Red Hat Openshift distributed tracing 2.6.0

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This release of Red Hat OpenShift distributed tracing provides these  
changes:

Security Fix(es):

* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* follow-redirects: Exposure of Sensitive Information via Authorization  
Header leak (CVE-2022-0536)

* Moment.js: Path traversal  in moment.locale (CVE-2022-24785)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability  
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2021-3918  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-0536  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1650  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1BkhtzjgjWX9erEAQgc3A//S16S+mYr+0uhv7fBfHt1dRBkY6hManvF  
jvEIqy7HvrpaUI8aL7M7YA/NEinnqWwcqNKL5P0EhT03ZSCQkJYoN0PXWaH3QzDo  
o49VzI/V7V3x6lJmA1Uzq24jyU6Uu0xa2wYYuwjy1vpNa1sx60uMzhMn5enk0URG  
RqyrLVcx4O0Tdypnx2coDnVXQOA62en+gITpOxY5gjywKeOIV9ksejvaaA//NTL+  
K8LMmCobj+qmUhduX17OHfH7GgrXdWNNLVOZ+LcAr8NtUAtyUOddliwjFUO9Je+7  
1dTtvNyB8+scPZOvYiuGeRPtS/EZLu3AGSIeKNGGB8hDqB6iMMx4HoZg9MT23kd7  
qzbh6tEMdIUI47Sq5x7CrTW9HvSQ04XYbhA3MfaRzxjao1VDQaMSW5RnJcLqD7WS  
/lJv4pqNdUxNgZGLxNjym1ZcskSjWh3KgetYcOiHfPyFT4195i5uWcLDJk7RLD8X  
1ikbWzHqrliGTTiD5ml/nv4IL7dPjcL9ENC/p9+C/bZqR5I8WgKBigDkYQdyoCrT  
cpVa0UPsz08HtMA208Df8QkCehI3g0qPedV2PpRt/XokKMEP6eMEgd1sFYiOljYN  
BWSDLQWec9+7QqDWpTtwFUU9C3VaGaaau4LVYehmYLl3uXQzfaxjWzSntdhqDtc9  
2U9smIGtonA=uOMp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7055-01

OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.

**Affected Component**

OpenCRX <=5.2.2 - https://github.com/opencrx/opencrx/

**Description**

OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid.

**Steps to reproduce**

Navigate to password reset page on endpoint "/opencrx-core-CRX/RequestPasswordReset.jsp"

Enter an email, username or ID in the text field and click ok.

If the provided email, username or ID is valid the response will be "Password reset request successful for $username".

If it's not valid then the response will be "Unable to request password reset".

**Impact**

User enumeration.

CVE-2022-40084: OpenCRX-CVE/CVE-2022-40084.md at main · ciph0x01/OpenCRX-CVE

By Waqas
The malware has been identified as I3mon, which can perform all kinds of spying operations.
This is a post from HackRead.com Read the original post: Smartphones of Iran’s protest detainees targeted with spyware

In recent months, there has been a growing number of protests in Iran after **Mahsa Amini’s death**. And while these protests have been met with a heavy crackdown by the government, it seems that they may have also been targeted by spying malware.

According to Voice of America (VoA), spyware has been detected on the Android cellphones of some individuals recently detained for protesting against the government. 

It is worth noting that on September 16th, 2022, a 22-year-old Iranian woman named **Mahsa Amini died in Tehran, Iran**, under Police custody. Amini was arrested for failure to follow government-mandated forms of the Hijab.

The malware, identified as **I3mon**, can perform all kinds of spying operations. It comes with an installation file (com.etechd.l3mon.apk).

VoA obtained a copy of the spyware. In its report, the agency noted that the malware was previously distributed on different forums and titles such as **Telegram with Free Internet**.

On the other hand, cybersecurity firms like **Kaspersky** and Dr. Web have already categorized the malware as a trojan of the Android malware family. Dr. Web **dubbed** the malware as “Android.SmsSpy.88.origin” back in August 2015.

**How Infection Occurs?**

I3mon is very common spyware among cybercriminals. They frequently deploy it to steal ID and credit card details and obtain sensitive data such as passwords. It is generally distributed via infected links, emails, or third-party platforms.

