The mission to run any containerized application on any infrastructure makes security a challenge on Kubernetes.

Kubernetes is the de facto container management platform in the modern cloud-native world. It makes it possible to develop, deploy, and manage microservices flexibly and scalably. Kubernetes works with various cloud providers, container runtime interfaces, authentication providers, and extensible integration points.

However, Kubernetes still has one major drawback: security. The integrator approach of Kubernetes to run any containerized application on any infrastructure makes it challenging to create holistic security around Kubernetes and the application stack living on it.

According to Red Hat's 2022 "State of Kubernetes" security report, the majority of Kubernetes users had their delivery halted due to unaddressed security concerns. In addition, over the course of the previous 12 months, almost every Kubernetes user in the study experienced at least one security incident. Therefore, it is fair to say that Kubernetes environments are not secure by default and are open to risks.

This article discusses the top 10 security risks with real-life examples and tips on how to avoid them.

**1\. Kubernetes Secrets**

Secrets are one of the core building blocks of Kubernetes for storing sensitive data like passwords, certificates, or tokens and using them inside containers. There are three critical issues related to Kubernetes secrets:

*   Secrets store sensitive data as base-64 encoded strings, but they are not encrypted by default. Kubernetes does offer encryption of the resources for storage, but you need to configure it. Furthermore, the biggest threat about secrets is that any pod — and any applications running inside the pod — in the same namespace can access and read them.
*   Role-based access control (RBAC) allows you to regulate who is granted access to Kubernetes resources. You need to properly configure RBAC rules so that only the relevant people and applications will have access to secrets.
*   Secrets and ConfigMaps are the two methods of passing data to running containers. If there are old and unused secrets or ConfigMap resources, it can create confusion and leak vulnerable data. For instance, if you delete your back-end application deployment but forget to delete the secret that has your database passwords, any malicious pod can use them in the future.

**2\. Container Images With Vulnerabilities**

Kubernetes is a container orchestration platform that distributes and runs containers on the worker nodes. However, it does not check the contents of containers for whether they have security vulnerabilities or exposures.

Therefore, it is necessary to scan the images before deployment to ensure that only images from trusted registries with no critical vulnerabilities (like remote code execution) will run on the cluster. Container image scanning should also be integrated into CI/CD systems for automation and detecting flaws earlier.

**3\. Runtime Threats**

Kubernetes workloads — namely, containers — run on the worker nodes, and the containers are controlled by the host operating system in the runtime. If there are permissive policies or container images with vulnerabilities, they can open backdoors into your whole cluster. Therefore, OS-level runtime protection is required to enforce security in runtime, and the most important protection against runtime threats and vulnerabilities is to implement the least-privileged principle throughout Kubernetes.

Open source and widely accepted tools like Seccomp, SELinux, and AppArmor in the Linux kernel level are available to implement policies and restrict access. These tools are not internal to Kubernetes and require external configuration and effort to enable protection against runtime threats. In order to secure Kubernetes in an automated fashion, try employing the Kubernetes Security Posture Management (KSPM) approach. KSPM leverages automation tools to detect, fix, and alert security, configuration, and compliance issues using a holistic approach.

**4\. Cluster Misconfiguration and Default Settings**

The Kubernetes API and its components consist of a complex set of resource definitions and configuration options. Therefore, Kubernetes offers default values for most of its configuration parameters and tries to remove the burden of creating long YAML files.

However, you need to be careful about three critical issues related to cluster and resource configuration:

*   Default Kubernetes configurations are helpful, as they try to increase flexibility and agility, but they are not always the most secure options.
*   Online examples for Kubernetes resources are helpful to get started, but it is necessary to double-check what these example resource definitions will deploy to your cluster.
*   It is customary to make changes to Kubernetes resources using "kubectl edit" commands while working on the clusters. However, if you forget to update the source files, the changes will be overwritten in the next deployment, and the untracked modifications could lead to unpredictable behavior.

**5\. Kubernetes RBAC Policies**

RBAC is the Kubernetes-native method of managing and controlling authorization to Kubernetes resources. Therefore, configuring and maintaining RBAC policies is essential to secure the clusters from unwanted access.

There are two critical points to consider while working with RBAC policies. First, some RBAC policies are too permissive, such as the cluster\_admin role, which can do basically everything in the cluster. These roles are assigned to regular developers to make them more agile. However, in the event of a security breach, attackers quickly get high-level access to the clusters using cluster\_admin. To avoid this, you should configure RBAC policies for specific resources and assign them to particular user groups.

Second, in general, various environments, like development, testing, staging, and production, exist in the software development life cycle. In addition, there are multiple teams with different focuses, such as developers, testers, operators, and cloud admins. RBAC policies should be assigned correctly for each group and each environment to limit exposure.

