A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2022-1902: Red Hat Customer Portal - Access to 24x7 support and knowledge

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.

'2101942?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-2256: Invalid Bug ID

An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.

CVE-2022-1632: Red Hat Customer Portal - Access to 24x7 support and knowledge

Red Hat Security Advisory 2022-6306-01 - MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL. Issues addressed include buffer overflow and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: rh-mariadb103-galera and rh-mariadb103-mariadb security and bug fix update  
Advisory ID:       RHSA-2022:6306-01  
Product:           Red Hat Software Collections  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6306  
Issue date:        2022-09-01  
CVE Names:         CVE-2021-46659 CVE-2021-46661 CVE-2021-46663  
                   CVE-2021-46664 CVE-2021-46665 CVE-2021-46668  
                   CVE-2021-46669 CVE-2022-21427 CVE-2022-24048  
                   CVE-2022-24050 CVE-2022-24051 CVE-2022-24052  
                   CVE-2022-27376 CVE-2022-27377 CVE-2022-27378  
                   CVE-2022-27379 CVE-2022-27380 CVE-2022-27381  
                   CVE-2022-27383 CVE-2022-27384 CVE-2022-27386  
                   CVE-2022-27387 CVE-2022-27445 CVE-2022-27447  
                   CVE-2022-27448 CVE-2022-27449 CVE-2022-27452  
                   CVE-2022-27456 CVE-2022-27458 CVE-2022-31622  
                   CVE-2022-31623 CVE-2022-32083 CVE-2022-32085  
                   CVE-2022-32087 CVE-2022-32088  
====================================================================  
1. Summary:

An update for rh-mariadb103-galera and rh-mariadb103-mariadb is now  
available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - ppc64le, s390x, x86_64  
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

MariaDB is a multi-user, multi-threaded SQL database server. For all  
practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version:  
rh-mariadb103-galera (25.3.35), rh-mariadb103-mariadb (10.3.35).

Security Fix(es):

* mariadb: MariaDB through 10.5.9 allows attackers to trigger a  
convert_const_to_int use-after-free when the BIGINT data type is used  
(CVE-2021-46669)

* mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21427)

* mariadb: lack of proper validation of the length of user-supplied data  
prior to copying it to a fixed-length stack-based buffer (CVE-2022-24048)

* mariadb: lack of validating the existence of an object prior to  
performing operations on the object (CVE-2022-24050)

* mariadb: lack of proper validation of a user-supplied string before using  
it as a format specifier (CVE-2022-24051)

* mariadb: CONNECT storage engine heap-based buffer overflow  
(CVE-2022-24052)

* mariadb: assertion failure in Item_args::walk_arg (CVE-2022-27376)

* mariadb: use-after-poison when complex conversion is involved in blob  
(CVE-2022-27377)

* mariadb: server crash in create_tmp_table::finalize (CVE-2022-27378)

* mariadb: server crash in component arg_comparator::compare_real_fixed  
(CVE-2022-27379)

* mariadb: server crash at my_decimal::operator= (CVE-2022-27380)

* mariadb: server crash at Field::set_default via specially crafted SQL  
statements (CVE-2022-27381)

* mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
(CVE-2022-27383)

* mariadb: crash via component Item_subselect::init_expr_cache_tracker  
(CVE-2022-27384)

* mariadb: server crashes in query_arena::set_query_arena upon SELECT from  
view (CVE-2022-27386)

* mariadb: assertion failures in decimal_bin_size (CVE-2022-27387)

* mariadb: assertion failure in compare_order_elements (CVE-2022-27445)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27447)

* mariadb: crash in multi-update and implicit grouping (CVE-2022-27448)

* mariadb: assertion failure in sql/item_func.cc (CVE-2022-27449)

* mariadb: assertion failure in sql/item_cmpfunc.cc (CVE-2022-27452)

* mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
(CVE-2022-27456)

* mariadb: use-after-poison in Binary_string::free_buffer (CVE-2022-27458)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31622)

* mariadb: improper locking due to the unreleased lock in  
extra/mariabackup/ds_compress.cc (CVE-2022-31623)

* mariadb: server crash at Item_subselect::init_expr_cache_tracker  
(CVE-2022-32083)

* mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
(CVE-2022-32085)

