Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 40 articles for you...
203

Mageia Node.js Critical Memory Growth and Identity Check Issues 2026-0257

Security update. Publication date: 18 Jul 2026 URL: https://advisories.mageia.org/MGASA-2026-0257.html Type: security Affected Mageia releases: 10, 9 CVE: CVE-2026-48615, CVE-2026-48617, CVE-2026-48618, CVE-2026-48619, CVE-2026-48928, CVE-2026-48930, CVE-2026-48931, CVE-2026-48933, CVE-2026-48934, CVE-2026-48935, CVE-2026-48937 Description: lib,test: redact proxy credentials in tunnel errors. (CVE-2026-48615) permission: handle process.chdir on writereport. (CVE-2026-48617) tls: normalize hostname for server identity checks. (CVE-2026-48618) http2: cap originSet size to prevent unbounded memory growth. (CVE-2026-48619) tls: fix case-sensitive SNI context matching. (CVE-2026-48928) dns,net: reject hostnames with embedded NUL bytes. (CVE-2026-48930) http: fix response queue poisoning in http.Agent. (CVE-2026-48931) crypto: guard WebCrypto cipher output length. (CVE-2026-48933) tls: bind reusable sessions to authenticated host. (CVE-2026-48934) permission: disable FileHandle utimes with permission model. (CVE-2026-48935) deps: fix integration issues with the latest nghttp2. (CVE-2026-48937) References: - https://bugs.mageia.org/show_bug.cgi?id=35724 - https://nodejs.org/en/blog/release/v22.23.0 - https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - https://www.cve.org/CVERecord?id=CVE-2026-48615 - https://www.cve.org/CVERecord?id=CVE-2026-48617 - https://www.cve.org/CVERecord?id=CVE-2026-48618 - https://www.cve.org/CVERecord?id=CVE-2026-48619 - https://www.cve.org/CVERecord?id=CVE-2026-48928 - https://www.cve.org/CVERecord?id=CVE-2026-48930 - https://www.cve.org/CVERecord?id=CVE-2026-48931 - https://www.cve.org/CVERecord?id=CVE-2026-48933 - https://www.cve.org/CVERecord?id=CVE-2026-48934 - https://www.cve.org/CVERecord?id=CVE-2026-48935 - https://www.cve.org/CVERecord?id=CVE-2026-48937 SRPMS: - 10/core/nodejs-22.23.1-2.mga10 - 9/core/nodejs-22.23.1-2.mga9 . Security vulnerabilities identified in Node.js for Mageia 10 and 9 requireimmediate attention. Patching instructions included.. nodejs security update,mageia vulnerability,critical security alert. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jul 18, 2026 Critical Mageia
202

