Red Hat Security Advisory 2024-1787-03 - An update for squid is now available for Red Hat Enterprise Linux 7. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1787.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:1787-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1787Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2023-46724====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: denial of service in HTTP header parser (CVE-2024-25617)* squid: denial of service in HTTP request parsing (CVE-2023-50269)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46724References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926https://bugzilla.redhat.com/show_bug.cgi?id=2254663https://bugzilla.redhat.com/show_bug.cgi?id=2264309

Red Hat Security Advisory 2024-1787-03

Red Hat Security Advisory 2024-1786-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1786.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd:2.4/mod_http2 security updateAdvisory ID:        RHSA-2024:1786-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1786Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-27316====================================================================Summary: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: mod_http2: CONTINUATION frames DoS (CVE-2024-27316)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-27316References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268277

Red Hat Security Advisory 2024-1786-03

Red Hat Security Advisory 2024-1785-03 - An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1785.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: X.Org server security updateAdvisory ID:        RHSA-2024:1785-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1785Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-31080====================================================================Summary: An update for xorg-x11-server is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:X.Org is an open-source implementation of the X Window System. It provides thebasic low-level functionality that full-fledged graphical user interfaces aredesigned upon.Security Fix(es):* xorg-x11-server: Heap buffer overread/data leakage in ProcXIGetSelectedEvents (CVE-2024-31080)* xorg-x11-server: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice (CVE-2024-31081)* xorg-x11-server: User-after-free in ProcRenderAddGlyphs (CVE-2024-31083)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-31080References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271997https://bugzilla.redhat.com/show_bug.cgi?id=2271998https://bugzilla.redhat.com/show_bug.cgi?id=2272000

Red Hat Security Advisory 2024-1785-03

Red Hat Security Advisory 2024-1784-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1784.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:1784-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1784Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-28834====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The gnutls package provide the GNU Transport Layer Security (GnuTLS) library,which implements cryptographic algorithms and protocols such as SSL, TLS, andDTLS.This package update fixes a timing side-channel in deterministic ECDSA.Security Fix(es):* gnutls: vulnerable to Minerva side-channel information leak (CVE-2024-28834)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28834References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1784-03

As of Jun 30, 2024, the Red Hat Enterprise Linux (RHEL) 7 maintenance support 2 phase ends and Red Hat will no longer update compliance content for RHEL 7. Many policy providers, such as CIS and DISA, will no longer update their policies once maintenance ends.When this support phase ends, you can expect:The RHEL 7 scap-security-guide package will no longer be updated. You can continue to use the content provided after Jun 30, 2024. The content is mature, stable, and still suitable for use by Extended Update Support (EUS) customers after the end of maintenance, however as mentioned before there

As of Jun 30, 2024, the Red Hat Enterprise Linux (RHEL) 7 maintenance support 2 phase ends and Red Hat will no longer update compliance content for RHEL 7. Many policy providers, such as CIS and DISA, will no longer update their policies once maintenance ends.

When this support phase ends, you can expect:

The RHEL 7 scap-security-guide package will no longer be updated. You can continue to use the content provided after Jun 30, 2024. The content is mature, stable, and still suitable for use by Extended Update Support (EUS) customers after the end of maintenance, however as mentioned before there are no updates planned.  

Additionally, the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) will no longer publish updates to their RHEL 7 profiles . CIS stated that version 4.0.0 will be the final release of their RHEL 7 benchmark. DISA typically ends support of a STIG after the maintenance phase ends, which can be expected in the case of the RHEL 7 STIG.

**Resources to Help Plan Your Upgrade**

If you plan on upgrading as a result of the end of this support phase, RHEL 8 and RHEL 9 each have a STIG, with automation available for both. This automation can be run with Red Hat Insights, Ansible, Satellite, all of this automation is powered by OpenSCAP.

Red Hat has the resources, tools, and consulting offerings you need to keep your systems running and keep up with the latest benefits that Red Hat Enterprise Linux has to offer. Get started by: 

*   Determining which version is best for you
*   Outlining steps for your upgrade project
*   Keeping track of important dates
*   Finding resources to ease your transition

The Red Hat Enterprise Linux upgrade page has those upgrade resources and more. Red Hat has resources to help plan your upgrade.