* mariadb: server crash in Item_args::walk_args (CVE-2022-32087)

* mariadb: segmentation fault in  
Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort  
(CVE-2022-32088)

* mariadb: Crash executing query with VIEW, aggregate and subquery  
(CVE-2021-46659)

* mariadb: MariaDB allows an application crash in find_field_in_tables and  
find_order_in_list via an unused common table expression (CTE)  
(CVE-2021-46661)

* mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application  
crash via certain SELECT statements (CVE-2021-46663)

* mariadb: MariaDB through 10.5.9 allows an application crash in  
sub_select_postjoin_aggr for a NULL value of aggr (CVE-2021-46664)

* mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash  
because of incorrect used_tables expectations (CVE-2021-46665)

* mariadb: MariaDB through 10.5.9 allows an application crash via certain  
long SELECT DISTINCT statements (CVE-2021-46668)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [Tracker] Rebase to Galera 25.3.35 for MariaDB-10.3 (BZ#2107054)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MariaDB server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2049302 - CVE-2021-46659 mariadb: Crash executing query with VIEW, aggregate and subquery  
2050017 - CVE-2021-46661 mariadb: MariaDB allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE)  
2050022 - CVE-2021-46663 mariadb: MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements  
2050024 - CVE-2021-46664 mariadb: MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr  
2050026 - CVE-2021-46665 mariadb: MariaDB through 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations  
2050032 - CVE-2021-46668 mariadb: MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements  
2050034 - CVE-2021-46669 mariadb: MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-free when the BIGINT data type is used  
2068211 - CVE-2022-24052 mariadb: CONNECT storage engine heap-based buffer overflow  
2068233 - CVE-2022-24051 mariadb: lack of proper validation of a user-supplied string before using it as a format specifier  
2068234 - CVE-2022-24048 mariadb: lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer  
2069833 - CVE-2022-24050 mariadb: lack of validating the existence of an object prior to performing operations on the object  
2074817 - CVE-2022-27376 mariadb: assertion failure in Item_args::walk_arg  
2074947 - CVE-2022-27377 mariadb: use-after-poison when complex conversion is involved in blob  
2074949 - CVE-2022-27378 mariadb: server crash in create_tmp_table::finalize  
2074951 - CVE-2022-27379 mariadb: server crash in component arg_comparator::compare_real_fixed  
2074966 - CVE-2022-27380 mariadb: server crash at my_decimal::operator2074981 - CVE-2022-27381 mariadb: server crash at Field::set_default via specially crafted SQL statements  
2074996 - CVE-2022-27383 mariadb: use-after-poison in my_strcasecmp_8bit() of ctype-simple.c  
2074999 - CVE-2022-27384 mariadb: crash via component Item_subselect::init_expr_cache_tracker  
2075005 - CVE-2022-27386 mariadb: server crashes in query_arena::set_query_arena upon SELECT from view  
2075006 - CVE-2022-27387 mariadb: assertion failures in decimal_bin_size  
2075691 - CVE-2022-27445 mariadb: assertion failure in compare_order_elements  
2075693 - CVE-2022-27447 mariadb: use-after-poison in Binary_string::free_buffer  
2075694 - CVE-2022-27448 mariadb: crash in multi-update and implicit grouping  
2075695 - CVE-2022-27449 mariadb: assertion failure in sql/item_func.cc  
2075697 - CVE-2022-27456 mariadb: assertion failure in VDec::VDec at /sql/sql_type.cc  
2075700 - CVE-2022-27458 mariadb: use-after-poison in Binary_string::free_buffer  
2076145 - CVE-2022-27452 mariadb: assertion failure in sql/item_cmpfunc.cc  
2082644 - CVE-2022-21427 mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
2092354 - CVE-2022-31622 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2092360 - CVE-2022-31623 mariadb: improper locking due to the unreleased lock in extra/mariabackup/ds_compress.cc  
2104425 - CVE-2022-32083 mariadb: server crash at Item_subselect::init_expr_cache_tracker  
2104431 - CVE-2022-32085 mariadb: server crash in Item_func_in::cleanup/Item::cleanup_processor  
2104434 - CVE-2022-32087 mariadb: server crash in Item_args::walk_args  
2106008 - CVE-2022-32088 mariadb: segmentation fault in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