openSUSE Nodejs22 Important Denial of Service Vulnern 2026-2647-1

An update that solves 19 vulnerabilities can now be installed.. # Security update for nodejs22 Announcement ID: SUSE-SU-2026:2647-1 Release Date: 2026-06-26T10:34:06Z Rating: important References: * bsc#1259853 * bsc#1262274 * bsc#1266318 * bsc#1268097 * bsc#1268477 * bsc#1268479 * bsc#1268481 * bsc#1268482 * bsc#1268554 * bsc#1268555 * bsc#1268592 * bsc#1268593 * bsc#1268598 * bsc#1268605 * bsc#1268606 * bsc#1268608 * bsc#1268609 * bsc#1268611 * bsc#1268618 Cross-References: * CVE-2026-11525 * CVE-2026-12151 * CVE-2026-27135 * CVE-2026-40170 * CVE-2026-42338 * CVE-2026-48615 * CVE-2026-48617 * CVE-2026-48618 * CVE-2026-48619 * CVE-2026-48928 * CVE-2026-48930 * CVE-2026-48931 * CVE-2026-48933 * CVE-2026-48934 * CVE-2026-48935 * CVE-2026-48937 * CVE-2026-6733 * CVE-2026-9496 * CVE-2026-9679 CVSS scores: * CVE-2026-11525 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-11525 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-12151 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-12151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-27135 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-40170 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42338 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N *CVE-2026-42338 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-48615 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-48615 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-48615 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-48617 ( SUSE ): 1.8 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48617 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N * CVE-2026-48617 ( NVD ): 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N * CVE-2026-48618 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48618 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-48618 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N * CVE-2026-48619 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48619 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48928 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48928 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N * CVE-2026-48928 ( NVD ): 4.2 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-48930 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48930 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-48930 ( NVD ): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-48931 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48931 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48931 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48933 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48933 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48933 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48934 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48934 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-48934 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2026-48935 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48935 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48935 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48937 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48937 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-6733 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-6733 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-9496 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-9496 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-9496 ( NVD ): 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-9496 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-9679 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-9679 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves 19 vulnerabilities can now be installed. ## Description: This update for nodejs22 fixes the following issues Update to 22.23.0: * CVE-2026-6733:undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479). * CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318). * CVE-2026-9679: undici: undici vulnerable to HTTP header injection via Set- Cookie percent-decoding (bsc#1268477). * CVE-2026-11525: undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481). * CVE-2026-12151: undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482). * CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853). * CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274). * CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097). * CVE-2026-48615: Proxy credentials leaked in ERR_PROXY_TUNNEL error message (bsc#1268598). * CVE-2026-48617: permission model enforcement bypass via `process.report.writeReport()` path misvalidation (bsc#1268554). * CVE-2026-48618: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (bsc#1268593). * CVE-2026-48619: Unbounded memory growth in node:http2 clients via attacker- controlled ORIGIN frames (bsc#1268618). * CVE-2026-48928: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (bsc#1268605). * CVE-2026-48930: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (bsc#1268606). * CVE-2026-48931: HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (bsc#1268611). * CVE-2026-48933: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort(bsc#1268592). * CVE-2026-48934: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (bsc#1268608). * CVE-2026-48935: Permission Model bypass via FileHandle.utimes() in the promises API (bsc#1268609). * CVE-2026-48937: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2647=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2026-2647=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2647=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 * openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * corepack22-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * openSUSE Leap 15.6 (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server 15 SP6LTSS (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 ## References: * https://www.suse.com/security/cve/CVE-2026-11525.html * https://www.suse.com/security/cve/CVE-2026-12151.html * https://www.suse.com/security/cve/CVE-2026-27135.html * https://www.suse.com/security/cve/CVE-2026-40170.html * https://www.suse.com/security/cve/CVE-2026-42338.html * https://www.suse.com/security/cve/CVE-2026-48615.html * https://www.suse.com/security/cve/CVE-2026-48617.html * https://www.suse.com/security/cve/CVE-2026-48618.html * https://www.suse.com/security/cve/CVE-2026-48619.html * https://www.suse.com/security/cve/CVE-2026-48928.html * https://www.suse.com/security/cve/CVE-2026-48930.html * https://www.suse.com/security/cve/CVE-2026-48931.html * https://www.suse.com/security/cve/CVE-2026-48933.html * https://www.suse.com/security/cve/CVE-2026-48934.html * https://www.suse.com/security/cve/CVE-2026-48935.html * https://www.suse.com/security/cve/CVE-2026-48937.html * https://www.suse.com/security/cve/CVE-2026-6733.html * https://www.suse.com/security/cve/CVE-2026-9496.html * https://www.suse.com/security/cve/CVE-2026-9679.html * https://bugzilla.suse.com/show_bug.cgi?id=1259853 * https://bugzilla.suse.com/show_bug.cgi?id=1262274 * https://bugzilla.suse.com/show_bug.cgi?id=1266318 * https://bugzilla.suse.com/show_bug.cgi?id=1268097 * https://bugzilla.suse.com/show_bug.cgi?id=1268477 * https://bugzilla.suse.com/show_bug.cgi?id=1268479 * https://bugzilla.suse.com/show_bug.cgi?id=1268481 * https://bugzilla.suse.com/show_bug.cgi?id=1268482 * https://bugzilla.suse.com/show_bug.cgi?id=1268554 * https://bugzilla.suse.com/show_bug.cgi?id=1268555 * https://bugzilla.suse.com/show_bug.cgi?id=1268592 * https://bugzilla.suse.com/show_bug.cgi?id=1268593 * https://bugzilla.suse.com/show_bug.cgi?id=1268598 * https://bugzilla.suse.com/show_bug.cgi?id=1268605 * https://bugzilla.suse.com/show_bug.cgi?id=1268606 * https://bugzilla.suse.com/show_bug.cgi?id=1268608 *https://bugzilla.suse.com/show_bug.cgi?id=1268609 * https://bugzilla.suse.com/show_bug.cgi?id=1268611 * https://bugzilla.suse.com/show_bug.cgi?id=1268618 . Critical update for openSUSE addressing 19 important vulnerabilities in nodejs22, fixing various security issues.. openSUSE security,nodejs22 vulnerabilities,nodejs update,SUSE vulnerabilities. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 26, 2026 Important OpenSUSE
100

