=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat build of Quarkus 2.13.8 release and security update
Advisory ID: RHSA-2023:5170-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5170
Issue date: 2023-09-14
CVE Names: CVE-2023-4853
=====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fixes:

* CVE-2023-4853 quarkus-http: quarkus: HTTP security policy bypass [quarkus-2.13]

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2238034 - CVE-2023-4853 quarkus: HTTP security policy bypass

5. References:

https://access.redhat.com/security/cve/CVE-2023-4853
https://access.redhat.com/security/updates/classification#important

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.

-- RHSA-announce mailing list

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 security update
Advisory ID: RHSA-2023:4200-01
Product: Red Hat build of OptaPlanner
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4200
Issue date: 2023-07-18
CVE Names: CVE-2023-20883
====================================================================

1. Summary:

Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

A new release for Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 including security updates is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Security Fix(es):

* CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

RHBOP-42 - Remove javadoc references on upstream BOM
RHBOP-49 - Include sources for antlr-runtime.jar to maven-repo.zip
RHBOP-50 - Include sources for jfreechart.jar to maven-repo.zip
RHBOP-52 - [PLANNER-2899] Nearby selection for list variable

6. References:

https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat build of Quarkus 2.13.8 release and security update
Advisory ID: RHSA-2023:3809-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3809
Issue date: 2023-06-29
CVE Names: CVE-2022-45787 CVE-2023-0481 CVE-2023-0482 CVE-2023-1436
           CVE-2023-1584 CVE-2023-2974 CVE-2023-26053 CVE-2023-28867
====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fixes:

* CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray [quarkus-2]
* CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks [quarkus-2]
* CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption [quarkus-2]
* CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow [quarkus-2]
* CVE-2023-0482 RESTEasy: creation of insecure temp files [quarkus-2]
* CVE-2022-3782 keycloak: path traversal via double URL encoding [quarkus-2]
* CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files [quarkus-2]
* CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider [quarkus-2]

For more information about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, see the CVE links listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

6. References:

https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0481
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-1584
https://access.redhat.com/security/cve/CVE-2023-2974
https://access.redhat.com/security/cve/CVE-2023-26053
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/2.13
https://access.redhat.com/articles/4966181

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update
Advisory ID: RHSA-2022:8957-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8957
Issue date: 2022-12-13
CVE Names: CVE-2022-4116 CVE-2022-4147 CVE-2022-45047
====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2144748 - CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2148867 - CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus

5. References:

https://access.redhat.com/security/cve/CVE-2022-4116
https://access.redhat.com/security/cve/CVE-2022-4147
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/articles/4966181
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.6.SP3
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7
https://bugzilla.redhat.com/show_bug.cgi?id=2148867
https://bugzilla.redhat.com/show_bug.cgi?id=2144748
https://bugzilla.redhat.com/show_bug.cgi?id=2145194
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat build of Quarkus 2.7.5 release and security update
Advisory ID: RHSA-2022:4623-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4623
Issue date: 2022-05-18
CVE Names: CVE-2021-3914 CVE-2021-22569 CVE-2021-29427 CVE-2021-29428
           CVE-2021-29429 CVE-2021-43797 CVE-2022-0981 CVE-2022-21363
           CVE-2022-21724
====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.7.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

* gradle: information disclosure through temporary directory permissions (CVE-2021-29429)
* gradle: repository content filters do not work in Settings pluginManagement (CVE-2021-29427)
* gradle: local privilege escalation through system temporary directory (CVE-2021-29428)
* smallrye-health-ui: persistent cross-site scripting in endpoint (CVE-2021-3914)
* Quarkus Resteasy component may return Resteasy implementation details
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes (CVE-2022-21724)
* mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)
* quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus (CVE-2022-0981)
* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1949636 - CVE-2021-29429 gradle: information disclosure through temporary directory permissions
1949638 - CVE-2021-29427 gradle: repository content filters do not work in Settings pluginManagement
1949643 - CVE-2021-29428 gradle: local privilege escalation through system temporary directory
2018015 - CVE-2021-3914 smallrye-health-ui: persistent cross-site scripting in endpoint
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

QUARKUS-1376 - Quarkus Resteasy component may return Resteasy implementation details