**6\. Network Access**

In Kubernetes, a pod can connect to other pods and external addresses outside the cluster; others can connect to this pod from inside the cluster by default. Network policies are the Kubernetes-native resources to manage and restrict the network access between pods, namespaces, and IP blocks.

Network policies can also work with the labels on the pods, so inefficient use of labels could lead to unwanted access. In addition, when the clusters live in cloud providers, the cluster network should also be isolated from the rest of the virtual private cloud (VPC).

**7\. Holistic Monitoring and Audit Logging**

When you deploy an application to a Kubernetes cluster, it's not sufficient to only monitor the application metrics. You must also watch the Kubernetes cluster's status, cloud infrastructure, and cloud controllers to have a holistic view of the complete stack. It is also important to watch for breaches and detect anomalies since intruders will be testing to access your clusters from every possible opening.

Kubernetes provides out-of-the-box audit logs for security-related incidents in the cluster. Still, you also need to collect the records from various applications and monitor their health in a central place.

**8\. Kubernetes API**

Kubernetes API is the core of the entire system, where all internal and external clients connect and communicate with Kubernetes. If you deploy and manage Kubernetes components in-house, you need to be more careful because the Kubernetes API server and its components are open source tools with potential — and actual — vulnerabilities. Therefore, you should use the latest stable version of Kubernetes and patch live clusters as early as possible.

If you use cloud providers, the Kubernetes control plane is in control of the provider itself, so the cloud infrastructure updates and patches automatically. However, users are responsible for upgrading worker nodes in most cases. Therefore, you can use automation and resource provisioning tools to upgrade nodes easily or replace them with new ones.

**9\. Kubernetes Resource Requests and Limits**

In addition to scheduling and running containers, Kubernetes can also limit the resource usage of containers in terms of CPU and memory. Although Kubernetes users mostly neglect them, resource requests and limits are critical for two reasons:

*   **Security:** When the pods and namespaces are not restricted, even a single container with a security vulnerability could access sensitive data inside your cluster.
*   **Cost:** When the requested resources are more than the actual usage, the nodes will run out of available resources. This will lead to an increase in the node pool if autoscaling is enabled, and the new nodes will increase your cloud bill inevitably.

When the resource requests are calculated and assigned correctly, the whole cluster works efficiently in terms of CPU and memory. In addition, when resource limits are set, both faulty applications and intruders will be limited in terms of resource usage. For instance, if there are no resource limitations, a malicious container could consume nearly all of the resources in the node and make your application unusable.

**10\. Data and Storage**

Although containers are designed to be ephemeral, Kubernetes makes it possible to run stateful containerized applications scalably and reliably. With the StatefulSet resource, you can deploy databases, data analytics tools, and machine-learning applications into Kubernetes quickly. The data will be accessible to the pods as volumes attached to the containers.

However, it is critical to limit access by policies and labels to avoid unwanted access by other pods in the cluster. In addition, storage in Kubernetes is provided by external systems, so you should consider using encryption for critical data in the cluster. If you manage your storage plugins, you should also check the security parameters to ensure that they are enabled.

**Conclusion**

Kubernetes is the indisputable container management platform for running microservice applications. However, holistic security is still one of its drawbacks, as it is not the core focus of the project. Therefore, you need to take extra steps to make your clusters and applications more secure.

Top 10 Kubernetes Security Risks Every DevSecOps Pro Should Know

Red Hat Security Advisory 2022-7209-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: libksba security update  
Advisory ID:       RHSA-2022:7209-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7209  
Issue date:        2022-10-26  
CVE Names:         CVE-2022-3515  
====================================================================  
1. Summary:

An update for libksba is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as  
the CMS easily accessible by other applications.  Both specifications are  
building blocks of S/MIME and TLS.

Security Fix(es):

* libksba: integer overflow may lead to remote code execution  
(CVE-2022-3515)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135610 - CVE-2022-3515 libksba: integer overflow may lead to remote code execution

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
libksba-1.3.5-8.el8_1.src.rpm

aarch64:  
libksba-1.3.5-8.el8_1.aarch64.rpm  
libksba-debuginfo-1.3.5-8.el8_1.aarch64.rpm  
libksba-debugsource-1.3.5-8.el8_1.aarch64.rpm

ppc64le:  
libksba-1.3.5-8.el8_1.ppc64le.rpm  
libksba-debuginfo-1.3.5-8.el8_1.ppc64le.rpm  
libksba-debugsource-1.3.5-8.el8_1.ppc64le.rpm

s390x:  
libksba-1.3.5-8.el8_1.s390x.rpm  
libksba-debuginfo-1.3.5-8.el8_1.s390x.rpm  
libksba-debugsource-1.3.5-8.el8_1.s390x.rpm