ppc64le:  
rh-mariadb103-galera-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.ppc64le.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.ppc64le.rpm

s390x:  
rh-mariadb103-galera-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.s390x.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.s390x.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-mariadb103-galera-25.3.35-1.el7.src.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.src.rpm

x86_64:  
rh-mariadb103-galera-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-galera-debuginfo-25.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-backup-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-common-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-config-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-connect-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-debuginfo-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-devel-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-errmsg-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-gssapi-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-oqgraph-engine-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-galera-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-server-utils-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-syspaths-10.3.35-1.el7.x86_64.rpm  
rh-mariadb103-mariadb-test-10.3.35-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-46659  
https://access.redhat.com/security/cve/CVE-2021-46661  
https://access.redhat.com/security/cve/CVE-2021-46663  
https://access.redhat.com/security/cve/CVE-2021-46664  
https://access.redhat.com/security/cve/CVE-2021-46665  
https://access.redhat.com/security/cve/CVE-2021-46668  
https://access.redhat.com/security/cve/CVE-2021-46669  
https://access.redhat.com/security/cve/CVE-2022-21427  
https://access.redhat.com/security/cve/CVE-2022-24048  
https://access.redhat.com/security/cve/CVE-2022-24050  
https://access.redhat.com/security/cve/CVE-2022-24051  
https://access.redhat.com/security/cve/CVE-2022-24052  
https://access.redhat.com/security/cve/CVE-2022-27376  
https://access.redhat.com/security/cve/CVE-2022-27377  
https://access.redhat.com/security/cve/CVE-2022-27378  
https://access.redhat.com/security/cve/CVE-2022-27379  
https://access.redhat.com/security/cve/CVE-2022-27380  
https://access.redhat.com/security/cve/CVE-2022-27381  
https://access.redhat.com/security/cve/CVE-2022-27383  
https://access.redhat.com/security/cve/CVE-2022-27384  
https://access.redhat.com/security/cve/CVE-2022-27386  
https://access.redhat.com/security/cve/CVE-2022-27387  
https://access.redhat.com/security/cve/CVE-2022-27445  
https://access.redhat.com/security/cve/CVE-2022-27447  
https://access.redhat.com/security/cve/CVE-2022-27448  
https://access.redhat.com/security/cve/CVE-2022-27449  
https://access.redhat.com/security/cve/CVE-2022-27452  
https://access.redhat.com/security/cve/CVE-2022-27456  
https://access.redhat.com/security/cve/CVE-2022-27458  
https://access.redhat.com/security/cve/CVE-2022-31622  
https://access.redhat.com/security/cve/CVE-2022-31623  
https://access.redhat.com/security/cve/CVE-2022-32083  
https://access.redhat.com/security/cve/CVE-2022-32085  
https://access.redhat.com/security/cve/CVE-2022-32087  
https://access.redhat.com/security/cve/CVE-2022-32088  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdV9zjgjWX9erEAQifSA//aRBkVx5vWWSNWiR+bpq9ro9ZZgI9c1kZ  
CfYDwuybF1RIkEyfkEnDsc09/UzIAumlRqiAWYitb3novcS9G3+PhMI3tNK1lGXm  
wVEZ06kY69AxLcnHazQSh1smJlgOnA+jeBJA3qbCq9gc9d7jVQQTRmLjcQISW0Nc  
Jdg8klmApRdgwQKvFfINWojVwW5+XCYqzgPags5m4/jMSs+zC64l4iedHzdaK9ni  
UeTF41qPmeiwqKfLkaxa7TXXzYO8Nj8kveZj0F7j4ZnAums+FSVmHGNDWu42OKdk  
CDX4XviQt8ykGt/21WHyeFlvxtWkU2nuzPi4MP1/OF9rh5hgImgPXpY34JNjQ6Xu  
2k90YSbZAkk2knsnbAdaDDoHLAMma4CYfjZL54ll9XTD2VVPfGxTeng2NBCWf17U  
xDqCZTVt2GdrYclmX6CE65u6b6LmO6B+ALnRbB9fFC5bFhT/t+PU4MOGBIKK1238  
6vs07JOn+hkadH7Cy0RJukdcJ1IDz7/8BDXaUQNHzcn2I2cpde8luYX3SfXkQqnH  
N2exSc0lseD/J2gWBlxzZqjWyp6ly7byYELgByugXYuCuB2JJwQA0jPmKY5HHVxp  
vCmDOa7jvP81r/LfN0e0q0oM4UE9yThi1Y4mSiKW1TPpmzRwolejwkW0xUu4fQtW  
V6O5WEsw6KYékr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6306-01

