Red Hat Security Advisory 2024-3831-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3831.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: containernetworking-plugins security and bug fix update  
Advisory ID:        RHSA-2024:3831-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3831  
Issue date:         2024-06-12  
Revision:           03  
CVE Names:          CVE-2023-45290  
====================================================================

Summary: 

An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Container Network Interface (CNI) project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. 

Security Fix(es):

* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-45290

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017

Red Hat Security Advisory 2024-3831-03

Red Hat Security Advisory 2024-3830-03 - An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory exhaustion vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3830.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gvisor-tap-vsock security and bug fix updateAdvisory ID:        RHSA-2024:3830-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3830Issue date:         2024-06-12Revision:           03CVE Names:          CVE-2023-45290====================================================================Summary: An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:A replacement for libslirp and VPNKit, written in pure Go. It is based on the network stack of gVisor and is used to provide networking for podman-machine virtual machines. Compared to libslirp, gvisor-tap-vsock brings a configurable DNS server and dynamic port forwarding.Security Fix(es):* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45290References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268017

Red Hat Security Advisory 2024-3830-03

Red Hat Security Advisory 2024-3827-03 - An update for buildah is now available for Red Hat Enterprise Linux 9. Issues addressed include memory exhaustion and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3827.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: buildah security and bug fix update  
Advisory ID:        RHSA-2024:3827-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3827  
Issue date:         2024-06-12  
Revision:           03  
CVE Names:          CVE-2023-45290  
====================================================================

Summary: 

An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images. 

Security Fix(es):

* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

* buildah: jose: resource exhaustion (CVE-2024-28176)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-45290

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854

Red Hat Security Advisory 2024-3827-03

Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3790.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift API for Data Protection (OADP) 1.3.2 security and bug fix update  
Advisory ID:        RHSA-2024:3790-03  
Product:            OpenShift API for Data Protection  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3790  
Issue date:         2024-06-11  
Revision:           03  
CVE Names:          CVE-2023-45289  
====================================================================

Summary: 

OpenShift API for Data Protection (OADP) 1.3.2 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)

* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)

* golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)

* golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-45289

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268018  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022

Red Hat Security Advisory 2024-3790-03

Red Hat Security Advisory 2024-3784-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3784.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: thunderbird security update  
Advisory ID:        RHSA-2024:3784-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3784  
Issue date:         2024-06-10  
Revision:           03  
CVE Names:          CVE-2024-4367  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.10.

Red Hat Product Security has rated this update as having a security impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.11.0.

Security Fix(es):

* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)

* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)

* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)

* firefox: Cross-origin responses could be distinguished between script and  
non-script content-types (CVE-2024-4769)

* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)

* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and  
Thunderbird 115.11 (CVE-2024-4777)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-4367

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2280382  
https://bugzilla.redhat.com/show_bug.cgi?id=2280383  
https://bugzilla.redhat.com/show_bug.cgi?id=2280384  
https://bugzilla.redhat.com/show_bug.cgi?id=2280385  
https://bugzilla.redhat.com/show_bug.cgi?id=2280386  
https://bugzilla.redhat.com/show_bug.cgi?id=2280387

Red Hat Security Advisory 2024-3784-03

Red Hat Security Advisory 2024-3783-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.10. Issues addressed include bypass and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3783.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: firefox security updateAdvisory ID:        RHSA-2024:3783-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3783Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2024-4367====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.10.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standardscompliance, performance, and portability.This update upgrades Firefox to version 115.11.0 ESR.Security Fix(es):* firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367)* firefox: IndexedDB files retained in private browsing mode (CVE-2024-4767)* firefox: Potential permissions request bypass via clickjacking (CVE-2024-4768)* firefox: Cross-origin responses could be distinguished between script andnon-script content-types (CVE-2024-4769)* firefox: Use-after-free could occur when printing to PDF (CVE-2024-4770)* firefox: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, andThunderbird 115.11 (CVE-2024-4777)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-4367References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2280382https://bugzilla.redhat.com/show_bug.cgi?id=2280383https://bugzilla.redhat.com/show_bug.cgi?id=2280384https://bugzilla.redhat.com/show_bug.cgi?id=2280385https://bugzilla.redhat.com/show_bug.cgi?id=2280386https://bugzilla.redhat.com/show_bug.cgi?id=2280387