x86_64:  
libksba-1.3.5-8.el8_1.i686.rpm  
libksba-1.3.5-8.el8_1.x86_64.rpm  
libksba-debuginfo-1.3.5-8.el8_1.i686.rpm  
libksba-debuginfo-1.3.5-8.el8_1.x86_64.rpm  
libksba-debugsource-1.3.5-8.el8_1.i686.rpm  
libksba-debugsource-1.3.5-8.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3515  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1klltzjgjWX9erEAQivSxAAgzKR6f0zSUXg33N9wnNA6a0Lb4bEsIF7  
al4nC4pjng1Mp/saxg4m7/pH98bX5fQkRVqBirGUsHRbGTT9ThUgQkhO2iIwL6dS  
21qzdeOPOZzw9HCeXtltUk+fs+RGUGnUIbN08wCn0Qsi6eqNmSqOx8lDf7AYL5CU  
4K5O3S7fYg1uFe1iwoZ3+myv0TYGcDuQ8Qsu9MoGigTU7cy4HFWkte72FtJQUd1y  
LClk7tOw0qMIgzAoTli1RqV8GKWO96HbuaQwQ+c+uKt+oc3tM2K9CMXnO5v3lkhn  
Fm7Si+iKnCw5vuwLmLOnpYCnsGkqIDx1FjwBlnkV8VUO7q3RTwFoq7422PV9/uqp  
uDrsmrHaykT1h28gczlR/iwDV9Xfk5gw9xBIyQC49pFtGOeJCeXweyYUL5i3GD3x  
SnE6WfD82XST1exLu4ptNJ6eyoSBzNawsW6bxrUEOHhAU7aWCFiddgt5/NZ9Hw/6  
TMkheHN8OVmMEA4+iVxjZcSQL32T/8g4LZZGCCNTY00lzVbpfLezufeLu5ZtivZ4  
+4hDOCXx9P9U2HdCRhCtbDP0gSrv3atb/6jy8B8rSlPIDabq6sreJQIQjI8auxKB  
HQbRZoiZrpNesS8hpmKEQuVUkFIsXY2/TLOxrfDIXJucNMRNXHJv2LB5BqqneDyl  
T2k6Cn0IE1E=UF8/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7209-01

Ubuntu Security Notice 5700-1 - David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Soenke Huster discovered that an integer overflow vulnerability existed in the WiFi driver stack in the Linux kernel, leading to a buffer overflow. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5700-1October 26, 2022linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm,linux-lowlatency, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:David Bouman and Billy Jheng Bing Jhong discovered that a race conditionexisted in the io_uring subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denialof service (system crash) or possibly execute arbitrary code.(CVE-2022-2602)Sönke Huster discovered that an integer overflow vulnerability existed inthe WiFi driver stack in the Linux kernel, leading to a buffer overflow. Aphysically proximate attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-41674)Sönke Huster discovered that a use-after-free vulnerability existed in theWiFi driver stack in the Linux kernel. A physically proximate attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2022-42719)Sönke Huster discovered that the WiFi driver stack in the Linux kernel didnot properly perform reference counting in some situations, leading to ause-after-free vulnerability. A physically proximate attacker could usethis to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2022-42720)Sönke Huster discovered that the WiFi driver stack in the Linux kernel didnot properly handle BSSID/SSID lists in some situations. A physicallyproximate attacker could use this to cause a denial of service (infiniteloop). (CVE-2022-42721)Sönke Huster discovered that the WiFi driver stack in the Linux kernelcontained a NULL pointer dereference vulnerability in certain situations. Aphysically proximate attacker could use this to cause a denial of service(system crash). (CVE-2022-42722)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  linux-image-5.19.0-1006-raspi   5.19.0-1006.13  linux-image-5.19.0-1006-raspi-nolpae  5.19.0-1006.13  linux-image-5.19.0-1009-lowlatency  5.19.0-1009.10  linux-image-5.19.0-1009-lowlatency-64k  5.19.0-1009.10  linux-image-5.19.0-1010-azure   5.19.0-1010.11  linux-image-5.19.0-1010-gcp     5.19.0-1010.11  linux-image-5.19.0-1010-ibm     5.19.0-1010.11  linux-image-5.19.0-1010-kvm     5.19.0-1010.11  linux-image-5.19.0-1010-oracle  5.19.0-1010.11  linux-image-5.19.0-1011-aws     5.19.0-1011.12  linux-image-5.19.0-23-generic   5.19.0-23.24  linux-image-5.19.0-23-generic-64k  5.19.0-23.24  linux-image-5.19.0-23-generic-lpae  5.19.0-23.24  linux-image-aws                 5.19.0.1011.10  linux-image-azure               5.19.0.1010.9  linux-image-gcp                 5.19.0.1010.9  linux-image-generic             5.19.0.23.22  linux-image-generic-64k         5.19.0.23.22  linux-image-generic-lpae        5.19.0.23.22  linux-image-ibm                 5.19.0.1010.9  linux-image-kvm                 5.19.0.1010.9  linux-image-lowlatency          5.19.0.1009.8  linux-image-lowlatency-64k      5.19.0.1009.8  linux-image-oem-22.04           5.19.0.23.22  linux-image-oracle              5.19.0.1010.9  linux-image-raspi               5.19.0.1006.7  linux-image-raspi-nolpae        5.19.0.1006.7  linux-image-virtual             5.19.0.23.22After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-5700-1  CVE-2022-2602, CVE-2022-41674, CVE-2022-42719, CVE-2022-42720,  CVE-2022-42721, CVE-2022-42722Package Information:  https://launchpad.net/ubuntu/+source/linux/5.19.0-23.24  https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1011.12  https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1010.11  https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1010.11  https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1010.11  https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1010.11  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1009.10  https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1010.11  https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1006.13

Ubuntu Security Notice USN-5700-1

Red Hat Security Advisory 2022-7184-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7184-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7184  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.4.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.4.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.4.0-1.el7_9.src.rpm

ppc64le:  
thunderbird-102.4.0-1.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.4.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.4.0-1.el7_9.src.rpm

x86_64:  
thunderbird-102.4.0-1.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpUdzjgjWX9erEAQgBkA/+NRpXw0CEdEyyhbWgGRAihB37cl5G/5pp  
/qXA6QnVENRBBVYgmY/7/p0Rw3Ptm0Vh6W42KUyE0Rn4W+DSKzqrdL7lITanZJZu  
jxMvBvjKNBynlmhPEOBodQbn6IkqUrH4qGfHrxbFguruzF1i/Gxc/4nZjbSkw7+c  
M6Cs5ReGcH4B+O5zqYUHYPM/l5FI8dY+5ZF6sq7YSpby57vjHP9XChzY7R3rlMwz  
Oi+1P5/mAquGyzDw5u1s8ogNGVF1jv+KLKktrf0UczUaGF+w0avysD/PJxNQQHXF  
Bu/FJvHK2cTlOjJgv/Mujysz0F28I/WZYM7+iulbQOZ+FSzjeQQsO5rOcCvFdKHE  
JqXI8UWRp4/DONAIla1drdTwKJS0IPyBmU3/CagiZ/HdtfXWaHrz8XJ9meE+79zb  
T9qbXM9SWPON1e5sMIfvXBCnzjDc28bhgYGBlJX2EU3FIEYrMN7DKygfk3+5FxDd  
l5P3khj1LZrrawRgUlRWU8d5oRACs55A0z/lSzMSjKDGHAi0f+uPdNWDfNkN+zg9  
yOS7d/a8pUdUo/XHRA6WOj5OO3wtpc6h+Y6TYLS4EoTp2XeM3zGhAdpkKKfa8lA5  
bDY5le7J53zQTV5trVjc9WJl+u/f9eC1m1rCiGT0PfjC8hkwPKey1n/ZogKB+U9i  
00XEbkeHy8Q=ghrh  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7184-01

Red Hat Security Advisory 2022-7183-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7183-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7183  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
thunderbird-102.4.0-1.el8_1.src.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_1.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_1.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_1.ppc64le.rpm

x86_64:  
thunderbird-102.4.0-1.el8_1.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_1.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go6NzjgjWX9erEAQjVRw//Yk2rJA0Dzf3HfI55D93gio6R57HpiydD  
V0PRvN2Om+I0EAG+qwqBcft3DPKWbD+oICs/f4y7DkPbLGsI9N9EbvnI6yUrWABn  
S3b1mq2QHN8Od3xC3ehS48TPVkLqRRErC87x0tBmm+mtBBNJdT950A/PtVH8xj+p  
y32bOAOj8G5pLQb8PBM06mpT2u3vZpNVqHA23BWISVDVPgkuA7gXLxXu11iYRWRt  
bhKkgj81QJpB8o8OwGtDQqkN9QFLyWo3I6+D6scfihHEOBiP3bAukeKtHcHm2W47  
y2Q006CsZDmHSEBeY4YpHz8H0IqhEOF8drTF4RVDxCoApSvgv1ntAxUO6+tWnfwA  
wTceJAXop1JAA/GVF/QQ4d3EZIs8NbjwMZd8P98do8HF4WYCxJAtA0L4H17WPCkM  
0IwVmDHvV4xU/S/6qJrdq/OiZEwXGx1JT7Zu9h8Qn+jA81kIAvgOBlFOkk8UMXFR  
oOF+EkUDNsYNdSIYBRxaNZ/JahEHnzxuJc0l9O0wfhDk6wrrI2AwGteH6VHgXINJ  
oEK9gnRlgc0QIK5EsuIcV0TYuErHC6mS1+tiCl4t0pcf1Yt53VZWkilNlAv4isAt  
iwFbQFSnbzCuKiYo1My5ZGA5CYwE9L4PzAdRbIasAlb2XIeJ+uCFCCIaqJLbPwKd  
GR9GNZWj+Fo=Z1ER  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7183-01

