Alerts This Week
Warning Icon 1 770
Alerts This Week
Warning Icon 1 770

Red Hat Enterprise Linux 8: RHSA-2021-4381 Moderate: GNOME Enhancement

red hat
Calendar Grey November 9, 2021
Dist Redhat Esm H88
A significant patch published for GNOME on CentOS Stream, featuring essential security enhancements and bug resolutions. Critical for user protection.
An update for GNOME is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

GDM must be restarted for this update to take effect. The GNOME session must be restarted (log out, then log back in) for this update to take effect.

Summary

GNOME is the default desktop environment of Red Hat Enterprise Linux.
The following packages have been upgraded to a later upstream version: gdm (40.0), webkit2gtk3 (2.32.3). (BZ#1909300)
Security Fix(es):
* webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558)
* LibRaw: Stack buffer overflow in LibRaw::identify_process_dng_fields() in identify.cpp (CVE-2020-24870)
* webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918)
* webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765)
* webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788)
* webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789)
* webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799)
* webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801)
* webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844)
* webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870)
* webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871)
* webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775)
* webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779)
* webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806)
* webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663)
* webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665)
* webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682)
* webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689)
* webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720)
* webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734)
* webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744)
* webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749)
* webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758)
* webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795)
* webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797)
* webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799)
* webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623)
* gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (CVE-2020-36241)
* gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix) (CVE-2021-28650)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.

Topics%20covered

Topics Covered

security advisory bug fix Red Hat Enterprise Linux security impact Moderate severity GNOME update

References

https://access.redhat.com/security/cve/CVE-2020-13558 https://access.redhat.com/security/cve/CVE-2020-24870 https://access.redhat.com/security/cve/CVE-2020-27918 https://access.redhat.com/security/cve/CVE-2020-29623 https://access.redhat.com/security/cve/CVE-2020-36241 https://access.redhat.com/security/cve/CVE-2021-1765 https://access.redhat.com/security/cve/CVE-2021-1788 https://access.redhat.com/security/cve/CVE-2021-1789 https://access.redhat.com/security/cve/CVE-2021-1799 https://access.redhat.com/security/cve/CVE-2021-1801 https://access.redhat.com/security/cve/CVE-2021-1844 https://access.redhat.com/security/cve/CVE-2021-1870 https://access.redhat.com/security/cve/CVE-2021-1871 https://access.redhat.com/security/cve/CVE-2021-21775 https://access.redhat.com/security/cve/CVE-2021-21779 https://access.redhat.com/security/cve/CVE-2021-21806 https://access.redhat.com/security/cve/CVE-2021-28650 https://access.redhat.com/security/cve/CVE-2021-30663 https://access.redhat.com/security/cve/CVE-2021-30665 https://access.redhat.com/security/cve/CVE-2021-30682 https://access.redhat.com/security/cve/CVE-2021-30689 https://access.redhat.com/security/cve/CVE-2021-30720 https://access.redhat.com/security/cve/CVE-2021-30734 Read the Full Advisory

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: LibRaw-0.19.5-3.el8.src.rpm accountsservice-0.6.55-2.el8.src.rpm gdm-40.0-15.el8.src.rpm gnome-autoar-0.2.3-2.el8.src.rpm gnome-calculator-3.28.2-2.el8.src.rpm gnome-control-center-3.28.2-28.el8.src.rpm gnome-online-accounts-3.28.2-3.el8.src.rpm gnome-session-3.28.1-13.el8.src.rpm gnome-settings-daemon-3.32.0-16.el8.src.rpm gnome-shell-3.32.2-40.el8.src.rpm gnome-shell-extensions-3.32.1-20.el8.src.rpm gnome-software-3.36.1-10.el8.src.rpm gtk3-3.22.30-8.el8.src.rpm mutter-3.32.2-60.el8.src.rpm vino-3.22.0-11.el8.src.rpm webkit2gtk3-2.32.3-2.el8.src.rpm
aarch64: accountsservice-0.6.55-2.el8.aarch64.rpm accountsservice-debuginfo-0.6.55-2.el8.aarch64.rpm accountsservice-debugsource-0.6.55-2.el8.aarch64.rpm accountsservice-libs-0.6.55-2.el8.aarch64.rpm accountsservice-libs-debuginfo-0.6.55-2.el8.aarch64.rpm gdm-40.0-15.el8.aarch64.rpm gdm-debuginfo-40.0-15.el8.aarch64.rpm gdm-debugsource-40.0-15.el8.aarch64.rpm gnome-autoar-0.2.3-2.el8.aarch64.rpm gnome-autoar-debuginfo-0.2.3-2.el8.aarch64.rpm gnome-autoar-debugsource-0.2.3-2.el8.aarch64.rpm gnome-calculator-3.28.2-2.el8.aarch64.rpm gnome-calculator-debuginfo-3.28.2-2.el8.aarch64.rpm gnome-calculator-debugsource-3.28.2-2.el8.aarch64.rpm

Read the Full Advisory


Advisory ID: RHSA-2021:4381-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4381
Issue date: 2021-11-09

Topic

An update for GNOME is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory bug fix Red Hat Enterprise Linux security impact Moderate severity GNOME update

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

1651378 - [RFE] Provide a mechanism for persistently showing the security level of a machine at login time

1770302 - disable show text in GDM login/lock screen (patched in RHEL 7.8)

1791478 - Cannot completely disable odrs (Gnome Ratings) from the Software application in Gnome Desktop

1813727 - Files copied from NFS4 to Desktop can't be opened

1854679 - [RFE] Disable left edge gesture

1873297 - Gnome-software coredumps when run as root in terminal

1873488 - GTK3 prints errors with overlay scrollbar disabled

1888404 - Updates page hides ongoing updates on refresh

1894613 - [RFE] Re-inclusion of workspace renaming in GNOME 3.

1897932 - JS ERROR: Error: Extension point conflict: there is already a status indicator for role ...

1904139 - Automatic Logout Feature not working

1905000 - Desktop refresh broken after unlock

1909300 - gdm isn't killing the login screen on login after all, should rebase to latest release

1914925 - RFE: add patch to set grub boot_success flag on shutdown/reboot

1924725 - [Wayland] Double-touch desktop icons fails sometimes

1925640 - CVE-2020-36241 gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory

1928794 - CVE-2020-24870 LibRaw: Stack buffer overflow in LibRaw::identify_process_dng_fields() in identify.cpp

1928886 - CVE-2020-13558 webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here