6. References:

https://access.redhat.com/security/cve/CVE-2021-3914
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-29427
https://access.redhat.com/security/cve/CVE-2021-29428
https://access.redhat.com/security/cve/CVE-2021-29429
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2022-0981
https://access.redhat.com/security/cve/CVE-2022-21363
https://access.redhat.com/security/cve/CVE-2022-21724
https://access.redhat.com/security/updates/classification#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.7.5
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7/
https://access.redhat.com/articles/4966181

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus 2.2 security update
Advisory ID: RHSA-2022:0222-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0222
Issue date: 2022-01-20
CVE Names: CVE-2021-44832 CVE-2021-45046 CVE-2021-45105
====================================================================

1. Summary:

A security update to Red Hat Integration Camel Extensions for Quarkus 2.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This update of Red Hat Integration - Camel Extensions for Quarkus serves as a replacement for 2.2 GA and includes the following security Fix(es):

Security Fix(es):

* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2032580 - CVE-2021-45046 log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)
2034067 - CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
2035951 - CVE-2021-44832 log4j-core: remote code execution via JDBC Appender

5. References:

https://access.redhat.com/security/cve/CVE-2021-44832
https://access.redhat.com/security/cve/CVE-2021-45046
https://access.redhat.com/security/cve/CVE-2021-45105
https://access.redhat.com/security/updates/classification#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q1
https://docs.redhat.com/en/documentation/red_hat_integration/2022.q1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update
Advisory ID: RHSA-2021:4767-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4767
Issue date: 2021-11-23
CVE Names: CVE-2020-13936 CVE-2020-14326 CVE-2020-26217 CVE-2020-26258
           CVE-2020-26259 CVE-2020-27218 CVE-2020-27223 CVE-2020-28052
           CVE-2020-28491 CVE-2021-3629 CVE-2021-3642 CVE-2021-3690
           CVE-2021-20289 CVE-2021-20328 CVE-2021-21341 CVE-2021-21342
           CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346
           CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
           CVE-2021-21351 CVE-2021-27568 CVE-2021-28163 CVE-2021-28164
           CVE-2021-28165 CVE-2021-28169 CVE-2021-29429 CVE-2021-29505
           CVE-2021-34428 CVE-2021-39139 CVE-2021-39140 CVE-2021-39141
           CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147
           CVE-2021-39148 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151
           CVE-2021-39152 CVE-2021-39153 CVE-2021-39154
====================================================================