SUSE Nodejs22 Important Update Denial of Service Attack 2026-2647-1

An update that solves 19 vulnerabilities can now be installed.. # Security update for nodejs22 Announcement ID: SUSE-SU-2026:2647-1 Release Date: 2026-06-26T10:34:06Z Rating: important References: * bsc#1259853 * bsc#1262274 * bsc#1266318 * bsc#1268097 * bsc#1268477 * bsc#1268479 * bsc#1268481 * bsc#1268482 * bsc#1268554 * bsc#1268555 * bsc#1268592 * bsc#1268593 * bsc#1268598 * bsc#1268605 * bsc#1268606 * bsc#1268608 * bsc#1268609 * bsc#1268611 * bsc#1268618 Cross-References: * CVE-2026-11525 * CVE-2026-12151 * CVE-2026-27135 * CVE-2026-40170 * CVE-2026-42338 * CVE-2026-48615 * CVE-2026-48617 * CVE-2026-48618 * CVE-2026-48619 * CVE-2026-48928 * CVE-2026-48930 * CVE-2026-48931 * CVE-2026-48933 * CVE-2026-48934 * CVE-2026-48935 * CVE-2026-48937 * CVE-2026-6733 * CVE-2026-9496 * CVE-2026-9679 CVSS scores: * CVE-2026-11525 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-11525 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-12151 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-12151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-27135 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-27135 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-40170 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40170 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-42338 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N *CVE-2026-42338 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-42338 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-48615 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-48615 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-48615 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-48617 ( SUSE ): 1.8 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48617 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N * CVE-2026-48617 ( NVD ): 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N * CVE-2026-48618 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48618 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2026-48618 ( NVD ): 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N * CVE-2026-48619 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48619 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48928 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48928 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N * CVE-2026-48928 ( NVD ): 4.2 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-48930 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-48930 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2026-48930 ( NVD ): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-48931 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48931 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48931 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48933 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-48933 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48933 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-48934 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48934 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-48934 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2026-48935 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-48935 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48935 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-48937 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-48937 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2026-6733 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-6733 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-9496 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-9496 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-9496 ( NVD ): 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-9496 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-9679 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-9679 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves 19 vulnerabilities can now be installed. ## Description: This update for nodejs22 fixes the following issues Update to 22.23.0: * CVE-2026-6733:undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery (bsc#1268479). * CVE-2026-9496: pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS (bsc#1266318). * CVE-2026-9679: undici: undici vulnerable to HTTP header injection via Set- Cookie percent-decoding (bsc#1268477). * CVE-2026-11525: undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header (bsc#1268481). * CVE-2026-12151: undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames (bsc#1268482). * CVE-2026-27135: nghttp2: assertion failure due to missing state validation can lead to DoS (bsc#1259853). * CVE-2026-40170: ngtcp2: qlog parameters_set stack buffer overflow (bsc#1262274). * CVE-2026-42338: ip-address: Cross-site scripting via improper HTML escaping of untrusted input (bsc#1268097). * CVE-2026-48615: Proxy credentials leaked in ERR_PROXY_TUNNEL error message (bsc#1268598). * CVE-2026-48617: permission model enforcement bypass via `process.report.writeReport()` path misvalidation (bsc#1268554). * CVE-2026-48618: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (bsc#1268593). * CVE-2026-48619: Unbounded memory growth in node:http2 clients via attacker- controlled ORIGIN frames (bsc#1268618). * CVE-2026-48928: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (bsc#1268605). * CVE-2026-48930: Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (bsc#1268606). * CVE-2026-48931: HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (bsc#1268611). * CVE-2026-48933: Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort(bsc#1268592). * CVE-2026-48934: TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (bsc#1268608). * CVE-2026-48935: Permission Model bypass via FileHandle.utimes() in the promises API (bsc#1268609). * CVE-2026-48937: servers keep accepting data even after sending a `GOAWAY` frame (bsc#1268555). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2647=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2026-2647=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2647=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 * openSUSE Leap 15.6 (aarch64 i586 ppc64le s390x x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * corepack22-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * openSUSE Leap 15.6 (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * nodejs22-debuginfo-22.23.0-150600.13.18.1 * nodejs22-devel-22.23.0-150600.13.18.1 * nodejs22-debugsource-22.23.0-150600.13.18.1 * npm22-22.23.0-150600.13.18.1 * nodejs22-22.23.0-150600.13.18.1 * SUSE Linux Enterprise Server 15 SP6LTSS (noarch) * nodejs22-docs-22.23.0-150600.13.18.1 ## References: * https://www.suse.com/security/cve/CVE-2026-11525.html * https://www.suse.com/security/cve/CVE-2026-12151.html * https://www.suse.com/security/cve/CVE-2026-27135.html * https://www.suse.com/security/cve/CVE-2026-40170.html * https://www.suse.com/security/cve/CVE-2026-42338.html * https://www.suse.com/security/cve/CVE-2026-48615.html * https://www.suse.com/security/cve/CVE-2026-48617.html * https://www.suse.com/security/cve/CVE-2026-48618.html * https://www.suse.com/security/cve/CVE-2026-48619.html * https://www.suse.com/security/cve/CVE-2026-48928.html * https://www.suse.com/security/cve/CVE-2026-48930.html * https://www.suse.com/security/cve/CVE-2026-48931.html * https://www.suse.com/security/cve/CVE-2026-48933.html * https://www.suse.com/security/cve/CVE-2026-48934.html * https://www.suse.com/security/cve/CVE-2026-48935.html * https://www.suse.com/security/cve/CVE-2026-48937.html * https://www.suse.com/security/cve/CVE-2026-6733.html * https://www.suse.com/security/cve/CVE-2026-9496.html * https://www.suse.com/security/cve/CVE-2026-9679.html * https://bugzilla.suse.com/show_bug.cgi?id=1259853 * https://bugzilla.suse.com/show_bug.cgi?id=1262274 * https://bugzilla.suse.com/show_bug.cgi?id=1266318 * https://bugzilla.suse.com/show_bug.cgi?id=1268097 * https://bugzilla.suse.com/show_bug.cgi?id=1268477 * https://bugzilla.suse.com/show_bug.cgi?id=1268479 * https://bugzilla.suse.com/show_bug.cgi?id=1268481 * https://bugzilla.suse.com/show_bug.cgi?id=1268482 * https://bugzilla.suse.com/show_bug.cgi?id=1268554 * https://bugzilla.suse.com/show_bug.cgi?id=1268555 * https://bugzilla.suse.com/show_bug.cgi?id=1268592 * https://bugzilla.suse.com/show_bug.cgi?id=1268593 * https://bugzilla.suse.com/show_bug.cgi?id=1268598 * https://bugzilla.suse.com/show_bug.cgi?id=1268605 * https://bugzilla.suse.com/show_bug.cgi?id=1268606 * https://bugzilla.suse.com/show_bug.cgi?id=1268608 *https://bugzilla.suse.com/show_bug.cgi?id=1268609 * https://bugzilla.suse.com/show_bug.cgi?id=1268611 * https://bugzilla.suse.com/show_bug.cgi?id=1268618 . Critical security update for SUSE addressing 19 issues in nodejs22. Install to secure systems against threats now.. SUSE security update,nodejs22 vulnerabilities,important patch,openSUSE security issues. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 26, 2026 Important SuSE
89