The malware may also be distributed under the guise of legitimate apps or **hidden in apps available on Google Play Store**. But it may also be manually installed on the device. It can be installed on computers and virtual servers to target cloud users.

Furthermore, the spyware is designed in JavaScript and is cloud-based. Moreover, the spyware uses a nodeJS environment and is licensed as open-source software.

VoA’s Persian language **report** claims that the malware on the devices of Iranian protestors was activated on a German server, and the data from the victim’s cellphone was transmitted outside of Iran.

**Spyware Capabilities**

If the phone is infected, it can allow attackers to access the phonebook, call logs, internet connection, microphone conversations, and SMS sent/received by the victim. In addition, it can record audio, send out location data, sub-access lists, installed apps lists, monitor typed words live, and access notification lists and mobile Wi-Fi connection details.

Spyware disguised as a fake Adobe Flash app for Android asking for administrative privileges and stealing PayPal and banking credentials (Dr.Web)

Security experts suggest users adopt preventive measures and install authentic antivirus software. If they haven’t installed **the antivirus**, it becomes essential to keep checks on battery overcharging and app accessibility features because the malware could be hidden behind an app and may cause the battery to drain quickly.

If you suspect a malware infection, run a factory reset or get the device checked by an expert.

In conclusion, this discovery raises severe concerns about the government’s use of surveillance against its own citizens. It also highlights the need for better protection for protesters and dissidents in Iran and elsewhere.

1.  **Irani and Chinese State Hackers Exploiting Log4j Vulnerability**
2.  **Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers**
3.  **Iranian Hackers Spread RatMilad Android Spyware Disguised as VPN**
4.  **Hackers turn to Signal, Telegram, Dark Web to assist Iranian protestors**
5.  **Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Smartphones of Iran’s protest detainees targeted with spyware

Categories: News
Categories: Threats
Tags: Ducktail

Tags:  infosteal

Tags:  information stealer

Tags:  Zscaler

Tags:  Trojan

Tags:  Facebook Business

Tags:  Facebook API graph

Tags:  Facebook Ads Manager

Tags:  PHP malware

An information stealer known to go after the Facebook accounts of businesses is now after crypto wallets, too.



(Read more...)




The post New PHP-based Ducktail infostealer is now after crypto wallets appeared first on Malwarebytes Labs.

Posted: October 20, 2022 by

A phishing campaign known to specifically target employees with access to their company's Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail _(Woo-ooh!)_ campaign was first made public three months ago in July, but it's thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

**Ducktail 101**

Social engineering attacks and malware form the core of Ducktail's _modus operandi_. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced .NET Core with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, but it also steals cryptocurrency wallets, too. These are then stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, wherein texts are easy to understand.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it's a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake "Checking Application Compatibility" pop-up to distract users while it installs in the background. The malware then executes two processes: The first is for establishing persistence on the affected system, meaning the malicious script is scheduled to run daily and regularly; The second is for data stealing tasks. 

Zscaler researchers broke down the kinds of data this PHP malware steals:

*   Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers. 
*   Information stored in browser cookies
*   Crypto account information from the _wallet.dat_ file
*   Data from various Facebook pages, such as API graph, Ads Manager, and Business, which are not limited to: 
    *   Accounts and their status
    *   Ads payment cycle
    *   Currency details
    *   Funding source
    *   Payment method
    *   PayPal payment method (email address tied to PayPal accounts)
    *   Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

**Stay safe from the Ducktail infostealer**

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business's Facebook accounts, to be wary of this information stealer's risks. Prevention is key.

*   Never download files not relevant to your work, especially if you're using company-provided computers and mobile devices.
*   Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
*   If something seems too good to be true, it probably is. You'd be better off avoiding it.

If you suspect you've been infected by Ducktail malware and you're a Facebook Business administrator, check if any new users have been added to _Business Manager > Settings > People._ Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one's vigilance. Remember that some malware campaigns don't need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

**RELATED ARTICLES**

New PHP-based Ducktail infostealer is now after crypto wallets

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#js