1. Summary:

Red Hat Integration Camel Extensions for Quarkus 2.2 is now GA. The purpose of this text-only errata is to inform you about the security issues fixed since the tech preview 2 release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Extensions for Quarkus - 2.2 GA serves as a replacement for tech-preview 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* jetty (CVE-2021-28163, CVE-2020-27218, CVE-2020-27223, CVE-2021-28164, CVE-2021-28169, CVE-2021-28165, CVE-2021-34428, CVE-2021-34428)
* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
* xstream (CVE-2021-39144, CVE-2021-39141, CVE-2021-39154, CVE-2021-39153, CVE-2021-39152, CVE-2021-39151, CVE-2021-39150, CVE-2021-39149, CVE-2021-39148, CVE-2021-39147, CVE-2021-39146, CVE-2021-39145, CVE-2021-39140, CVE-2021-39139, CVE-2021-21351, CVE-2021-21350, CVE-2021-21349, CVE-2021-21348, CVE-2021-21347, CVE-2021-21346, CVE-2021-21345, CVE-2021-21344, CVE-2021-21343, CVE-2021-21342, CVE-2021-21341, CVE-2021-29505, CVE-2020-26259, CVE-2020-26258, CVE-2020-26217)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
* resteasy-core: resteasy: Error message exposes endpoint class information (CVE-2021-20289)
* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)
* undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)
* mongodb-driver: mongo-java-driver: client-side field level encryption not verifying KMS host name (CVE-2021-20328)
* gradle: information disclosure through temporary directory permissions (CVE-2021-29429)
* json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052)
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1949636 - CVE-2021-29429 gradle: information disclosure through temporary directory permissions
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140
xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler 1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* 1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* 1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration 1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue 1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration 1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator 1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* 1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* 1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration 1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData 1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl 1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue 5.References: https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2020-14326 https://access.redhat.com/security/cve/CVE-2020-26217 https://access.redhat.com/security/cve/CVE-2020-26258 https://access.redhat.com/security/cve/CVE-2020-26259 https://access.redhat.com/security/cve/CVE-2020-27218 
https://access.redhat.com/security/cve/CVE-2020-27223 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-28491 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3690 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-20328 https://access.redhat.com/security/cve/CVE-2021-21341 https://access.redhat.com/security/cve/CVE-2021-21342 https://access.redhat.com/security/cve/CVE-2021-21343 https://access.redhat.com/security/cve/CVE-2021-21344 https://access.redhat.com/security/cve/CVE-2021-21345 https://access.redhat.com/security/cve/CVE-2021-21346 https://access.redhat.com/security/cve/CVE-2021-21347 https://access.redhat.com/security/cve/CVE-2021-21348 https://access.redhat.com/security/cve/CVE-2021-21349 https://access.redhat.com/security/cve/CVE-2021-21350 https://access.redhat.com/security/cve/CVE-2021-21351 https://access.redhat.com/security/cve/CVE-2021-27568 https://access.redhat.com/security/cve/CVE-2021-28163 https://access.redhat.com/security/cve/CVE-2021-28164 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/cve/CVE-2021-28169 https://access.redhat.com/security/cve/CVE-2021-29429 https://access.redhat.com/security/cve/CVE-2021-29505 https://access.redhat.com/security/cve/CVE-2021-34428 https://access.redhat.com/security/cve/CVE-2021-39139 https://access.redhat.com/security/cve/CVE-2021-39140 https://access.redhat.com/security/cve/CVE-2021-39141 https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/cve/CVE-2021-39145 https://access.redhat.com/security/cve/CVE-2021-39146 https://access.redhat.com/security/cve/CVE-2021-39147 https://access.redhat.com/security/cve/CVE-2021-39148 https://access.redhat.com/security/cve/CVE-2021-39149 https://access.redhat.com/security/cve/CVE-2021-39150 
https://access.redhat.com/security/cve/CVE-2021-39151 https://access.redhat.com/security/cve/CVE-2021-39152 https://access.redhat.com/security/cve/CVE-2021-39153 https://access.redhat.com/security/cve/CVE-2021-39154 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYZz9mdzjgjWX9erEAQhd7Q/+KypKPUeD2ek8SbZvKhUsRz4jCWnDxLTH 9Q0itGtRZLGubEatxj+EkOg4Zqg9m2BpmLQfLrnLuDCBLlcdV6GoWkAIQr7Vg88h VI5bah1uLsgRrGmFvY3KY0Ghow2BAid7rzd2sah8lNPVk1AsUph/HkzCvWwm1xw1 Zvoo+0bvs3QAQ6IGQHklO5PYWw2/rjVMEAuE8DmSOMEhgWWJzI4Y9vXl1n6dX/BY EK4gKU23wBOK9ZB/t97X1hCdWMIT5QoQ8xejYgslheMdgHc/cFmTmh+kNzMTwwCI OkL4xYyCfiEM0NuJsAo4sHnRAVJEngdWc1/Cx0sWzdZNKW9aVFklciPqL/w7i4vb Z6dB9A7ezBa9SFPW6okSIAUEPU9e5HdMwH/qAM6N6LYB7fZhNpgR8a9QWTmAEJlc haDlLwJhbqouEDvWnaJ7ZCsCmSltLES94sezLIzwBvYsn67lJhLzg803gxwG6F6b q17H40IeSOffh8NX1L2dJDyU3y5N88FhKPEWISkKde3mntz+DLC0OVXfEuLYaLkx BybTlsuiA9sRhh/oZZYVotUGvaeZiiNBGr/B6rsHMWynuD9uvT04Kz2kucdcB5tE c5dHeJyUTqdpBdRPer5Ld6lpkqCoTguEaCfoIQ6NmwnZpcNcULkOm3i0h4dNbtJf QfTF06xoxe4=kZG0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat build of Quarkus 1.7.6 release and security update
Advisory ID: RHSA-2021:0084-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0084
Issue date: 2021-01-12
CVE Names: CVE-2020-13956
====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 1.7.6 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

* apache http client: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)

* vertx-web: Vert.x StaticHandler backslash issue on Windows (QUARKUS-458)

For more details about the security issues and their impact, the CVSS score, acknowledgments, and other related information see the CVE pages listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs

5. References:

https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/updates/classification#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=1.7.6
https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/1.7
https://access.redhat.com/articles/4966181

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.