-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: xmlrpc-c security update
Advisory ID:       RHSA-2022:1539-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1539
Issue date:        2022-04-26
CVE Names:         CVE-2022-25235 
====================================================================
1. Summary:

An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.1
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode
its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide
a network protocol to allow a client program to make a simple RPC (remote
procedure call) over the Internet. It converts an RPC into an XML document,
sends it to a remote server using HTTP, and gets back the response in XML.

Security Fix(es):

* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code
execution (CVE-2022-25235)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:
xmlrpc-c-1.51.0-5.el8_1.1.src.rpm

aarch64:
xmlrpc-c-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-client-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm
xmlrpc-c-debugsource-1.51.0-5.el8_1.1.aarch64.rpm

ppc64le:
xmlrpc-c-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-client-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm
xmlrpc-c-debugsource-1.51.0-5.el8_1.1.ppc64le.rpm

s390x:
xmlrpc-c-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-client-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.s390x.rpm
xmlrpc-c-debugsource-1.51.0-5.el8_1.1.s390x.rpm

x86_64:
xmlrpc-c-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-client-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-client-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm
xmlrpc-c-debugsource-1.51.0-5.el8_1.1.i686.rpm
xmlrpc-c-debugsource-1.51.0-5.el8_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25235
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYmga8dzjgjWX9erEAQgapw//XhcvNxYnp6Qtm/aJepfUAUEL5c3eXy4d
u9bXtLD3mLIyJH6K698F74TxK8uIeC00t0jw/M5y57YORd+bMt13H1bgKf3DCBw7
G8MHTwWhwhT1ex8jJo3TcG05+ounKqs70J+MtlpxDNOpUEpbX8mDsWE53SYeYr76
l/ibI229I/nJO8vboz/Qmg3vcTI+k8iGJNnqVN2THRtgUXfZ4CnbNFzKe3x1VX8b
uttEBxp6tOnXjqLJ4XCeywJbA1ef44nvD6BhIznxZ2MfUEgRBdLM63AcTzTFk8Ie
2slI9OfBtCVaJV9UnQxrrY12nY1RS6Vjp//NqhEMxEYcq2XozBLMXMitrHdXPwb7
rB8KUdtTdv7caHVWb6l94eOrTM8qAA6wgkQ8DYvzX+5CWj7cHSQUcduBp4OdL6b+
p4skOpKWVgQUgxvoEknT9wLuUzzD7hqoQbPTGxRtgBD4dAvWAKO+jAcHWcLtS/dw
R537E4emI7BvPVXoT6OeLN9u8cr+0/nJIdB5JZwLqx2vQ+nkl5k0nyVDvIr2R6Cy
yrFF0nZWDpKWD28TtlKZsa9NQe/YRPSbmrEW1fLD+NudzhuLQZcNb7/sRKZEuxv1
kXArqwtv1pU3+EUM70nvmmRRb2KH2a9983S4HfTb129fcSgXeglYIekTVHA3jARH
rbuSYb0t5Ew=NpRA
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-1539:01 Important: xmlrpc-c security update

An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Summary

XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML.
Security Fix(es):
* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):
Source: xmlrpc-c-1.51.0-5.el8_1.1.src.rpm
aarch64: xmlrpc-c-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.aarch64.rpm
ppc64le: xmlrpc-c-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.ppc64le.rpm
s390x: xmlrpc-c-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.s390x.rpm
x86_64: xmlrpc-c-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2022:1539-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1539
Issued Date: : 2022-04-26
CVE Names: CVE-2022-25235

Topic

An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.1Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64


Bugs Fixed

2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution


Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved