RedHat: RHSA-2019-1456:01 Moderate: Red Hat Single Sign-On 7.3.2 security update

    Date: 11 Jun 2019
    Category: Red Hat
    Posted by: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat Single Sign-On 7.3.2 security update
    Advisory ID:       RHSA-2019:1456-01
    Product:           Red Hat Single Sign-On
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1456
    Issue date:        2019-06-11
    CVE Names:         CVE-2016-10735 CVE-2018-14041 CVE-2018-20676 
                       CVE-2018-20677 CVE-2019-3872 CVE-2019-3873 
                       CVE-2019-3875 CVE-2019-3888 CVE-2019-8331 
                       CVE-2019-10157 CVE-2019-11358 
    =====================================================================
    
    1. Summary:
    
    A security update is now available for Red Hat Single Sign-On 7.3 from the
    Customer Portal.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
    project, that provides authentication and standards-based single sign-on
    capabilities for web and mobile applications.
    
    This release of Red Hat Single Sign-On 7.3.2 serves as a replacement for
    Red Hat Single Sign-On 7.3.1, and includes bug fixes and enhancements,
    which are documented in the Release Notes document.
    
    Security Fix(es):
    
    * bootstrap: XSS in the data-target attribute (CVE-2016-10735)
    
    * bootstrap: Cross-site Scripting (XSS) in the data-target property of
    scrollspy (CVE-2018-14041)
    
    * bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
    
    * bootstrap: XSS in the affix configuration target property
    (CVE-2018-20677)
    
    * picketlink: reflected XSS in SAMLRequest via RelayState parameter
    (CVE-2019-3872)
    
    * picketlink: URL injection via xinclude parameter (CVE-2019-3873)
    
    * keycloak: X.509 authentication: CRL signatures are not verified
    (CVE-2019-3875)
    
    * undertow: leak credentials to log files
    UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)
    
    * bootstrap: XSS in the tooltip or popover data-template attribute
    (CVE-2019-8331)
    
    * keycloak: Node.js adapter internal NBF can be manipulated
    (CVE-2019-10157)
    
    * js-jquery: prototype pollution in object's prototype leading to denial of
    service or remote code execution or property injection (CVE-2019-11358)
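An added example (not code from the advisory, Keycloak or jQuery) of the prototype-pollution class that CVE-2019-11358 belongs to: a constructed deep merge in the style of jQuery's recursive extend, which follows a "__proto__" key in attacker-controlled JSON straight into Object.prototype, beside a hardened merge that refuses such keys. The payload, the isAdmin flag and both function names are assumptions made for this demonstration.

```javascript
// Added example, not code from the advisory, Keycloak or jQuery. naiveDeepMerge
// is a constructed stand-in for the recursive-merge pattern behind
// CVE-2019-11358 (jQuery.extend(true, ...) before 3.4.0); safeDeepMerge is a
// hardened version of the same routine.

// Vulnerable pattern: walks every enumerable key of the source, including a
// key literally named "__proto__". target["__proto__"] resolves to
// Object.prototype, so the attacker's nested properties land on every object.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, and never descend through the keys that reach the
// prototype chain. Only an existing *own* object property is merged into;
// anything inherited is replaced by a fresh object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body merged into an options
// object. JSON.parse creates an *own* property named "__proto__" here, which is
// exactly what the vulnerable merge then follows.
const PAYLOAD = '{"theme": "dark", "__proto__": {"isAdmin": true}}';

// Returns whether an unrelated object gained "isAdmin" after the merge.
function demoVulnerable() {
  const opts = naiveDeepMerge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the global damage so the process stays usable
  return { theme: opts.theme, leaked };
}

function demoSafe() {
  const opts = safeDeepMerge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  return { theme: opts.theme, leaked: unrelated.isAdmin === true };
}

console.log('naive merge polluted Object.prototype:', demoVulnerable().leaked); // true
console.log('hardened merge polluted Object.prototype:', demoSafe().leaked);    // false
```

The deny-list of keys is the usual minimal fix; the stronger design is to merge only into objects created with Object.create(null) or to validate input against a schema before it ever reaches a generic merge, since any deep merge or "set path" helper that accepts untrusted keys is exposed to the same class of bug.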
    
    For more details about the security issue(s), including the impact, a CVSS
    score, and other related information, refer to the CVE page(s) listed in
    the References section.
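A check to run after applying the fix for CVE-2019-3888, as an added example that is not Undertow or Keycloak code: scan existing server logs for request-failure entries that captured Authorization headers or form passwords, report (for Basic credentials) which identity each one belongs to so the right secret can be rotated, and redact the lines before they are retained or shared. The log lines and their layout are constructed for this example; the exact format of the undertowRequestFailed message is not given on this page, so adapt the patterns to your real logs.

```javascript
// Added example, not Undertow or Keycloak code. CVE-2019-3888 concerns a
// request-failure log message that echoed request details, so the practical
// question after patching is: which credentials already sit in my logs, and
// what do I rotate? The log format below is constructed for this example.

// Constructed sample lines (not real Undertow output). The Basic credential
// "demo-client:s3cr3t" and the Bearer token are made up for the demonstration.
const BASIC_CREDENTIAL = Buffer.from('demo-client:s3cr3t').toString('base64');
const SAMPLE_LOG = [
  '2019-06-11 10:02:13,412 ERROR [io.undertow.request] (XNIO-1 task-3) Undertow request failed HttpServerExchange{ POST /auth/realms/demo/protocol/openid-connect/token request {Authorization=[Basic ' + BASIC_CREDENTIAL + '], Content-Type=[application/x-www-form-urlencoded]} }',
  '2019-06-11 10:02:14,001 ERROR [io.undertow.request] (XNIO-1 task-4) Undertow request failed HttpServerExchange{ GET /auth/admin/realms/demo/users request {Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln} }',
  '2019-06-11 10:02:15,210 DEBUG [io.undertow.request] (XNIO-1 task-5) request body: grant_type=password&username=alice&password=hunter2&client_id=demo',
  '2019-06-11 10:02:16,000 INFO  [org.keycloak.services] (ServerService Thread Pool -- 60) Started realm demo',
];

// Two places credentials typically surface in a dumped request: the
// Authorization header (Undertow-style "Authorization=[...]" header maps or
// plain "Authorization: ..."), and password / client_secret form fields.
const PATTERNS = [
  { name: 'authorization-header', re: /Authorization(?:=\[|:\s*)(Basic|Bearer)\s+([A-Za-z0-9+\/=._-]+)/g },
  { name: 'form-secret', re: /\b(password|client_secret)=([^&\s\]},]+)/gi },
];

// For a Basic credential, recover the identity (user or client id) without
// reporting the secret itself; that is what you need to know what to rotate.
function decodeBasicUser(b64) {
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  return idx > 0 ? decoded.slice(0, idx) : null;
}

// Returns one finding per leaked credential: line number, kind, and either the
// auth scheme (plus identity for Basic) or the offending form parameter.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const { name, re } of PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        const finding = { line: i + 1, kind: name };
        if (name === 'authorization-header') {
          finding.scheme = m[1];
          if (m[1] === 'Basic') finding.identity = decodeBasicUser(m[2]);
        } else {
          finding.parameter = m[1].toLowerCase();
        }
        findings.push(finding);
      }
    }
  });
  return findings;
}

// Replaces only the secret part of each match, keeping the scheme and field
// name so the redacted log still shows *what* was leaked.
function redactLine(line) {
  let out = line;
  for (const { re } of PATTERNS) {
    out = out.replace(re, (whole, _label, secret) => whole.slice(0, -secret.length) + '[REDACTED]');
  }
  return out;
}

console.log(scanLogLines(SAMPLE_LOG));
console.log(SAMPLE_LOG.map(redactLine).join('\n'));
```

Run the scan over every server.log and rotated copy that predates the upgrade, treat each Basic identity and each account whose password appears as compromised, and remember that a Bearer token in a log line identifies a session whose lifetime is bounded by the token's expiry, not a reusable secret, unless it is a long-lived offline or refresh token.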
    
    3. Solution:
    
    Before applying the update, back up your existing installation, including
    all applications, configuration files, databases and database settings, and
    so on.
    
    The References section of this erratum contains a download link (you must
    log in to download the update).
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
    1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
    1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
    1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
    1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
    1688966 - CVE-2019-3872 picketlink: reflected XSS in SAMLRequest via RelayState parameter
    1689014 - CVE-2019-3873 picketlink: URL injection via xinclude parameter
    1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates
    1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
    1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
    1702953 - CVE-2019-10157 keycloak: Node.js adapter internal NBF can be manipulated leading to DoS.
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2016-10735
    https://access.redhat.com/security/cve/CVE-2018-14041
    https://access.redhat.com/security/cve/CVE-2018-20676
    https://access.redhat.com/security/cve/CVE-2018-20677
    https://access.redhat.com/security/cve/CVE-2019-3872
    https://access.redhat.com/security/cve/CVE-2019-3873
    https://access.redhat.com/security/cve/CVE-2019-3875
    https://access.redhat.com/security/cve/CVE-2019-3888
    https://access.redhat.com/security/cve/CVE-2019-8331
    https://access.redhat.com/security/cve/CVE-2019-10157
    https://access.redhat.com/security/cve/CVE-2019-11358
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3
    https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXP/Js9zjgjWX9erEAQhq+xAAhN99EmwW27VDe/PAp8jM6sL8bSiqIVTf
    FfrjFhnreCeQHRHm9ySzj5XJD3U8HhFs/RkNf7lacfAV+LZ4TJffNBdaUJAezcXQ
    5Xa8BakQ8mkC2bmZydujtaRuu78iOydmitAU1dTCifWreUHi8HKubio8Uk7hW7jJ
    7VijR2ItqBestpz5KqOLlvuAzh+K47wft7oI/ga+rMxeIA5N971fkLlqK8pkovVJ
    N23fyRzobPdCzhPyCunRD3LFee2/GLZz0uxYX1OwG3f3JPpNjjhhQ7Fb4UN/9dMC
    KycaylIfdZIYTgehBe5jQVU0t/WMFw05EvkNP0IqQDCUplVEHa0HlaJXqmFE1KOy
    eug573jEBW5NLBfqihNy2XDjuktp540KTec3t67DsnNelr2NC28fVHi0XTZxyCwg
    QpzPyl5i9kOui3fqGCTxBO28RMSJGQU1cI7wyNWfHZ63v3kzscdvXwvXY9asWK9M
    N2SpKMRlb0190lRlU4XYqGeaFHO/FtYiLrieujV/1hhyoyzT9ocuKfcKv/yKJZ5o
    XoAPINBcfhk932o39EDJk5UA/h0p5mKMN2hDJHGC3HCsle5uqAmCj0m+1PXQQhTd
    Df2yZpcIeNad6et7UlwY3sAhFWJQ1VN9ME8BIphKu5CqInAZtZKrYGByvOdqVbX7
    8QsAY6H6R80=
    =rceQ
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    RHSA-announce@redhat.com
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    