Fedora 38 FEDORA-2023-3baf3f43a0 Critical: htmltest Excessive Memory Growth

Security fix for CVE-2022-41717. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-3baf3f43a0 2023-09-07 01:27:49.829871 -------------------------------------------------------------------------------- Name : htmltest Product : Fedora 38 Version : 0.17.0 Release : 4.fc38 URL : https://github.com/wjdp/htmltest Summary : Test generated HTML for problems Description : htmltest runs your HTML output through a series of checks to ensure all your links, images, scripts references work, your alt tags are filled in, et cetera. -------------------------------------------------------------------------------- Update Information: Security fix for CVE-2022-41717 -------------------------------------------------------------------------------- ChangeLog: * Tue Aug 29 2023 Elliott Sales de Andrade - 0.17.0-4 - Backport patch to use govcr 4 * Thu Jul 20 2023 Fedora Release Engineering - 0.17.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests https://bugzilla.redhat.com/show_bug.cgi?id=2161274 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-3baf3f43a0' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announcemailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam, report it: . Patch to address memory overconsumption in Fedora 38's htmltest, guaranteeing dependable HTML validations against security threats.. Fedora Update, htmltest Security Fix, Memory Growth Issue, Go Server Update. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Sep 07, 2023 Critical Fedora
98

Red Hat OpenShift 4.13.5 RHSA-2023:4090 Moderate: Memory Growth Issue

Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.13.5 security update Advisory ID: RHSA-2023:4090-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:4090 Issue date: 2023-07-20 CVE Names: CVE-2022-41717 CVE-2022-41723 CVE-2023-1260 CVE-2023-3089 CVE-2023-24329 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-27561 CVE-2023-29400 CVE-2023-32067 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2023:4091 Security Fix(es): * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests(CVE-2022-41717) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/updating_clusters/updating-cluster-cli 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes/ocp-4-13-release-notes 4. Bugs fixed (https://bugzilla.redhat.com/): 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-13353 - Dpu operator should not create pdb in case of bad configmap configuration OCPBUGS-14099 - Default namespace for openshift-dpu-network-operator is set to 'Openshift Operators' 6.References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2023-1260 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-27561 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/cve/CVE-2023-32067 https://access.redhat.com/security/updates/classification/#moderate https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/release_notes/ocp-4-13-release-notes 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJkuYVEAAoJENzjgjWX9erEdvEP/1eNA60zMj7f6YeGT3gaJO0z dEGvbdRaMQAlS306YqN3025jPhaz1hCUshnGAgvtz4Rhl3BT0JqrpON/BKpbFKzK Dhpq5IjMD+QaYY+qJAiYmGRXwN/kWVjuj6kJJhXCxAmzGyxsEjI3a8+3dwbGRNA8 WaBxkvl3fvn+3PjLewJDki4MnXc9HkpINFXF4kKeGKmV1JZh6/NMyZk+brgHyWkD 54Eon4JM3WXsCQqXSdtT9EoX23DsoyqHs4Be1xJT4LM0xc5ZaJ5iUtzc5bS0aEPq 9Dj1TFyjoUSoOmX9q8tlET5GQ2j580EnUW1xOxW3XgEycfnBLwY+76ImsZQPGsB0 oGK8aL9Bjurr76rQxuabAkwykZl+zAxqpMecKJhRSE3gY5MfKJ0FA6uO1souHxWt KK4RrPkzsyUC0e6Z0pRe7oNN9vZJdimgVc3XNJjf2YN98IgZ+6Fk1GSi7SZ0L6Zz VNfNoMnSFsoSEP3ThAKR7GYbdh5t30N/hK87BRCiYJo3ml8ABbEs5mcCDvKeqJF7 9leLwYm6B4h7rIFYsl9gsGBu4VyO06Q9nLWwlpkG6IkBJ5Hd3mwnWN6dufcOb38L 2yQa/b+NTAGReFRltYZ5jwXCpUUkZEkqa5dPqZqOgf0MaTl6LZVXqTRhvWc4hKTi v5vyZ0q3FAbRWsXamzde =DqTj -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . A new security patch released for Red Hat OpenShift Container Platform 4.13.5 addresses various bugs andvulnerabilities.. OpenShift Security Update, Red Hat OpenShift, Container Security, Platform Updates. . LinuxSecurity.com Team

Calendar%202 Jul 20, 2023 Red Hat
98

Red Hat OpenShift 8.0.0 RHSA-2023:1372 Moderate: Memory Growth Issue

The components for Red Hat OpenShift support for Windows Containers 8.0.0 are now available. This product release includes bug fixes and a moderate security update for the following packages: windows-machine-config-operator and. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift support for Windows Containers 8.0.0 [security update] Advisory ID: RHSA-2023:1372-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:1372 Issue date: 2023-05-10 CVE Names: CVE-2022-41717 CVE-2023-25173 ==================================================================== 1. Summary: The components for Red Hat OpenShift support for Windows Containers 8.0.0 are now available. This product release includes bug fixes and a moderate security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Security Fix(es): * golang: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * containerd: Supplementary groups are not set up properly (CVE-2023-25173) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section 3. Solution: For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed(https://bugzilla.redhat.com/): 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects): OCPBUGS-10416 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace OCPBUGS-10709 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup - OCPBUGS-10930 - Windows pods are unable to resolve DNS records for services OCPBUGS-11444 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\" OCPBUGS-11735 - oc adm node-logs failing in vSphere CI OCPBUGS-1513 - Check if Windows defender is running doesnt work OCPBUGS-2028 - [WINC] Windows nodes name not matching hostname in GCP OCPBUGS-3506 - Load balancer shows connectivity outage during Windows nodes upgrade OCPBUGS-4133 - Load Balance service with externalTrafficPolicy="Cluster" for Windows workloads intermittently unavailable in GCP and Azure OCPBUGS-5065 - Installation of WMCO in different namespace fails OCPBUGS-5354 - WMCO is unable to drain DaemonSet workloads OCPBUGS-5378 - containerd version is being misreported OCPBUGS-5732 - Windows nodes do not get drained (deconfigure) during the upgrade process OCPBUGS-5887 - Directory deletion errors are being ignored when deconfiguring Windows instances OCPBUGS-6611 - Hybrid Overlay logfile is in use and cannot be deleted OCPBUGS-6635 - WMCO kubelet version not matching OCP payload's one OCPBUGS-7287 - Kublet logs are not written to the kubelet log file WINC-1001 - Use standard library errors package WINC-1014 - Enable in-tree storagefor vSphere for 4.13 WINC-733 - Instance cleanup is done by WICD cleanup command WINC-736 - WICD controller periodically reconciles the state of Windows services WINC-741 - WICD takes more responsibility of Node configuration WINC-838 - Use PodOS field in e2e tests, and document it for usersWINC-898 - Containerd is added to windows-services configmap WINC-923 - Update pause image to 3.9 WINC-942 - OpenShift Branching Day release-4.13 / WMCO 8.0.0 WINC-959 - update GitHub build and testing docs WINC-962 - Pick up openshift/kubernetes 1.26 rebase updates WINC-977 - Update kube-proxy submodule to sdn-4.13-kubernetes-1.26.0 6. References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFsxWdzjgjWX9erEAQhHXA/6AhWeuT89b6OpYzOBwz10B+PDTwCwkzYy kGoc5p8Wu7ov2liOTBYBwPZVrAN73T6O+FAIPzeYi0Ip8m2KBa7AThuDMcBsv8kC 5jj8lD8JzZLq1IPhOtnIuDBUkBGKwadcPwu+tH+L7QHLeaAVg5ceRE/55tcTEAM6 nYkkbrcWwpbU1PKo6PmGAW80phPCb+YvmQh3w10t8o/AqHry4g+6r5VvwqoB2YEB b7fXDESPuOYVRF+7A+uh4kL0wA93OW9TMMW61H147gmoJTHxKGZ6Ts6IVQn7+dkl cZ5xHfpxuMP2YbBqh05kx3D1SP2EmTGlYr/xjoyzFS4MWQvb667kESb6MrBP9Jl2 y2EJkZw/aUAouwy6kOexfAf3gnJl+9s0McYJHVO4TC+LvPpmcE4T5G3YK1r9dnFf fZQMLwoiNQZWXk/hLh96Lmk+H9bIXHMuL7OCiRDlYHaiDXjZQG83w5aPt733DCJ8 sP44DLRmP3WkNvz9BENHn1wgQ/ihGlmuEa2GsV51pHEMpvAHlRmb5XwFJ4RLLB9O 3vOzxH1XwCPK0lc1k2af4nO9ezHChsjHve86iEYFFrvdKFO0JgmigzqNpc/eEkHC LPqktATWXARi4qcn+JHEV7d40eAHYgZYv5AA4VHpomHK92WDK7EF6YOvMREwB/K/ dbxljBPzQIg=qVSk -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . The latest security bulletin from Red Hat outlines a significant improvement for OpenShift on Windows, addressing concerns related to memory expansion and access vulnerabilities.. OpenShift SecurityUpdate, Windows Containers, Red Hat Advisory, Moderate Severity Fix, Memory Growth Issue. . LinuxSecurity.com Team