Red Hat Security Advisory 2022-6314-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pcs security update  
Advisory ID:       RHSA-2022:6314-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6314  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-2735  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage (v. 8) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: obtaining an authentication token for hacluster user could lead to  
privilege escalation (CVE-2022-2735)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2116815 - CVE-2022-2735 pcs: obtaining an authentication token for hacluster user could lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux High Availability (v. 8):

Source:  
pcs-0.10.12-6.el8_6.2.src.rpm

aarch64:  
pcs-0.10.12-6.el8_6.2.aarch64.rpm  
pcs-snmp-0.10.12-6.el8_6.2.aarch64.rpm

ppc64le:  
pcs-0.10.12-6.el8_6.2.ppc64le.rpm  
pcs-snmp-0.10.12-6.el8_6.2.ppc64le.rpm

s390x:  
pcs-0.10.12-6.el8_6.2.s390x.rpm  
pcs-snmp-0.10.12-6.el8_6.2.s390x.rpm

x86_64:  
pcs-0.10.12-6.el8_6.2.x86_64.rpm  
pcs-snmp-0.10.12-6.el8_6.2.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage (v. 8):

Source:  
pcs-0.10.12-6.el8_6.2.src.rpm

ppc64le:  
pcs-0.10.12-6.el8_6.2.ppc64le.rpm  
pcs-snmp-0.10.12-6.el8_6.2.ppc64le.rpm

s390x:  
pcs-0.10.12-6.el8_6.2.s390x.rpm  
pcs-snmp-0.10.12-6.el8_6.2.s390x.rpm

x86_64:  
pcs-0.10.12-6.el8_6.2.x86_64.rpm  
pcs-snmp-0.10.12-6.el8_6.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2735  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id!16837

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdRdzjgjWX9erEAQh7WRAAnt3Q7zKoGIONdc4Pz+fjTU/zhQY/fX94  
ke+qx1jlaSE3yLYsPKBlvabwr4MFlD/EOmanz+KkfE9aCDBUGvKv8QA42RQXMpCa  
Iv7GHDI4pRc1t1MBPkxO4CvHWr5c9mA9DJE8tYHMrKlhh4JzfhNXPV6zsMlCb2/s  
JgCPia9pUoGfRgeyzQDyjvdvksXeTJf8Qj96rytCAtgj2WGEJubqHpcX7s3WNDFD  
LMUKM1b9YnoXxEd0ochmpnrjHmotZb07kSCqlS+HEY/7q0/eJZagZ7oHj8iO6Mz7  
UXe16yLESC2UsM7PdC4Xi6FPGARBnGmLrSkoNrhQ4yav8qlgBHUQHmOYOgUwH9WB  
OBCMoJg1m0x3TXPGAV4tfRp5BiVgSjfEWBgOaQgFTo7E2o2TQjG+plCSb1oNQixP  
BXV3tMFWWBIYtzxN83hPnZvox6uHXZOvRzWwekbYmEwvCnERKRlhvL0T9QCb5qu3  
yqZo4QVyy08Rya7qrCrgm92AJjhAxy1Bk0EQD/s6u6i7samM+Vj2kDir1SMrifiW  
c82+fNnDzMb2sJ4TRWp9Xza+laJOK/paJQ3rpTxVtpJRwNWUafpXBawpx/Q4UAtS  
mGOMyUBgRj66SLYKCxDxVNIj5wj4s4v3vLQPPuqjGd2uLlWjq/EynADRsO4TY5Bx  
07UXTJVBJ3A=CRof  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6314-01

Red Hat Security Advisory 2022-6312-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pcs security update  
Advisory ID:       RHSA-2022:6312-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6312  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-2735  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 8.4  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage EUS (v.8.4) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: obtaining an authentication token for hacluster user could lead to  
privilege escalation (CVE-2022-2735)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2116815 - CVE-2022-2735 pcs: obtaining an authentication token for hacluster user could lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux High Availability EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.2.src.rpm

aarch64:  
pcs-0.10.8-1.el8_4.2.aarch64.rpm  
pcs-snmp-0.10.8-1.el8_4.2.aarch64.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.2.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.2.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.2.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.2.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.2.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.2.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage EUS (v.8.4):