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Read full bio

Red Hat Enterprise Linux 7: End of compliance content on June 30, 2024

Red Hat Security Advisory 2024-1781-03 - An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1781.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind9.16 security update  
Advisory ID:        RHSA-2024:1781-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1781  
Issue date:         2024-04-11  
Revision:           03  
CVE Names:          CVE-2023-4408  
====================================================================

Summary: 

An update for bind9.16 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind9: Parsing large DNS messages may cause excessive CPU load (CVE-2023-4408)

* bind9: Querying RFC 1918 reverse zones may cause an assertion failure when “nxdomain-redirect” is enabled (CVE-2023-5517)

* bind9: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution (CVE-2023-5679)

* bind9: Specific recursive query patterns may lead to an out-of-memory condition (CVE-2023-6516)

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)

* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4408

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2263896  
https://bugzilla.redhat.com/show_bug.cgi?id=2263897  
https://bugzilla.redhat.com/show_bug.cgi?id=2263909  
https://bugzilla.redhat.com/show_bug.cgi?id=2263911  
https://bugzilla.redhat.com/show_bug.cgi?id=2263914  
https://bugzilla.redhat.com/show_bug.cgi?id=2263917

Red Hat Security Advisory 2024-1781-03

Red Hat Security Advisory 2024-1780-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1780.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security and bug fix updateAdvisory ID:        RHSA-2024:1780-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1780Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSECresolver.Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1780-03

Red Hat Security Advisory 2024-1752-03 - An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1752.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: GitOps 1.12.1- Argo CD CLI and MicroShift GitOps security update  
Advisory ID:        RHSA-2024:1752-03  
Product:            Red Hat OpenShift GitOps  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1752  
Issue date:         2024-04-10  
Revision:           03  
CVE Names:          CVE-2023-50726  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Errata Advisory for Red Hat OpenShift GitOps v1.12.1- Argo CD CLI and MicroShift GitOps.

Security Fix(es):

* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)

* argo-cd: Users with `create` but not `override` privileges can perform local  
sync (CVE-2023-50726)

* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)

* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)

* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-50726

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2269479  
https://bugzilla.redhat.com/show_bug.cgi?id=2270170  
https://bugzilla.redhat.com/show_bug.cgi?id=2270173  
https://bugzilla.redhat.com/show_bug.cgi?id=2270182  
https://bugzilla.redhat.com/show_bug.cgi?id=2272211

Red Hat Security Advisory 2024-1752-03

Red Hat Security Advisory 2024-1751-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1751.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1751-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1751Issue date:         2024-04-11Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. The default combination of the \"control-use-cert: no\" option with either explicit or implicit use of an IP address in the \"control-interface\" option could allow improper access. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged local process to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file \"/etc/unbound/conf.d/remote-control.conf\" has been added and included in the main unbound configuration file, \"unbound.conf\". The file contains two directives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in most cases, address the vulnerability. To verify that your configuration is not vulnerable, use the \"unbound-control status | grep control\" command. If the output contains \"control(ssl)\" or \"control(namedpipe)\", your configuration is not vulnerable. If the command output returns only \"control\", the configuration is vulnerable because it does not enforce access only to the unbound group members. To fix your configuration, add the line \"include: /etc/unbound/conf.d/remote-control.conf\" to the end of the file \"/etc/unbound/unbound.conf\". If you use a custom \"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to this file. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Red Hat Security Advisory 2024-1751-03

Red Hat Security Advisory 2024-1750-03 - An update for unbound is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1750.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: unbound security updateAdvisory ID:        RHSA-2024:1750-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1750Issue date:         2024-04-10Revision:           03CVE Names:          CVE-2024-1488====================================================================Summary: An update for unbound is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.Security Fix(es):* A vulnerability was found in Unbound due to incorrect default permissions,allowing any process outside the unbound group to modify the unbound runtimeconfiguration. The default combination of the \"control-use-cert: no\" option witheither explicit or implicit use of an IP address in the \"control-interface\"option could allow improper access. If a process can connect over localhost toport 8953, it can alter the configuration of unbound.service. This flaw allowsan unprivileged local process to manipulate a running instance, potentiallyaltering forwarders, allowing them to track all queries forwarded by the localresolver, and, in some cases, disrupting resolving altogether.To mitigate the vulnerability, a new file\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in themain unbound configuration file, \"unbound.conf\". The file contains twodirectives that should limit access to unbound.conf:    control-interface: \"/run/unbound/control\"    control-use-cert: \"yes\"For details about these directives, run \"man unbound.conf\".Updating to the version of unbound provided by this advisory should, in mostcases, address the vulnerability. To verify that your configuration is notvulnerable, use the \"unbound-control status | grep control\" command. If theoutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration isnot vulnerable. If the command output returns only \"control\", the configurationis vulnerable because it does not enforce access only to the unbound groupmembers. To fix your configuration, add the line \"include:/etc/unbound/conf.d/remote-control.conf\" to the end of the file\"/etc/unbound/unbound.conf\". If you use a custom\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to thisfile. (CVE-2024-1488)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1488References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264183

Tag

#red_hat