Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
98
security advisorysecurity updatered hatRedHat OpenShift 4.6.26 Important Security Update and Bug Fixes
Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * jackson-databind: arbitrarycode execution in slf4j-ext class (CVE-2018-14718) * jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719) * jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360) * jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361) * jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362) * jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379) * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182) * jackson-databind: mishandles the interaction between serialization gadgets and typing, relatedto org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSourc e (CVE-2020-36189) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190) * jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720) * jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate releasechannel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.6/html/release_notes/ocp-4-6-release-notes Details on how to access this content are available at - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 1909266 - CVE-2020-35490 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource 1909269 - CVE-2020-35491 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource 1911502 -CVE-2020-35728 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool 1913871 - CVE-2020-36179 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS 1913872 - CVE-2020-36180 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS 1913874 - CVE-2020-36181 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS 1913926 - CVE-2020-36182 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS 1913927 - CVE-2020-36183 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool 1913928 - CVE-2020-36184 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource 1913929 - CVE-2020-36185 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource 1913931 - CVE-2020-36186 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource 1913933 - CVE-2020-36187 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource 1913934 - CVE-2020-36188 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource 1913937 - CVE-2020-36189jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource 1916633 - CVE-2021-20190 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing 1925361 - [4.6] ClusterLogForwarder namespace-specific log forwarding does not work as expected 1950894 - Placeholder bug for OCP 4.6.0 extras release 5. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat,Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ=CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Apr 27, 2021
•Important
Red Hat
89
security advisoryfedoraarbitrary code executionFedora 29: Eclipse-Linuxtools Security Advisory - Multiple Threats Resolved
Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-df57551f6d 2019-02-19 13:59:57.021257 --------------------------------------------------------------------------------Name : eclipse-linuxtools Product : Fedora 29 Version : 7.1.0 Release : 3.fc29 URL : https://eclipse.dev/linuxtools/ Summary : Linux specific Eclipse plugins Description : The Linux Tools project is a two-faceted project. Firstly, it develops tools and frameworks for writing tools for Linux developers. Secondly, it provides a place for Linux distributions to collaboratively overcome issues surrounding distribution packaging of Eclipse technology. The project will produce both best practices and tools related to packaging. --------------------------------------------------------------------------------Update Information: Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051. --------------------------------------------------------------------------------ChangeLog: * Thu Feb 7 2019 Mat Booth - 7.1.0-3 - Rebuild against newer BC and Jackson * Thu Jan 31 2019 Fedora Release Engineering - 7.1.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Mon Dec 10 2018 Mat Booth - 7.1.0-1 - Update to 2018-12 release --------------------------------------------------------------------------------References: [ 1 ] Bug #1555900 - jackson-datatype-jdk8: FTBFS in F28 https://bugzilla.redhat.com/show_bug.cgi?id=1555900 [ 2 ] Bug #1604397 - jackson-datatype-jdk8: FTBFS in Fedora rawhide https://bugzilla.redhat.com/show_bug.cgi?id=1604397 [ 3 ] Bug #1671098 - CVE-2018-12022 jackson-databind: improper polymorphicdeserialization of types from Jodd-db library [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1671098 [ 4 ] Bug #1666490 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666490 [ 5 ] Bug #1666486 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666486 [ 6 ] Bug #1666483 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666483 [ 7 ] Bug #1666429 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666429 [ 8 ] Bug #1666424 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666424 [ 9 ] Bug #1666419 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666419 [ 10 ] Bug #1666416 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666416 [ 11 ] Bug #1380206 - CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1380206 [ 12 ] Bug #1672925 - bouncycastle-1.61 is available https://bugzilla.redhat.com/show_bug.cgi?id=1672925 [ 13 ] Bug #1667118 - CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1667118 [ 14 ] Bug #1671099 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBCdriver [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1671099 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 19, 2019