Source:  
pcs-0.10.8-1.el8_4.2.src.rpm

ppc64le:  
pcs-0.10.8-1.el8_4.2.ppc64le.rpm  
pcs-snmp-0.10.8-1.el8_4.2.ppc64le.rpm

s390x:  
pcs-0.10.8-1.el8_4.2.s390x.rpm  
pcs-snmp-0.10.8-1.el8_4.2.s390x.rpm

x86_64:  
pcs-0.10.8-1.el8_4.2.x86_64.rpm  
pcs-snmp-0.10.8-1.el8_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2735  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id!16836

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdT9zjgjWX9erEAQh7ShAAla4hzjBXI+Ba9Y0IIr/1QLR9/2LVV/dv  
bLPDnfzxcNivBlEKwifFvrti0mT+Br9bv6UV9aFa8IowlUUwP71grZm/Rx/hO1kH  
a7RFxGCJZ+LqDVr9jDpiGe9yOu1cb6b+hMhpzKwvO/KsAfxu70o9MjXdds0CV0qH  
inRChminbpkVEf8GIZOUDuQcq5IEd3Zo/JzD7wjgf3CHe1iC2f98t0WbCEjSmERG  
1wh2W5ht05cW7iZPj4Oo8SOj4RRSVqUhoWhapZG9HO+E9QGCIeX39sMz8ICRCosi  
fKNor4OEMCpt52u6UlJg+1a3fQNXIVoUav6dZNEKOLx/bRr0kZMpyOSHC+pqLiuY  
rcosCtUvUhBbsKgIu7iE3GWDfCbToJoBBXlD7e+8wzvTXEAE/wjI0RprBE4ceabZ  
OniXom8txVgUwEqWvyf+UwagcEfYv2Nip8blAJPzEHQ8O3zO9CxuvsblPKJD4IYa  
V9D4cxw8+RXdAGOW+d0FNDuf0dJo86weF+iCn4TteIU4boq5iQ9321Lc6b8bBSz9  
8adhTzhtyQeCDrHqqnSQndnNDG0jAYBlXECKCo01IlGHy2s1SlXflDZoGNKjmv8v  
qY1VN00xR+T3iASGH6ksp4oXAqfZRh7KvEDE3Zmsu1Bq+2LImKSHNOCXzhPa/4FT  
5/AkhU6ibu4=OieI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6312-01

Red Hat Security Advisory 2022-6313-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: pcs security update  
Advisory ID:       RHSA-2022:6313-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6313  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-2735  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage (v. 9) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: obtaining an authentication token for hacluster user could lead to  
privilege escalation (CVE-2022-2735)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2116815 - CVE-2022-2735 pcs: obtaining an authentication token for hacluster user could lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux High Availability (v. 9):

Source:  
pcs-0.11.1-10.el9_0.2.src.rpm

aarch64:  
pcs-0.11.1-10.el9_0.2.aarch64.rpm  
pcs-snmp-0.11.1-10.el9_0.2.aarch64.rpm

ppc64le:  
pcs-0.11.1-10.el9_0.2.ppc64le.rpm  
pcs-snmp-0.11.1-10.el9_0.2.ppc64le.rpm

s390x:  
pcs-0.11.1-10.el9_0.2.s390x.rpm  
pcs-snmp-0.11.1-10.el9_0.2.s390x.rpm

x86_64:  
pcs-0.11.1-10.el9_0.2.x86_64.rpm  
pcs-snmp-0.11.1-10.el9_0.2.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage (v. 9):

Source:  
pcs-0.11.1-10.el9_0.2.src.rpm

ppc64le:  
pcs-0.11.1-10.el9_0.2.ppc64le.rpm  
pcs-snmp-0.11.1-10.el9_0.2.ppc64le.rpm

s390x:  
pcs-0.11.1-10.el9_0.2.s390x.rpm  
pcs-snmp-0.11.1-10.el9_0.2.s390x.rpm

x86_64:  
pcs-0.11.1-10.el9_0.2.x86_64.rpm  
pcs-snmp-0.11.1-10.el9_0.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2735  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id!16839