Red Hat Security Advisory 2024-3783-03

Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3781.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:3781-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3781Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2023-5752====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)* automation-controller: Django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)* automation-controller: pip: Mercurial configuration injectable in repo revision when installing via pip (CVE-2023-5752)* automation-controller: pydantic: regular expression denial of service via crafted email string (CVE-2024-3772)* automation-hub, python3/python39-galaxy-ng: follow-redirects: Possible credential leak (CVE-2024-28849)* python3/python39-aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)* python3/python39-aiohttp: XSS on index pages for static file handling (CVE-2024-27306)* python3/python39-black: ReDoS via the lines_with_leading_tabs_expanded() function in strings.py file (CVE-2024-21503)* python3/python39-cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override (CVE-2024-26130)* python3/python39-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)* python3/python39-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)* python3/python39-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers (CVE-2024-1135)* python3/python39-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() (CVE-2024-3651)* python3/python39-jinja2: accepts keys containing non-attribute characters (CVE-2024-34064)* python3/python39-pillow: buffer overflow in _imagingcms.c (CVE-2024-28219)* python3/python39-pillow: Arbitrary Code Execution via the environment parameter (CVE-2023-50447)* python3/python39-pydantic: regular expression denial of service via crafted email string (CVE-2024-3772)* python3/python39-requests: subsequent requests to the same host ignore cert verification (CVE-2024-35195)* python3/python39-social-auth-app-django: Improper Handling of Case Sensitivity in social-auth-app-django (CVE-2024-32879)* python3/python39-sqlparse: parsing heavily nested list leads to denial of service (CVE-2024-4340)* receptor: golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)* receptor: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)* receptor: golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Fixed Redis connection leak on version 4.5.6 (AAP-24286)* automation-controller has been updated to 4.5.7Updates and fixes for automation hub:* Fixed repository sync issues (AAH-3111, AAH-3218)* automation-hub/python3-galaxy-ng/python39-galaxy-ng have been updated to 4.9.2Additional changes:* ansible-core has been updated to 2.15.11* automation-eda-controller has been updated to 1.0.7* installer and setup have been updated to 2.4-7* receptor has been updated to 1.4.8For more details about the updates and fixes included in this release, refer to the Release Notes.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5752References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2250765https://bugzilla.redhat.com/show_bug.cgi?id=2255331https://bugzilla.redhat.com/show_bug.cgi?id=2259479https://bugzilla.redhat.com/show_bug.cgi?id=2266045https://bugzilla.redhat.com/show_bug.cgi?id=2268017https://bugzilla.redhat.com/show_bug.cgi?id=2268019https://bugzilla.redhat.com/show_bug.cgi?id=2268273https://bugzilla.redhat.com/show_bug.cgi?id=2269576https://bugzilla.redhat.com/show_bug.cgi?id=2269617https://bugzilla.redhat.com/show_bug.cgi?id=2270236https://bugzilla.redhat.com/show_bug.cgi?id=2272563https://bugzilla.redhat.com/show_bug.cgi?id=2274779https://bugzilla.redhat.com/show_bug.cgi?id=2275106https://bugzilla.redhat.com/show_bug.cgi?id=2275280https://bugzilla.redhat.com/show_bug.cgi?id=2275989https://bugzilla.redhat.com/show_bug.cgi?id=2277035https://bugzilla.redhat.com/show_bug.cgi?id=2278038https://bugzilla.redhat.com/show_bug.cgi?id=2278710https://bugzilla.redhat.com/show_bug.cgi?id=2279476https://bugzilla.redhat.com/show_bug.cgi?id=2282114https://issues.redhat.com/browse/AAH-3111https://issues.redhat.com/browse/AAP-22461

Red Hat Security Advisory 2024-3781-03

Red Hat Security Advisory 2024-3775-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3775.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: idm:DL1 security updateAdvisory ID:        RHSA-2024:3775-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3775Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2024-3183====================================================================Summary: An update for the idm:DL1 module is now available for Red Hat Enterprise Linux8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es):* CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute forceFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3183References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2270685

Red Hat Security Advisory 2024-3775-03

Red Hat Security Advisory 2024-3763-03 - An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3763.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nghttp2 security updateAdvisory ID:        RHSA-2024:3763-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3763Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2024-28182====================================================================Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.Security Fix(es):* nghttp2: CONTINUATION frames DoS (CVE-2024-28182,VU#421644.5)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-28182References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268639

Red Hat Security Advisory 2024-3763-03

Red Hat Security Advisory 2024-3762-03 - Red Hat AMQ Broker 7.11.7 is now available from the Red Hat Customer Portal.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3762.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat AMQ Broker 7.11.7 release and security updateAdvisory ID:        RHSA-2024:3762-03Product:            Red Hat JBoss AMQAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3762Issue date:         2024-06-10Revision:           03CVE Names:          CVE-2023-5072====================================================================Summary: Red Hat AMQ Broker 7.11.7 is now available from the Red Hat Customer Portal.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.This release of Red Hat AMQ Broker 7.11.7 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.Security Fix(es):* (CVE-2023-5072) JSON-java: parser confusion leads to OOM* (CVE-2024-1132) keycloak: path transversal in redirection validationFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5072References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.11.7https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.11https://bugzilla.redhat.com/show_bug.cgi?id=2246417https://bugzilla.redhat.com/show_bug.cgi?id=2262117

Tag

#red_hat