•Important
Fedora
89
security advisorydenial of serviceFedoraFedora 29 Security Update: jackson-bom - Critical SSRF and Execution Risks
Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-df57551f6d 2019-02-19 13:59:57.021257 --------------------------------------------------------------------------------Name : jackson-bom Product : Fedora 29 Version : 2.9.8 Release : 1.fc29 URL : https://github.com/FasterXML/jackson-bom Summary : Bill of materials POM for Jackson projects Description : A "bill of materials" POM for Jackson dependencies. --------------------------------------------------------------------------------Update Information: Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051. --------------------------------------------------------------------------------ChangeLog: * Wed Feb 6 2019 Mat Booth - 2.9.8-1 - Update to latest upstream release * Fri Feb 1 2019 Fedora Release Engineering - 2.9.4-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild --------------------------------------------------------------------------------References: [ 1 ] Bug #1555900 - jackson-datatype-jdk8: FTBFS in F28 https://bugzilla.redhat.com/show_bug.cgi?id=1555900 [ 2 ] Bug #1604397 - jackson-datatype-jdk8: FTBFS in Fedora rawhide https://bugzilla.redhat.com/show_bug.cgi?id=1604397 [ 3 ] Bug #1671098 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1671098 [ 4 ] Bug #1666490 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666490 [ 5 ] Bug #1666486 - CVE-2018-19361 jackson-databind:improper polymorphic deserialization in openjpa class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666486 [ 6 ] Bug #1666483 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666483 [ 7 ] Bug #1666429 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666429 [ 8 ] Bug #1666424 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666424 [ 9 ] Bug #1666419 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666419 [ 10 ] Bug #1666416 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1666416 [ 11 ] Bug #1380206 - CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1380206 [ 12 ] Bug #1672925 - bouncycastle-1.61 is available https://bugzilla.redhat.com/show_bug.cgi?id=1672925 [ 13 ] Bug #1667118 - CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1667118 [ 14 ] Bug #1671099 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1671099 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command line. For more information, refer to the dnf documentation availableat https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 19, 2019
•Critical
Fedora
200
security advisorybug fixmoderate severityScientific Linux SL7: Addressing SLSA-2018-3242-1 Glusterfs Memory Issue
glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory (CVE-2018-10911) SL7 x86_64 glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-1 [More...]. Synopsis: Moderate: glusterfs security, bug fix, and Advisory ID: SLSA-2018:3242-1 Issue Date: 2018-10-30 CVE Numbers: CVE-2018-10911 -- Security Fix(es): * glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory (CVE-2018-10911) -- SL7 x86_64 glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-18.el7.x86_64.rpm glusterfs-libs-3.12.2-18.el7.x86_64.rpm glusterfs-api-devel-3.12.2-18.el7.x86_64.rpm glusterfs-devel-3.12.2-18.el7.x86_64.rpm glusterfs-rdma-3.12.2-18.el7.x86_64.rpm python2-gluster-3.12.2-18.el7.x86_64.rpm - Scientific Linux Development Team . Cautionary notice for glusterfs users on Scientific Linux regarding a vulnerability related to incorrect deserialization outlined in CVE-2018-10911.. glusterfs, deserialization, security advisory, memory leak, SL7. . LinuxSecurity.com Team
Nov 26, 2018
Scientific Linux
98
security advisorybug fixRed Hat Enterprise LinuxRed Hat Enterprise Linux 7: RHSA-2018-3242 Moderate: GlusterFS Security Fix
An update for glusterfs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: glusterfs security, bug fix, and enhancement update Advisory ID: RHSA-2018:3242-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:3242 Issue date: 2018-10-30 CVE Names: CVE-2018-10911 ==================================================================== 1. Summary: An update for glusterfs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - ppc64le Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - ppc64le 3. Description: GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads.GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. The following packages have been upgraded to a later upstream version: glusterfs (3.12.2). (BZ#1579734) Security Fix(es): * glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory (CVE-2018-10911) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1579734 - Update glusterfs client rpms to the latest at RHEL 7.6 1601657 - CVE-2018-10911 glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: glusterfs-3.12.2-18.el7.src.rpm x86_64: glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-18.el7.x86_64.rpm