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxDdStzjgjWX9erEAQjUJg/9Hov0AK9DBgtNQt6oxIIrWhs7TYvehdzJ  
qIPh1BbZmyuRrOMM1a7hrMH9UYfBK0pwrXs+U0NkY6NjKflQq3VKAi1nGuZbLy3r  
tkX032KlknHbSDVyHUl8mKsPRVYW/obelia23F22IIAXdjU/aEY3UzGMwQGW9lh9  
CVKVNu2/fDhZtII7AUJw5UlOdvlMSaeND0RmqiOhRJSoaE8jP2pLklL1Q4L48txX  
Dhyq2CzCgGBHSkcZ6Yn3FRus1kTRRDjIMQABLZVSSsZF8xTMI3EDPmagl8ynS5uE  
LZk5k3BNNGXsyP8sF23iZ66z5Ue7mFbqioRcY8pSrkOZ9nM66S5+TA3TNmeK0Gde  
Pxhdryo9Btu1Tkku7NwaY1uZD14wgj4O6gTCDSoPQy+PcbUKlOxDm3DBCfZwHl4r  
BB2qOmbSkBUcYLV10qPzdik8UTl64dB2z7DXWSy3nqpD0avTnDe66JwXcBYmVK44  
DaVWe2YKfkNtQQJ3mf2WuFqRmcuOSUQloWJvTmlzDwSy7kpBJTDCfnBQORIbkYa7  
eIc8PUj0GjfZqRZ7Ku+y0UKR0UOpXLtm4V0TsdAF9V6kbLd4aA7Y1tP+3RyFfsTR  
SMl77kwTVV52m1KZ1bLC6hEnWMKk9MdaZhY+HFSKWy9nkYwmtV42YR1UXcBeJ5OU  
CQXUykjXU9c=KFjU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6313-01

Red Hat Security Advisory 2022-6152-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update  
Advisory ID:       RHSA-2022:6152-01  
Product:           OSSO  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6152  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-24675  
                   CVE-2022-28131 CVE-2022-28327 CVE-2022-30629  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148  
====================================================================  
1. Summary:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact  
of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Description:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
* golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)  
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

3. Solution:

For Secondary Scheduler Operator 1.1.0 see the following documentation,  
which  
will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift  
1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2105001 - [SSO] Secondary scheduler version is shown as unknown in the operator logs  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.jboss.org/):

WRKLDS-466 - Secondary Scheduler Operator for Red Hat OpenShift 1.1 release

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxCI69zjgjWX9erEAQhXXxAAosQlZxGWGILaGuYUJr/S/jXROYtor0Wv  
z8na9oZNTgJG086tiPehf+HAUIbwIRlExUg/fI0TkkQILou0JDqDKbMfxuvZ3You  
vgUzKoLHnf541JJp1tjLFbHl+dcG1ohoXEFdh6UpmhxILu56hnC7jB7hfAXnye/E  
wIwwtRkG7tzS2f81vFG1TwWunVddvtNy6ITnqkBLWvjRP0ihk6mBt4iBz4NOKYFi  
x/7TRZUGV+ILeP++g7qsbehOwZLj2p9NzqE2cRw/A1DP3WVRglKaGuhd46kR9mtn  
o0LK9jSBJ0QMPXDvEk52PU4J8yDqhhvTWSeCrFg0rwC3Xd3/41xxKTo9htbLOHfQ  
Ei359sevhBTpLH1sdS7/jjmd8jMYe9CZXxk0Ck87e+T17MXOyKVHSsMFjZR1Pgfu  
wXAMZaIut1l23RA+3T79jYUnrbB+zD4rDk5mwLuurO8n6y7Bw1Dr1Rr2r1mKgr7N  
rxIpHDhw2nWjEhnhl91+2r2ucLvfD6qqsdnV58XTKdLUqNbYAOL1p3tGljqmUVsH  
f2YWDoEc3LpbVoT12xbxqnmJRQGmWwfsNRY4tr6w+qVHgKjBAjMGaDhd4gIVEuGi  
08mdVFBRqUPBbkIZu9ku5Eh8dgg2NcOFN1naDYb3AaNJp7+garNbcGFL1lIK0cBM  
ZO93shdrUmc=3goO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6152-01