Red Hat Security Advisory 2022-7186-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7186-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7186  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
device-mapper-multipath-0.4.9-136.el7_9.src.rpm

x86_64:  
device-mapper-multipath-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.x86_64.rpm  
kpartx-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-0.4.9-136.el7_9.i686.rpm  
libdmmp-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-devel-0.4.9-136.el7_9.i686.rpm  
libdmmp-devel-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
device-mapper-multipath-0.4.9-136.el7_9.src.rpm

x86_64:  
device-mapper-multipath-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.x86_64.rpm  
kpartx-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-0.4.9-136.el7_9.i686.rpm  
libdmmp-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-devel-0.4.9-136.el7_9.i686.rpm  
libdmmp-devel-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
device-mapper-multipath-0.4.9-136.el7_9.src.rpm

ppc64:  
device-mapper-multipath-0.4.9-136.el7_9.ppc64.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc64.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.ppc.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.ppc64.rpm  
kpartx-0.4.9-136.el7_9.ppc64.rpm

ppc64le:  
device-mapper-multipath-0.4.9-136.el7_9.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc64le.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.ppc64le.rpm  
kpartx-0.4.9-136.el7_9.ppc64le.rpm

s390x:  
device-mapper-multipath-0.4.9-136.el7_9.s390x.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.s390.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.s390x.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.s390.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.s390x.rpm  
kpartx-0.4.9-136.el7_9.s390x.rpm

x86_64:  
device-mapper-multipath-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.x86_64.rpm  
kpartx-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc64.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.ppc.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.ppc64.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.ppc64.rpm  
libdmmp-0.4.9-136.el7_9.ppc.rpm  
libdmmp-0.4.9-136.el7_9.ppc64.rpm  
libdmmp-devel-0.4.9-136.el7_9.ppc.rpm  
libdmmp-devel-0.4.9-136.el7_9.ppc64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.ppc64le.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.ppc64le.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.ppc64le.rpm  
libdmmp-0.4.9-136.el7_9.ppc64le.rpm  
libdmmp-devel-0.4.9-136.el7_9.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.s390.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.s390x.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.s390.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.s390x.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.s390x.rpm  
libdmmp-0.4.9-136.el7_9.s390.rpm  
libdmmp-0.4.9-136.el7_9.s390x.rpm  
libdmmp-devel-0.4.9-136.el7_9.s390.rpm  
libdmmp-devel-0.4.9-136.el7_9.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-0.4.9-136.el7_9.i686.rpm  
libdmmp-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-devel-0.4.9-136.el7_9.i686.rpm  
libdmmp-devel-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
device-mapper-multipath-0.4.9-136.el7_9.src.rpm

x86_64:  
device-mapper-multipath-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-libs-0.4.9-136.el7_9.x86_64.rpm  
kpartx-0.4.9-136.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-debuginfo-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.i686.rpm  
device-mapper-multipath-devel-0.4.9-136.el7_9.x86_64.rpm  
device-mapper-multipath-sysvinit-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-0.4.9-136.el7_9.i686.rpm  
libdmmp-0.4.9-136.el7_9.x86_64.rpm  
libdmmp-devel-0.4.9-136.el7_9.i686.rpm  
libdmmp-devel-0.4.9-136.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpG9zjgjWX9erEAQgMzQ//Q/iLVKSzeXypnL500ie7uo9YyHTlaeIt  
wu7iWluFzMRtEVgO9EUC23D6Ts31WTtpF96DPdp3O0wfKtZaAgGnyieQ9Krj8hsW  
6QpKBNm77p/IkOH9VtQD8CxJujQDbm2UAxL82N7tJooq8rXHhXrbt6qY6v0eZwx3  
WJcoOMjBeU6BCEQqTRuiPxcZxhWllWVZtmCE7wdxiGMktRKswb5YFMdbJh+JbwHT  
fHDbPAU+MBm4htDC+7U2et3SKjsZPhjPb89F6O3kKw6hrVj/dVpbcO1MzMQ3EKOu  
ZKLb/UBmlgQvuzjzK+W/dh3yeRgJMyFTG57+79eEkMZTCR+q3sAAp+AqREQR8Zeg  
LNxrVHjScknMY2reBGa0BGMkna6D/jsYcCJjijpf1qi987NIZLcotHRPBIqNvXoL  
BtAlXCVVb3J1cvPXRrkVQLs8kN2NLpw8WC6TEYAhL2EZs68iPVHbvJz1NoCENNfa  
06FkN0L89UDhBa3JQkb36qvv3IVGBIgKQRBCJwMQX9WXvbR2RWCnE5IIP4+H5jW2  
l9QV3QYK6jqucGSqinAXOKpbzr+aUXd5wNdKJOhR3GFIO+SPc/kWrLJPbxomZAaU  
2XA599Gp03n1k6rd1L3BYpAGzcR28M9LqU5KKpbrjFvxi+kkGx/p2uVgYyigd6ar  
dihUETdfe2w=J3Nl  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7186-01

