
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


RedHat: RHSA-2023-4612-01 Important: Spring Boot 2.7.13 Update Security

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.

Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.7.13 security update
Advisory ID: RHSA-2023:4612-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4612
Issue date: 2023-08-16
CVE Names: CVE-2021-46877 CVE-2022-1471 CVE-2022-31684 CVE-2022-45143 CVE-2023-1108 CVE-2023-20860 CVE-2023-20861

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.7.13 serves as a replacement for Red Hat support for Spring Boot 2.7.12, and includes security, bug fixes and enhancements. For more information, see the release notes linked in the References section.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* reactor-netty-http: Log request headers in some cases of invalid HTTP requests (CVE-2022-31684)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2141353 - CVE-2022-31684 reactor-netty-http: Log request headers in some cases of invalid HTTP requests
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

5. References:

https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-31684
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/release_notes_for_spring_boot_2.7/index

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list

Crucial announcement regarding Red Hat Spring Boot 2.7.13 tackles significant security vulnerabilities and enhances application functionality.

Red Hat Support, Spring Boot, Security Update, OpenShift, Application Runtimes.

Severity: Important.

LinuxSecurity.com Team

Aug 16, 2023 Important Red Hat

Red Hat: RHSA-2020:2366-01 Important: Spring Boot 2.1.12 Security Issues

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.

Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.1.12 security and bug fix update
Advisory ID: RHSA-2020:2366-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2366
Issue date: 2020-06-04
CVE Names: CVE-2019-0199 CVE-2019-3868 CVE-2019-3875 CVE-2019-10199 CVE-2019-10201 CVE-2019-14832

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[NOTE: This security advisory was unintentionally omitted at the time of the initial software release on 2020-02-18. The advisory is informational only; no files in the release have changed.]

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.1.12 serves as a replacement for Red Hat support for Spring Boot 2.1.6, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)
* keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201)
* keycloak: session hijack using the user access token (CVE-2019-3868)
* keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875)
* keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)
* keycloak: cross-realm user access auth bypass (CVE-2019-14832)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1679144 - CVE-2019-3868 keycloak: session hijack using the user access token
1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates
1693325 - CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console
1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass

5. References:

https://access.redhat.com/security/cve/CVE-2019-0199
https://access.redhat.com/security/cve/CVE-2019-3868
https://access.redhat.com/security/cve/CVE-2019-3875
https://access.redhat.com/security/cve/CVE-2019-10199
https://access.redhat.com/security/cve/CVE-2019-10201
https://access.redhat.com/security/cve/CVE-2019-14832
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot&downloadType=distributions&version=2.1.12
https://docs.redhat.com/en/documentation/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list

The software developers at Red Hat have unveiled a significant enhancement for Spring Boot 2.1.12, targeting critical vulnerabilities and correcting several bugs.

Spring Boot Support, Red Hat OpenShift, Application Runtime Security.

Severity: Important.

LinuxSecurity.com Team

Jun 04, 2020 Important Red Hat

RedHat: RHSA-2020-2252-01 Important: Spring Boot 2.2.6 Security Update

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.

Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.2.6 security and bug fix update
Advisory ID: RHSA-2020:2252-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2252
Issue date: 2020-06-01
CVE Names: CVE-2020-1697 CVE-2020-1698 CVE-2020-1718 CVE-2020-1724 CVE-2020-1727 CVE-2020-1744

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.2.6 serves as a replacement for Red Hat support for Spring Boot 2.1.13, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* keycloak: security issue on reset credential flow (CVE-2020-1718)
* keycloak: stored XSS in client settings via application links (CVE-2020-1697)
* keycloak: missing input validation in IDP authorization URLs (CVE-2020-1727)
* keycloak: Password leak by logged exception in HttpMethod class (CVE-2020-1698)
* keycloak: problem with privacy after user logout (CVE-2020-1724)
* keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links
1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP

5. References:

https://access.redhat.com/security/cve/CVE-2020-1697
https://access.redhat.com/security/cve/CVE-2020-1698
https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1727
https://access.redhat.com/security/cve/CVE-2020-1744
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.2.6
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list

Red Hat recommends utilizing Spring Boot version 2.2.6, which includes crucial security enhancements and remedies for identified vulnerabilities.