Red Hat Security Advisory 2022-6292-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.8.7 serves as a replacement for Red Hat AMQ Broker 7.8.6, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a html injection vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Important: Red Hat AMQ Broker 7.8.7 release and security updateAdvisory ID:       RHSA-2022:6292-01Product:           Red Hat JBoss AMQAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:6292Issue date:        2022-09-01CVE Names:         CVE-2022-35278====================================================================1. Summary:Red Hat AMQ Broker 7.8.7 is now available from the Red Hat Customer Portal.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.2. Description:AMQ Broker is a high-performance messaging implementation based on ActiveMQArtemis. It uses an asynchronous journal for fast message persistence, andsupports multiple languages, protocols, and platforms.This release of Red Hat AMQ Broker 7.8.7 serves as a replacement for RedHat AMQ Broker 7.8.6, and includes security and bug fixes, andenhancements. For further information, refer to the release notes linked toin the References section.Security Fix(es):* artemis-plugin: activemq-artemis: AMQ Broker web console HTML Injection(CVE-2022-35278)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.3. Solution:Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link (you mustlog in to download the update).4. Bugs fixed (https://bugzilla.redhat.com/):2109805 - CVE-2022-35278 activemq-artemis: AMQ Broker web console HTML Injection5. References:https://access.redhat.com/security/cve/CVE-2022-35278https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.8.7https://access.redhat.com/documentation/en-us/red_hat_amq/6. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBYxCI3NzjgjWX9erEAQhXPQ//evF+wS+qIbMzTyHsDPwN9HUHkEsqe0ZfyS6InsjK8VPVDNx96Q0OthS6A/qCYaHFCPZCZvaBYuj8KT2odH1VqRTT9wLa9y/f0hFvqMtUDmCu7IBMhwmUkzRH/TlM6LAxzlvUhkuSEIXCIIaFE+Rif+zcF4qYbnZVAvXzSIP1f2HGOXgVgxgoYR0zI0wldCwq+29w4+BJGcjGd2mk5Fwsc2KeBY0PAYCHPFtkPnnV1LkFMzPHrFwYHC8GwtO5kUBpUlOb4Abd82hXIRH5zJVOLUWyjA4OdU6bhkbmkcyABoUzNRVfTt3TOwZ7F7eCAj9Kleke9S0+5H3a5rPY4pOOUXodRaAZjkhLh4twQIkvtgqeidA7cVbbCRDcIJDuJb+cWxrlxdAYh1OWBavlyGaIvK6vdL5dv57AT6diUX49udNsC77ncSmCySt1kt+tGNxEhmPYBSeqUsjaap8ikuABr7qoqoxKLcQSrq2O9sYMICg71C7CnKyyJJB6FUa7uh+kq670h/+aDGK8MExiGUEdMQeNSfWYd0MOPJ6TtyApkyR12EqP+DhBLpy4JM173DDNACpduMFp4pBtskpaWL0lRfa5N4tS3G8YKW2iR/MEQFKfPYy673S/bgMy3mW+cn84FrbAhXWVbOG9/4rKzAhJWE1/FiseOajUxb10bkQYL7E=Q4jI-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6292-01

Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update  
Advisory ID:       RHSA-2022:6290-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6290  
Issue date:        2022-09-01  
CVE Names:         CVE-2021-3634 CVE-2021-40528 CVE-2022-1271  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-24675  
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-26691  
                   CVE-2022-28327 CVE-2022-29154 CVE-2022-29824  
                   CVE-2022-30629 CVE-2022-30631 CVE-2022-32206  
                   CVE-2022-32208  
====================================================================  
1. Summary:

OpenShift API for Data Protection (OADP) 1.1.0 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig  
OADP-154 - Ensure support for backing up resources based on different label selectors  
OADP-194 - Remove the registry dependency from OADP  
OADP-199 - Enable support for restore of existing resources  
OADP-224 - Restore silently ignore resources if they exist - restore log not updated  
OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated  
OADP-234 - Implementation of incremental restore  
OADP-324 - Add label to Expired backups failing garbage collection  
OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases  
OADP-422 - [GCP] An attempt of snapshoting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone  
OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete  
OADP-478 - volumesnapshotcontent cannot be deleted; SnapshotDeleteError Failed to delete snapshot  
OADP-528 - The volumesnapshotcontent is not removed for the synced backup  
OADP-533 - OADP Backup via Ceph CSI snapshot hangs indefinitely on OpenShift v4.10  
OADP-538 - typo on noDefaultBackupLocation error on DPA CR  
OADP-552 - Validate OADP with 4.11 and Pod Security Admissions  
OADP-558 - Empty Failed Backup CRs can't be removed  
OADP-585 - OADP 1.0.3: CSI functionality is broken on OCP 4.11 due to missing v1beta1 API version  
OADP-586 - registry deployment still exists on 1.1 build, and the registry pod gets recreated endlessly  
OADP-592 - OADP must-gather add support for insecure tls  
OADP-597 - BSL validation logs  
OADP-598 - Data mover performance on backup blocks backup process  
OADP-599 - [Data Mover] Datamover Restic secret cannot be configured per bsl  
OADP-600 - Operator should validate volsync installation and raise warning if data mover is enabled  
OADP-602 - Support GCP for openshift-velero-plugin registry  
OADP-605 - [OCP 4.11] CSI restore fails with admission webhook \"volumesnapshotclasses.snapshot.storage.k8s.io\" denied  
OADP-607 - DataMover: VSB is stuck on SnapshotBackupDone  
OADP-610 - Data mover fails if a stale volumesnapshot exists in application namespace  
OADP-613 - DataMover: upstream documentation refers wrong CRs  
OADP-637 - Restic backup fails with CA certificate  
OADP-643 - [Data Mover] VSB and VSR names are not unique  
OADP-644 - VolumeSnapshotBackup and VolumeSnapshotRestore timeouts should be configurable  
OADP-648 - Remove default limits for velero and restic pods  
OADP-652 - Data mover VolSync pod errors with Noobaa  
OADP-655 - DataMover: volsync-dst-vsr pod completes although not all items where restored in the namespace  
OADP-660 - Data mover restic secret does not support Azure  
OADP-698 - DataMover: volume-snapshot-mover pod points to upstream image  
OADP-715 - Restic restore fails: restic-wait container continuously fails with "Not found: /restores/<pod-volume>/.velero/<restore-UID>"  
OADP-716 - Incremental restore: second restore of a namespace partially fails  
OADP-736 - Data mover VSB always fails with volsync 0.5

6. References:

https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-26691  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxA0ftzjgjWX9erEAQgcZBAAhpl5yhUlRDVqai0DF0VUbpNENP0oqAEU  
nSI4eOGm66Y8d2Qtymae3HwiP8Fa+FIg+QLlQqJaLSPRpttv1kxmB7vL2fzcDyQ2  
6VKUFLV9Lo9oSUqfAlvO8rbSWMvvickV3kTYC+HDgz5/Y3C2JKA1wlhn/5548Iq0  
syHaj/sLw3lYK9AsQDrgN+FWFnNgUsqPmb5WmgQ3HoYP4Ksq1jpcnWAtqkNl7eT4  
IeBAl1B8+I5l4eDj20HJyaGh5h37loCLW1NhcVeoqrwqnkWKVXcbXeYanEoRGCya  
Y38JtNmFlNLjQ69sWoyLonDqKdNQmnbhWRYzRjQF7nGAB+STG9uJ1e1e75T4IoD7  
m0gMS30vjC9rqV455m8sOeDwNf+1rPAXmgC5QR1mEavd1LphlHkO56a+j4aPVPGV  
V/ItM94tAuFvdkL7ZPRMxNux0CMzkBtvEeh3wbUXWF1UKw6ew8yhLHoUevCI2paT  
ggXr3kbBV5yAKgT/+c6TRGYiI66pV1RjCOpE/tJYYpiNhq2dhxjpm0e9RRxLtoTK  
EazQq5tWEYDqNcY2LmXIAwgnIhygqy6HXVBI04rqdI4WKgHPtnp8vfSNaArfSCUP  
kC85ROZc6ZTBOPVWEBT34Y64lPO37jzXhuvvytOmOtUJbuWn4XFl9rRswRnv/yKU  
Rl4NtEV1XHs=zaXV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#red_hat