Red Hat Security Advisory 2022-7171-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:7171-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7171  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-2588  
====================================================================  
1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.6  
Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.6) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.6) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.6) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.6) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.6) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* a use-after-free in cls_route filter implementation may lead to privilege  
escalation (CVE-2022-2588)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* backports from upstream for netfilter (BZ#2120635)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2114849 - CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.6):

Source:  
kernel-3.10.0-957.99.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-957.99.1.el7.noarch.rpm  
kernel-doc-3.10.0-957.99.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-headers-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-957.99.1.el7.x86_64.rpm  
perf-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.6):

Source:  
kernel-3.10.0-957.99.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-957.99.1.el7.noarch.rpm  
kernel-doc-3.10.0-957.99.1.el7.noarch.rpm

ppc64le:  
kernel-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-957.99.1.el7.ppc64le.rpm  
perf-3.10.0-957.99.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
python-perf-3.10.0-957.99.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm

x86_64:  
kernel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-headers-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-957.99.1.el7.x86_64.rpm  
perf-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.6):

Source:  
kernel-3.10.0-957.99.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-957.99.1.el7.noarch.rpm  
kernel-doc-3.10.0-957.99.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-devel-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-headers-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-957.99.1.el7.x86_64.rpm  
perf-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.6):

x86_64:  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.6):

ppc64le:  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-957.99.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.ppc64le.rpm

x86_64:  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.6):

x86_64:  
kernel-debug-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-957.99.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-957.99.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2588  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gohNzjgjWX9erEAQh9jxAAo0hX0U836zHymb/7X8cI2lgKfgeq8NPl  
lmjvq+JVJ60emyzSrM/tU6/pWrr59SuMN2YuSLU9WgMOFn5q3kMzF0Puht0Vg299  
Uv7UOMhzgJgJIPcZIjfSKULD++vINonnMSEKg5mxEr9YXKHx+wxnYG+1quullwif  
bhxPZFpeNaaovzgGDTIEvAAih04pgoG+4CYbGsN5FtcIbaz6AsON3UruY8fKOftQ  
ZvwzwteOFc6D90ERu/x+NArx9tNhiwjxtFs2gBPOXQ4dDkJZI8NVygbuRh0aqmr9  
lxiFlQqTTXBcwhbCTv7LXYBcGesqpKIaYWMSiWf6s5Vv9qcUOiXKsn7tDJyZUmj3  
0AO6/S5CZZ/i6ziBtUIh5oH4wjcBSNzOzZX6fmDrgq7DSzPeZ/q2BIA13z7bq4w6  
POPMaCsSA/wNotnxlvR3voUDxBAlZ8QgrEt435AmV0nOvncdMgZYqhz18SPe/n7x  
tjBwSfYRzcTJm0oGk5WgDcMofLsQELk4iliqJDL2Td4havr4O+Om0xDQ9oxIX1s5  
GdQ+dHc8Qp0QCCAn74DoI+yz0xLubAFWUF+wKiaVaDAdAe0JWJX4kqaL/I3NqRpO  
gWZDffXyPHnvcEpsOIU7g1q7Mo7ufuFAvKT17CEXSkvJbL4J2JKkxnJWGBWgkVj6  
PdiJqkwxhgQmoq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7171-01

Red Hat Security Advisory 2022-7185-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7185-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7185  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
device-mapper-multipath-0.8.7-7.el9_0.1.src.rpm