Red Hat Update, Spring Boot Support, Important Security Advisory.

Severity: Important.

LinuxSecurity.com Team

Jun 01, 2020 Important Red Hat

RedHat: RHSA-2019-3901-01 Critical Security Update for OpenShift Runtimes

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.

Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Application Runtimes Vert.x 3.8.3 security update
Advisory ID: RHSA-2019:3901-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3901
Issue date: 2019-11-18
CVE Names: CVE-2019-10174 CVE-2019-12384 CVE-2019-14379 CVE-2019-16869 CVE-2019-16942

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Application Runtimes provide an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of RHOAR Vert.x 3.8.3 includes security updates, bug fixes, and enhancements. For more information, see the release notes linked to in the References section.

Security Fix(es):

* infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)
* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)
* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
* jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)
* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in classes of the commons-dbcp package
1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers

5. References:

https://access.redhat.com/security/cve/CVE-2019-10174
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/cve/CVE-2019-16869
https://access.redhat.com/security/cve/CVE-2019-16942
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/3.8/html/release_notes_for_eclipse_vert.x_3.8/index
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=3.8.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--
RHSA-announce mailing list

Alert issued regarding the latest update for Red Hat OpenShift Application Runtimes, presenting critical patches and upgrades.

Red Hat OpenShift, Security Update, Application Runtimes, Important Fixes, Remote Code Execution.

Severity: Important.

LinuxSecurity.com Team

Nov 18, 2019 Important Red Hat

Red Hat OpenShift Moderate Security Update RHSA-2018:2552-01 DoS Risk

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from.

Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
Advisory ID: RHSA-2018:2552-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2552
Issue date: 2018-08-22
Keywords: Node.js
CVE Names: CVE-2018-0732 CVE-2018-12115

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 8 - noarch, x86_64

3. Description:

Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of RHOAR Node.js 8.11.4 serves as a replacement for RHOAR Node.js 8.11.3, and includes bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)
* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL (CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel
NODE-160 - Productisation (Errata): Build Node 8.11.4 RPMs

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 8:

Source:
rhoar-nodejs-8.11.4-2.el7.src.rpm

noarch:
rhoar-nodejs-docs-8.11.4-2.el7.noarch.rpm

x86_64:
npm-5.6.0-1.8.11.4.2.el7.x86_64.rpm
rhoar-nodejs-8.11.4-2.el7.x86_64.rpm
rhoar-nodejs-debuginfo-8.11.4-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification#moderate
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2018 Red Hat, Inc.

--
RHSA-announce mailing list

Important security patch for Red Hat OpenShift Application Framework mitigates Denial of Service vulnerabilities rated as moderate threat level.

Red Hat OpenShift, Node.js, Security Patch, Application Runtimes, Security Advisory.

LinuxSecurity.com Team

Aug 22, 2018 Red Hat

Moderate Remote Vulnerabilities in Red Hat OpenShift Application Runtimes

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from.

Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Application Runtimes security and bug fix update
Advisory ID: RHSA-2018:2371-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2371
Issue date: 2018-08-09
CVE Names: CVE-2018-12537 CVE-2018-12540

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. The RHOAR Eclipse Vert.x 3.5.3 release serves as a replacement for RHOAR Eclipse Vert.x 3.5.1, and includes bug fixes and enhancements. For a detailed list of issues resolved in the community Eclipse Vert.x 3.5.3 release, see the release notes in the References section.

Security Fix(es):

* vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers (CVE-2018-12537)
* vertx-web: Incomplete CSRF validation by CSRFHandler (CVE-2018-12540)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1591072 - CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
1600666 - CVE-2018-12540 vertx-web: Incomplete CSRF validation by CSRFHandler

5. References:

https://access.redhat.com/security/cve/CVE-2018-12537
https://access.redhat.com/security/cve/CVE-2018-12540
https://access.redhat.com/security/updates/classification#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=3.5.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2018 Red Hat, Inc.

--
RHSA-announce mailing list

Delve into the recent moderate security notice concerning Red Hat OpenShift Application Runtimes, focusing on important updates and remedies.

Red Hat OpenShift, Security Updates, Application Runtimes.

LinuxSecurity.com Team

Aug 09, 2018 Red Hat
