#red_hat

Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-1701: virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets * CVE-2020-1742: nmstate/kubernetes-nmstate-handler: /etc/passwd is given incorrect privileges

Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.Container-native virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following container-native virtualization 2.3.0 images: RHEL-7-CNV-2.3 ============== kubevirt-ssp-operator-container-v2.3.0-42 RHEL-8-CNV-2.3 ============== hostpath-provisioner-operator-container-v2.3.0-13 kubevirt-cpu-node-labeller-container-v2.3.0-9 kubevirt-metrics-collector-container-v2.3.0-9 kubevirt-template-validator-container-v2.3.0-10 virtio-win-container-v2.3.0-8 node-maintenance-operator-container-v2.3.0-10 hostpath-provisioner-container-v2.3.0-12 kubevirt-kvm-info-nfd-plugin-container-v2.3.0-9 bridge-marker-container-v2.3.0-29 cnv-containernetworking-plugins-container-v2.3.0-30 kubemacpool-container-v2.3.0-28 kubevirt-cpu-model-nfd-plugin-container-v2.3.0-9 kubernetes-nmstate-handler-cont...

An update for git is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-1352: git: Files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams * CVE-2019-1387: git: Remote code execution in recursive clones with nested submodules * CVE-2020-11008: git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak

In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

An update is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-19869: qt5-qtsvg: Invalid parsing of malformed url reference resulting in a denial of service * CVE-2018-19871: qt5-qtimageformats: QTgaFile CPU exhaustion * CVE-2018-19872: qt: Malformed PPM image causing division by zero and crash in qppmhandler.cpp * CVE-2019-18281: qt5-qtbase: Out-of-bounds access in generateDirectionalRuns() function in qtextengine.cpp

An update for the pki-core:10.6 and pki-deps:10.6 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) * jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) * jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) For more details...

An update for e2fsprogs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. The following packages have been upgraded to a later upstream version: e2fsprogs (1.45.4). (BZ#1783777) Security Fix(es): * e2fsprogs: crafted ext4 partition leads to out-of-bounds write (CVE-2019-5094) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes l...

Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.

A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.