aarch64:  
device-mapper-multipath-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.s390x.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-debugsource-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-devel-0.8.7-7.el9_0.1.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
kpartx-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.i686.rpm  
libdmmp-debuginfo-0.8.7-7.el9_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpMdzjgjWX9erEAQhhlxAAnLYr8LOMnAArHYkmIBZqygypwgl4J0k1  
o7ncHpmStLpV69VzD6V8NCOEeB+xgxYgMTRRsBjszKtutvPM4Sl2yZDHJS7Fyacd  
aS6GcfYz5nx4YSRSPglJ1L8vsaSz/IloIfOEs0w8sNR8CQLZBNEfAIjcVIVDLQAJ  
Hps6A48rnLbDOnYlgN5vm2UweS+hIGXzyc4jj6/kpRMcwzYSRfbWGZE++fLtal6Z  
+Ccka8OkRl6RB6kvE1YXuzwYdkL8xjWZR4PvQS3x4sKQhRI1qdjwCijaNAzuSQMy  
GUyWvwxF6FHzLDSgOCbucMGjFmpQQTx3nIw13J/7kYEKAtRkNV0OeywUmi4yguXE  
Za443sUnaGa1WvirJdrLhVySmVnR623bhbamCD90HvgGUeT6CPJ0gyZfybQWo4op  
EP51z9xlpGKcPKaMd3jkB5L81RMky5mcYLnVjWGOwhA7XfAf8zDtwk39EZztpJqd  
gHG+kCvfmqmbPntYp06wBvYeEnYnlF1dYkPJo7Df31xG0F/MrDs/qLGor6mOKpGz  
pXCX2z1v+xy7wLAFgFYj4jg9rZtNnc1SgMTYZZZGVDw7GrnzlJi76KkOxB4MzIG/  
RiWrz3+EwLQVgQVAyzmBKC26TpIkUxjZDITXX/cJTEsyIwg/CxmPpiilvPPZYusH  
PrKNM5XvBl4=INDC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7185-01

Red Hat Security Advisory 2022-7181-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:7181-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7181  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-39236 CVE-2022-39249 CVE-2022-39250  
                   CVE-2022-39251 CVE-2022-42927 CVE-2022-42928  
                   CVE-2022-42929 CVE-2022-42932  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.4.0.

Security Fix(es):

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack by malicious server administrators (CVE-2022-39249)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device  
verification attack (CVE-2022-39250)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an  
impersonation attack (CVE-2022-39251)

* Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
(CVE-2022-42927)

* Mozilla: Memory Corruption in JS Engine (CVE-2022-42928)

* Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data  
corruption issue (CVE-2022-39236)

* Mozilla: Denial of Service via window.print (CVE-2022-42929)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird  
102.4 (CVE-2022-42932)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2135391 - CVE-2022-39236 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a data corruption issue  
2135393 - CVE-2022-39249 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators  
2135395 - CVE-2022-39250 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to a device verification attack  
2135396 - CVE-2022-39251 Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack  
2136156 - CVE-2022-42927 Mozilla: Same-origin policy violation could have leaked cross-origin URLs  
2136157 - CVE-2022-42928 Mozilla: Memory Corruption in JS Engine  
2136158 - CVE-2022-42929 Mozilla: Denial of Service via window.print  
2136159 - CVE-2022-42932 Mozilla: Memory safety bugs fixed in Firefox ESR 102.4 and Thunderbird 102.4

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
thunderbird-102.4.0-1.el8_4.src.rpm

aarch64:  
thunderbird-102.4.0-1.el8_4.aarch64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.aarch64.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.aarch64.rpm

ppc64le:  
thunderbird-102.4.0-1.el8_4.ppc64le.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.ppc64le.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.ppc64le.rpm

s390x:  
thunderbird-102.4.0-1.el8_4.s390x.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.s390x.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.s390x.rpm

x86_64:  
thunderbird-102.4.0-1.el8_4.x86_64.rpm  
thunderbird-debuginfo-102.4.0-1.el8_4.x86_64.rpm  
thunderbird-debugsource-102.4.0-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-39236  
https://access.redhat.com/security/cve/CVE-2022-39249  
https://access.redhat.com/security/cve/CVE-2022-39250  
https://access.redhat.com/security/cve/CVE-2022-39251  
https://access.redhat.com/security/cve/CVE-2022-42927  
https://access.redhat.com/security/cve/CVE-2022-42928  
https://access.redhat.com/security/cve/CVE-2022-42929  
https://access.redhat.com/security/cve/CVE-2022-42932  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1gpXtzjgjWX9erEAQgKbw//SKeJmtgvK39I4nnmnHEMvPAvQBni66S0  
ut2glMr63CN0qbsbDYHGjOm6WT4uLzFjwwiK0LmQYIfQLdQCctXBECgUdArDBNCd  
/IPrT3m1kL2If5ge4MApHKQo1c/Eicf2plY8I5R+ql0Xq9fz14WRroZ+RI12SRlO  
zuEkPAAoKABaoHqh/h5hdvsilMqSgnaPepAJbGKRsMXa9vqD2zSZaQ4FT8NR43Cc  
GUA5j5kXzheaLRyuK1KzlYxoD87F1Fc0ygzzljSi2+qjuxk+KsWRSeouVjSYH3sN  
J46fSgb55do1S8QMwzLFtb8liM8DKVENurVtWWDoG7LiZrHrGkzZq6EYEaM1b4kX  
7Yw7igMYf9yj2/n6uehQtQx0CAkVGvQ/88HlZpXzmCjs4ewfqDJ1HrlUy8p7ZnQF  
ndTPelBgUxsd2QPZT3ek8bypD5n8oKEfFUJl0qlsL6KzShmhluOuXsBVcRvp4RaV  
XgmOn3xKjJLaYrDCW3vVW6/CXTlto74OtqZRVJK71rl2W41Lpe3lJ4iontV3d1/M  
Et4XHHL4wvYHOwIFPT1iQS5Zz+phtmrs2HKwZUcSJusZp648rXi/qahfVjz5rnvh  
I7E3GfP9SvtfwQmUrJR6oiyXaSxKebbM47m3di/XmsGZ3+na1B9SdpEFBEVVYPKH  
n6JgqoRWgG8=s8XS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7181-01