glusterfs-libs-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: glusterfs-api-devel-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-devel-3.12.2-18.el7.x86_64.rpm glusterfs-rdma-3.12.2-18.el7.x86_64.rpm python2-gluster-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v.7): Source: glusterfs-3.12.2-18.el7.src.rpm x86_64: glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-18.el7.x86_64.rpm glusterfs-libs-3.12.2-18.el7.x86_64.rpm glusterfs-rdma-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: glusterfs-api-devel-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-devel-3.12.2-18.el7.x86_64.rpm python2-gluster-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: glusterfs-3.12.2-18.el7.src.rpm ppc64le: glusterfs-3.12.2-18.el7.ppc64le.rpm glusterfs-debuginfo-3.12.2-18.el7.ppc64le.rpm glusterfs-libs-3.12.2-18.el7.ppc64le.rpm glusterfs-rdma-3.12.2-18.el7.ppc64le.rpm x86_64: glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-18.el7.x86_64.rpm glusterfs-libs-3.12.2-18.el7.x86_64.rpm glusterfs-rdma-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): Source: glusterfs-3.12.2-18.el7.src.rpm ppc64le: glusterfs-3.12.2-18.el7.ppc64le.rpm glusterfs-debuginfo-3.12.2-18.el7.ppc64le.rpm glusterfs-libs-3.12.2-18.el7.ppc64le.rpm glusterfs-rdma-3.12.2-18.el7.ppc64le.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): ppc64le: glusterfs-api-3.12.2-18.el7.ppc64le.rpm glusterfs-api-devel-3.12.2-18.el7.ppc64le.rpm glusterfs-cli-3.12.2-18.el7.ppc64le.rpm glusterfs-client-xlators-3.12.2-18.el7.ppc64le.rpm glusterfs-debuginfo-3.12.2-18.el7.ppc64le.rpm glusterfs-devel-3.12.2-18.el7.ppc64le.rpm glusterfs-fuse-3.12.2-18.el7.ppc64le.rpm python2-gluster-3.12.2-18.el7.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v.7): ppc64le: glusterfs-api-3.12.2-18.el7.ppc64le.rpm glusterfs-api-devel-3.12.2-18.el7.ppc64le.rpm glusterfs-cli-3.12.2-18.el7.ppc64le.rpm glusterfs-client-xlators-3.12.2-18.el7.ppc64le.rpm glusterfs-debuginfo-3.12.2-18.el7.ppc64le.rpm glusterfs-devel-3.12.2-18.el7.ppc64le.rpm glusterfs-fuse-3.12.2-18.el7.ppc64le.rpm python2-gluster-3.12.2-18.el7.ppc64le.rpm x86_64: glusterfs-api-devel-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-devel-3.12.2-18.el7.x86_64.rpm python2-gluster-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: glusterfs-3.12.2-18.el7.src.rpm x86_64: glusterfs-3.12.2-18.el7.x86_64.rpm glusterfs-api-3.12.2-18.el7.x86_64.rpm glusterfs-cli-3.12.2-18.el7.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-fuse-3.12.2-18.el7.x86_64.rpm glusterfs-libs-3.12.2-18.el7.x86_64.rpm glusterfs-rdma-3.12.2-18.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: glusterfs-api-devel-3.12.2-18.el7.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el7.x86_64.rpm glusterfs-devel-3.12.2-18.el7.x86_64.rpm python2-gluster-3.12.2-18.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-10911 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBW9gRb9zjgjWX9erEAQjW2RAAiA0wYYKlgzQXPMEYKO2pVQ8OnZsXZZRb oqgjs1ov8sIFVGBoIJKMt+PFb7h3ih4ChCShA0JmQtfQdd2rGJ7L/+GjyZC/UNhH aCqjFFlawMUyKfbzTXp2/3tuBHqa5+Vx4bS00KQ8FRQdThhT3pVGOyzNwZ29QMF6 +hvQbcBWhzodplqPJ+7E7woW7M7Huz4kzM+DxavsZtW8zh/S7h+kaCjcQas+YFFA TmMQVfE6TBpEn/5bEf+/kinujdAHawfoXW/bt2HFKA9KBn6S+a7zJ4/1duIKWgxs ldDT6BnCP8yeiKmetaowaHcMzv4tY/0h3mU2KR6Voq/hQmB0lXsguPppfPMQsbHu uvUvSHKFrzV++cP+iyOwUqcbFIkVOR/ka7awH0TyTlqD5uBuhXXILtAkYH9MmSWb ZJzCHsyQZySipwbjk1XN8Dk8Cio8kJmNPRo8zEG8dpEDWyxt7l6Be1NsK0hMFGPV +5neiSfjbcz6Uq1+5DFHvHGGAT7Fng3c5E4Tpu3eGLXUF5C/NyN7leakO3TdFgDi GEoJtr4aOssDWXWipv1wWDtmRN7/HlOHtlLuASOV0j0uqKsN2ybTaZNw1EWoU0jF 77OjOx6U9OQUcNwScxvcTrjbg2S4kx8HJr4K+5OrDu5nUhZOHa7eCft8EriFUed3 C2cgD7W/weA=hgwz -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Oct 30, 2018
Red Hat
200
security advisorymoderatebug fixSciLinux: SLSA-2018-2892-1 Moderate: GlusterFS Improper Deserialization
glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory (CVE-2018-10911) SL6 x86_64 glusterfs-3.12.2-18.el6.x86_64.rpm glusterfs-api-3.12.2-18.el6.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el6.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el6.x86_64.rpm glusterfs-fuse-3.12.2-18.el6.x86_64.rpm glusterfs-libs-3.12.2- [More...]. Synopsis: Moderate: glusterfs security, bug fix, and Advisory ID: SLSA-2018:2892-1 Issue Date: 2018-10-09 CVE Numbers: CVE-2018-10911 -- The glusterfs packages have been upgraded to upstream version 3.12.2, which provides a number of bug fixes over the previous version. Security Fix(es): * glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory (CVE-2018-10911) -- SL6 x86_64 glusterfs-3.12.2-18.el6.x86_64.rpm glusterfs-api-3.12.2-18.el6.x86_64.rpm glusterfs-client-xlators-3.12.2-18.el6.x86_64.rpm glusterfs-debuginfo-3.12.2-18.el6.x86_64.rpm glusterfs-fuse-3.12.2-18.el6.x86_64.rpm glusterfs-libs-3.12.2-18.el6.x86_64.rpm glusterfs-api-devel-3.12.2-18.el6.x86_64.rpm glusterfs-cli-3.12.2-18.el6.x86_64.rpm glusterfs-devel-3.12.2-18.el6.x86_64.rpm glusterfs-rdma-3.12.2-18.el6.x86_64.rpm - Scientific Linux Development Team . A timely glusterfs upgrade rectifies an issue with incorrect deserialization, preventing potential memory exploitation on SL6 environments.. GlusterFS, Security Advisory, Deserialization Flaw, SL6 Update. . LinuxSecurity.com Team
Oct 10, 2018
Scientific Linux
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!