Calendar%202 May 10, 2023 Red Hat
98

Red Hat Enterprise Linux 9 RHSA-2023:2283-01 Moderate Skopeo Security Issue

An update for skopeo is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: skopeo security and bug fix update Advisory ID: RHSA-2023:2283-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2283 Issue date: 2023-05-09 CVE Names: CVE-2022-30629 CVE-2022-41717 ==================================================================== 1. Summary: An update for skopeo is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix(es): * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. 4. Solution: For details onhow to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2182318 - skopeo-1.11.2 required in RHEL9.2.0 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: skopeo-1.11.2-0.1.el9.src.rpm aarch64: skopeo-1.11.2-0.1.el9.aarch64.rpm skopeo-debuginfo-1.11.2-0.1.el9.aarch64.rpm skopeo-debugsource-1.11.2-0.1.el9.aarch64.rpm skopeo-tests-1.11.2-0.1.el9.aarch64.rpm ppc64le: skopeo-1.11.2-0.1.el9.ppc64le.rpm skopeo-debuginfo-1.11.2-0.1.el9.ppc64le.rpm skopeo-debugsource-1.11.2-0.1.el9.ppc64le.rpm skopeo-tests-1.11.2-0.1.el9.ppc64le.rpm s390x: skopeo-1.11.2-0.1.el9.s390x.rpm skopeo-debuginfo-1.11.2-0.1.el9.s390x.rpm skopeo-debugsource-1.11.2-0.1.el9.s390x.rpm skopeo-tests-1.11.2-0.1.el9.s390x.rpm x86_64: skopeo-1.11.2-0.1.el9.x86_64.rpm skopeo-debuginfo-1.11.2-0.1.el9.x86_64.rpm skopeo-debugsource-1.11.2-0.1.el9.x86_64.rpm skopeo-tests-1.11.2-0.1.el9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBZFo08NzjgjWX9erEAQgWOg//fccJBQ9s9bwxbqVmM7c6Z7DqWyekfzZS b1XjA6XcNIDQaYD6d9qvLpMEKmpQg8aeNeIpfvSQWmJPARkYU8sJIrc24yHklE5n pgFJ6FbRJccWpjRVKay/0Spwo7KQwB5o9cZXLR6oFDFRpxT/BvLtNqEHZ1n7ugFQ aE1SFS/nd7x6HvYI0ymhQmpNRURltAdFgmtauUKECN7tc8UsFxMHxpVG4JT7CyOx bLRoMR3LFLjEsNr+VMIjHGAMSGa1fyjp/bifR2qj+QUm2CuaR1+whXTjBMEHE9t8 KmWt29dQ4PdyVmuuBz4uxdy1EmeChS4dxKnJ2DQJaPzmMcN0f2IfTR8p17jLSlhf RwIJQC5bobz5sJwlojxMLTafHQ9+XoTFFxHnebOW6omCjkiyFzQ2Vjebr5QYAJQ1 19ca/1eXVdlYNAZSCRfpw3oGb9LJBuA7Ad/3+AgfTLGWN809T309eOVM6fVL5ICL mIzxzDrFr2IXQV6cRPapsMov5CD19h9gpxL63eBhOLasbmH8eotani+2Xx+kSrzt e3H56EdgOHE5ckCogsaZDUUw+5M12O2NjYRFYoUu112z0qif9QGYXuV0UNd93oKr fwuxCnI1CJmFV2KBqNZQ2CAr4pihjzl5c7NHUZGvVG/OQYw/z8QaCUa/2VBD+hI8 TsacnXu2QB0=52Iy -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Investigate the latest Red Hat Security Advisory concerning skopeo, which focuses on notable bug resolutions and security implications.. skopeo update, Red Hat security, Enterprise Linux advisories, memory growth fix. . LinuxSecurity.com Team

Calendar%202 May 09, 2023 Red Hat
98

Red Hat Enterprise Linux 9 RHSA-2023:2222-01 Moderate: Conmon Memory Impact

An update for conmon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: conmon security and bug fix update Advisory ID: RHSA-2023:2222-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:2222 Issue date: 2023-05-09 CVE Names: CVE-2022-41717 ==================================================================== 1. Summary: An update for conmon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: Conmon is an OCI container runtime monitor. Security Fix(es): * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2129080 - conmon bug fixand enhancement update [rhel-9.2.0] 2154417 - podman gating test issues in RHEL9.0 (bump conmon-2.1.4) 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2173697 - Fails to run containers with kernel-rt and cgroups v1 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: conmon-2.1.7-1.el9_2.src.rpm aarch64: conmon-2.1.7-1.el9_2.aarch64.rpm conmon-debuginfo-2.1.7-1.el9_2.aarch64.rpm conmon-debugsource-2.1.7-1.el9_2.aarch64.rpm ppc64le: conmon-2.1.7-1.el9_2.ppc64le.rpm conmon-debuginfo-2.1.7-1.el9_2.ppc64le.rpm conmon-debugsource-2.1.7-1.el9_2.ppc64le.rpm s390x: conmon-2.1.7-1.el9_2.s390x.rpm conmon-debuginfo-2.1.7-1.el9_2.s390x.rpm conmon-debugsource-2.1.7-1.el9_2.s390x.rpm x86_64: conmon-2.1.7-1.el9_2.x86_64.rpm conmon-debuginfo-2.1.7-1.el9_2.x86_64.rpm conmon-debugsource-2.1.7-1.el9_2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/updates/classification#moderate https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.2_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBZFo0WNzjgjWX9erEAQiM9hAAn7KBwcV6tJGVHKSa3Cong1LrQ3gM/DDD pmt/FxQ29FcRexK9gUaSc/QOzPdIX2kmD0f2Lhau+Cw/6fotNYjoeXTISocTeBxV pNdSQq0dXHAZA3CTqFzrgJ1hRy6cv27pBd4OkVTfsTNgPnlindo9K0Z92bIIfH+c jCx77ZinWVTL/KgoN1OieXjfrTPNO3gy8etkDNfnlcG75qgzW0n663M0nxXdpkdS rzEzrxD98CYNIr4b/GNADDGMmUqbtr73EODjsOs1TZ6VqEfZkvYoJpd0lNB/rlIk yP3FnNbQbt9ZvgM80yg3T0ll8WW1mue8Gbo03FSGTXlOLlHNhcgQDgyMyfWazF3h WLWQyMCn9/+nzxhYTDJBvsXzVZWCrhHrh5zw8Ac96kpgB2cSpHVnAAu4JBmGFPTP mHBvBHue5ycvm59LDSVZnvPXS2Kf7kH4r23AESRMYY0a4GlCsVC4dNvNvo0k0K+U aHFpz2UcO8PxEhgVAU0C+oTk7pwmV44flRtPPfa7XAIaxqFcyRxjomBT8McREirl B0H7SHDGV0pjJFcUe34QSM4N3EsCRraOBKsTC6WD10CVA3AN+gHv8yKhlN1Qlytf e1oXwIt3tC/ETF1ljBr4lOg4Zc7AIBtxzl/V/0WN+8EMe1JPn7SvYiZL78KUWQhB YkR3P+oC3/Y=tSPS -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . The conmon update on Red Hat Enterprise Linux resolves a moderate security vulnerability and includes essential bug fixes deemed critical. . Red Hat Enterprise Linux, conmon security update, OCI container runtime, bug fixes. . LinuxSecurity.com Team

Calendar%202 May 09, 2023 Red Hat
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200