Red Hat Security Advisory 2022-7192-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: device-mapper-multipath security update  
Advisory ID:       RHSA-2022:7192-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7192  
Issue date:        2022-10-25  
CVE Names:         CVE-2022-41974  
====================================================================  
1. Summary:

An update for device-mapper-multipath is now available for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The device-mapper-multipath packages provide tools that use the  
device-mapper multipath kernel module to manage multipath devices.

Security Fix(es):

* device-mapper-multipath: Authorization bypass, multipathd daemon listens  
for client connections on an abstract Unix socket (CVE-2022-41974)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
device-mapper-multipath-0.8.4-22.el8_6.2.src.rpm

aarch64:  
device-mapper-multipath-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-libs-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
kpartx-0.8.4-22.el8_6.2.aarch64.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
libdmmp-0.8.4-22.el8_6.2.aarch64.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm

ppc64le:  
device-mapper-multipath-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-libs-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
kpartx-0.8.4-22.el8_6.2.ppc64le.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
libdmmp-0.8.4-22.el8_6.2.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm

s390x:  
device-mapper-multipath-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-libs-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
kpartx-0.8.4-22.el8_6.2.s390x.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
libdmmp-0.8.4-22.el8_6.2.s390x.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.s390x.rpm

x86_64:  
device-mapper-multipath-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-libs-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-libs-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
kpartx-0.8.4-22.el8_6.2.x86_64.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
libdmmp-0.8.4-22.el8_6.2.i686.rpm  
libdmmp-0.8.4-22.el8_6.2.x86_64.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-devel-0.8.4-22.el8_6.2.aarch64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.aarch64.rpm

ppc64le:  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-devel-0.8.4-22.el8_6.2.ppc64le.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.ppc64le.rpm

s390x:  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-devel-0.8.4-22.el8_6.2.s390x.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.s390x.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.s390x.rpm

x86_64:  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-debugsource-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-devel-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-devel-0.8.4-22.el8_6.2.x86_64.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
device-mapper-multipath-libs-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
kpartx-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.i686.rpm  
libdmmp-debuginfo-0.8.4-22.el8_6.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41974  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1go0tzjgjWX9erEAQi1Vg/+Jqqq7oYlPu31HClxrkeh1hRVpKM4wtlL  
dhaxdCntvKop7SGOoivxAy8PwnvdeSS8792yx2UJoErMoDCMvks7wKszTiNsI1Yp  
xZdysfmVj78bnkyMfdYSm9Rqwl4I4bC2endGCz8efVREGAAHKIW/ly3rGqRZnNnG  
N1HMy4v+XSvFtGWX1TDyxLNPkxDDdEKVC/cvns+UDUnIRgQHuO3RJ36ZHnYlF8Ye  
HfDIxt1ux1fS8C5JcVBdsKj1pQ0oUs9qkUsW+qxunSTIaGgSQyT2/L8K3NzrcR5d  
ZZimoDWX65binEYUhvKGNChp3cV3lwEJogcGmyeMpP+bF6WsTMCYB3aYsIeDMB8i  
SBmzsJZlI1Eb1Xk69SNGk55MyURpK2+97op51OTdJlhqQnGxqX0UEDXWv7a1Yt4+  
pXNnEWXRDz621bkJKImYYocvsqeX3xwCFEBJuJphuqK0gtReZb1zWbjNQoh97/Vk  
enZoPwjJVakn228vjq19bcxqtAX6kKLe2aHX3PuX2Dz8v8D4qk4nHRao8mHPfkae  
jBr263ltp8DyKOkpuQM67y84xSpyaaYzgNjlSQcmAC9dNmaVOxB+3p7qINxDnj4e  
rMXIohPsciENFDLa7vFSKhC5bcYiMzd+xat75AuB2V5ExqJioh+GtVVlGNhy756m  
47fa2KnK5Ag=in8Z  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux