Explore top 10 tips to secure your open-source projects now. Read More
×
An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: firefox security update Advisory ID: RHSA-2023:5437-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:5437 Issue date: 2023-10-04 CVE Names: CVE-2023-3600 CVE-2023-5169 CVE-2023-5171 CVE-2023-5176 CVE-2023-5217 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream AUS (v.8.4) - x86_64 Red Hat Enterprise Linux AppStream E4S (v.8.4) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux AppStream TUS (v.8.4) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.3.1 ESR. Security Fix(es): * firefox: use-after-free in workers (CVE-2023-3600) * Mozilla: Out-of-bounds write in PathOps (CVE-2023-5169) * Mozilla: Use-after-free in Ion Compiler (CVE-2023-5171) * Mozilla: Memory safety bugs fixed in Firefox 118,Firefox ESR 115.3, and Thunderbird 115.3 (CVE-2023-5176) * libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2222652 - CVE-2023-3600 firefox: use-after-free in workers 2240893 - CVE-2023-5169 Mozilla: Out-of-bounds write in PathOps 2240894 - CVE-2023-5171 Mozilla: Use-after-free in Ion Compiler 2240896 - CVE-2023-5176 Mozilla: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx 6. Package List: Red Hat Enterprise Linux AppStream AUS (v.8.4): Source: firefox-115.3.1-1.el8_4.src.rpm x86_64: firefox-115.3.1-1.el8_4.x86_64.rpm firefox-debuginfo-115.3.1-1.el8_4.x86_64.rpm firefox-debugsource-115.3.1-1.el8_4.x86_64.rpm Red Hat Enterprise Linux AppStream E4S (v.8.4): Source: firefox-115.3.1-1.el8_4.src.rpm aarch64: firefox-115.3.1-1.el8_4.aarch64.rpm firefox-debuginfo-115.3.1-1.el8_4.aarch64.rpm firefox-debugsource-115.3.1-1.el8_4.aarch64.rpm ppc64le: firefox-115.3.1-1.el8_4.ppc64le.rpm firefox-debuginfo-115.3.1-1.el8_4.ppc64le.rpm firefox-debugsource-115.3.1-1.el8_4.ppc64le.rpm s390x: firefox-115.3.1-1.el8_4.s390x.rpm firefox-debuginfo-115.3.1-1.el8_4.s390x.rpm firefox-debugsource-115.3.1-1.el8_4.s390x.rpm x86_64: firefox-115.3.1-1.el8_4.x86_64.rpm firefox-debuginfo-115.3.1-1.el8_4.x86_64.rpm firefox-debugsource-115.3.1-1.el8_4.x86_64.rpm Red Hat Enterprise Linux AppStream TUS(v.8.4): Source: firefox-115.3.1-1.el8_4.src.rpm aarch64: firefox-115.3.1-1.el8_4.aarch64.rpm firefox-debuginfo-115.3.1-1.el8_4.aarch64.rpm firefox-debugsource-115.3.1-1.el8_4.aarch64.rpm ppc64le: firefox-115.3.1-1.el8_4.ppc64le.rpm firefox-debuginfo-115.3.1-1.el8_4.ppc64le.rpm firefox-debugsource-115.3.1-1.el8_4.ppc64le.rpm s390x: firefox-115.3.1-1.el8_4.s390x.rpm firefox-debuginfo-115.3.1-1.el8_4.s390x.rpm firefox-debugsource-115.3.1-1.el8_4.s390x.rpm x86_64: firefox-115.3.1-1.el8_4.x86_64.rpm firefox-debuginfo-115.3.1-1.el8_4.x86_64.rpm firefox-debugsource-115.3.1-1.el8_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2023-3600 https://access.redhat.com/security/cve/CVE-2023-5169 https://access.redhat.com/security/cve/CVE-2023-5171 https://access.redhat.com/security/cve/CVE-2023-5176 https://access.redhat.com/security/cve/CVE-2023-5217 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIcBAEBCAAGBQJlHYRUAAoJENzjgjWX9erEOz0P/jqrbAIxEIHRdzXqnThA9j4s FJBgjemtxQ/4w43IXk8Au56KoN+Ov1OQC40HjspeJX3Gy0Hkjf+kth+uvKbX0bzx 67SXPuXwuGoW25fjMy+nrgL/Z1o5Nw8ecGp36jpPgsWwuJIHOatuNZYaUGcXoakd 5gVTXxMgXmYsM8nJICX34hGhIHXGkkwgRCBUsr0aqQAkn4jT2B02O5mA4oEKVD56 UCXWpKvtr1Z/XltkSIjQhYG0DKKcuT2Bz4gJbURJqj4NXYqWsjw/DD007PPBP3bn fYzNDNrf2ZHLBU2T33wQSrdcGpdqimrF1zOY+rvLyjD/GZZNSF/uA/44Rud1aYGe Y6ijfoYdGLm1UaqKOksHoakZIwYkSRdStDRjpQRenOced9U+GsR0w9Qn7yxB4PYk 8rq2Sbc0vEFhq6i9GBtM9I/7/D4/mqj/s9MpwYiVVIOI/t7h1A4cuc76MtX6fpit hYoyjBZLsGjIEAOIKvX1qW3kUbhMUvhu94B587WCx6IuQ1E+5iPggrs5ytJ+7zZP H+2OZaI8dKS0KYO2EWOrP0JpltVmbFKTuLDuZ+qcPt5qqj2T+8bN6jLRDVmTnu1s w0vOf34yDmPiHp1lZL7TLV91bRhSfYCgM5YIRC5D+huhTdUmO6vRk4sPlz9iDABn 74LS2GSnEhWpP9ZXBboS =rntD -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Red Hat OpenShift Container Platform release 4.12.36 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.12.36 bug fix and security update Advisory ID: RHSA-2023:5390-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:5390 Issue date: 2023-10-04 CVE Names: CVE-2023-2253 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.12.36 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.36. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2023:5392 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes Security Fix(es): *distribution/distribution: DoS from malicious API request (CVE-2023-2253) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/updating_clusters/updating-cluster-cli 3. Solution: For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags. The sha values for the release are: (For x86_64 architecture) The image digest is sha256:38ccab25d5895a216a465a9f297541fbbebe7aa115fdaa9f2015c8d5a5d036eb (For s390x architecture) The image digest is sha256:91e9a38e4333cac73c9320a713247d6652017081cd573f892dae2a866142de45 (For ppc64le architecture) The image digest is sha256:674a2972728709445f1bf008d0b8740f3b7c3d7f5781f8a4235b11d47779038e (For aarch64 architecture) The image digest is sha256:e515ccfd4923cfb91b54fad78835338ec99ec204544d53691f81a92bfdd6f9f4 All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions forupgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/updating_clusters/updating-cluster-cli 4. Bugs fixed (https://bugzilla.redhat.com/): 2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request 5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects): OCPBUGS-10992 - SCOS bootstrap should skip pivot when root is not writable OCPBUGS-16376 - Avoid retry of Network Policy event OCPBUGS-19045 - Web console slowness on Project> Project access page OCPBUGS-19405 - [release-4.12] Extend workload-info gatherer to collect image repository info OCPBUGS-19511 - 4.12: Upgrade blocked: csi-snapshot-controller fails with read-only filesystem OCPBUGS-19557 - CBO crashes if internal IP is nil OCPBUGS-19770 - After Adding the FIP to existing Node, The CSR get generated, It should be approved automatically. 6. References: https://access.redhat.com/security/cve/CVE-2023-2253 https://access.redhat.com/security/updates/classification#moderate https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIcBAEBCAAGBQJlHNuqAAoJENzjgjWX9erEh5cP/A9LtseE8nzZrC+A8Zu0+l9p /W65ADKX5Wh+7Y0lQ7NKJrldKtE7PUp1D/3ufDJ8KrF2wJQ2DpDqGCYIO2K+Sldl 4dVeE7cgb1vcJmZGNKY2tB6z204IStsZakcy2yJhUi1USKhKOEy0YfDy10hMCcbZ /IuELwib/PYlKAn5WxZjNiiGPW0g5JE0BG1UAaxJovCewh/ORZH+IAhOY/Zbq88+ BDtFoaapCWyNDiYuUlXjxIz+YqESl20nVNaeDl4LGARHrNtCqUuTOWCOJnKUV4v8 +uP7OfWgocBNDnl2AKVQbX/Too8LrHtcRTeRNkqLhQzUwNUd8RHHzrAgSxeV681y V0AH/WbJR7pj/pXY80T+Jn9iM2mc0WCU+w3GAPc3Cmym8T7Ql8fDwkqezGe2aExu 4pZP3PpEdZWiZkkoRJf+ULfHtsVSQuekry44iSkC1inmHSJ22H8fZpgpMdP4FisD pt6nURLLcRztnKoJ64gPVox+vQACNVz5PZA3kXVLAN5DPYqj+ZhLOd66nZ8SPwzi NkimR39ADdJ+E1wLuYfU3qIoBzLS4i7fJKmlaa2SM451TzWdddapgEl5IWlJYgRc vgO/OMqPEc+9mDlb9EzdeYS8tgdAbdHeHrUUqG22bd4x+H7nBkmbdtFfn66iAHxm HXhZkUmQkTGnAvDS9E8J =4wiG -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Network Observability 1.4.0 for OpenShift Advisory ID: RHSA-2023:5379-01 Product: Network Observability Advisory URL: https://access.redhat.com/errata/RHSA-2023:5379 Issue date: 2023-09-28 CVE Names: CVE-2022-25883 CVE-2023-2602 CVE-2023-2603 CVE-2023-26115 CVE-2023-28321 CVE-2023-28322 CVE-2023-28484 CVE-2023-29469 ===================================================================== 1. Summary: Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Network Observability 1.4.0 Security Fix(es): * word-wrap: Regular Expression Denial of Service (CVE-2023-26115) * nodejs-semver: Regular expression denial of service (CVE-2022-25883) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed(https://bugzilla.redhat.com/): 2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service 2216827 - CVE-2023-26115 word-wrap: ReDoS 5. JIRA issues fixed (https://issues.redhat.com/): NETOBSERV-1009 - Export Netflows without Loki NETOBSERV-1034 - Remove 1.0.x channel NETOBSERV-1107 - Improve ebpf agent memory usage NETOBSERV-1131 - Metrics do not ignore duplicates NETOBSERV-1137 - UI Enhancements 1.4 NETOBSERV-1182 - add cluster name to flp configuration NETOBSERV-1196 - Extend platform coverage for Network Observability NETOBSERV-1224 - Flowcollector does not report status != Ready in OCP Console NETOBSERV-1242 - Console plugin build infos NETOBSERV-1283 - Not able to monitor Multus/SRIOV traffic on Network Observability Operator NETOBSERV-139 - Flow dashboards enhancements (flow-based metrics) NETOBSERV-962 - Add IPFIX exporter NETOBSERV-975 - Flows dropped due to Loki stream limit during large traffic spikes 6. References: https://access.redhat.com/security/cve/CVE-2022-25883 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-26115 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28322 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIcBAEBCAAGBQJlFPJvAAoJENzjgjWX9erE6ocQAIq2UqNWebhHVR6RWz5DNPKV vN3p9UFDDV6218CnhSJ8utdpDfuf/QbiM4SD5oLjgwqkcT55CvHMG3FsDrBSoun7 ihpibVNkK9SD5gyUAtBWYO9jlxuMeDn1FqJqHo4bzVllq1oVQYtZp6FLp+zxrUX0 X7b0NbYsuR2cqec4d01eZvnfEGouvSMS0UnUJzCNZ5837SxND11jbwdYMXeJDZNL vftwDdcVaDXycy4bzK7iuw4ckoZLm30rmuKONbDrwID+tTqQXi2T7cqz3F+OxO6+ N9vLDY6xkOkzVUQtKvC7GYc4lHYZaJycm9KViYhgAF2US9L+vv4sbuyyVM6zpN3t B5+6I0tKX9kJyKpY7hDU9OTtIO2t8mZiTlkhNKv8oBE4AyfMWwbqS/4AGWBea1yN RQlRsMDKnv/qVgT380ckkkD7ksPEnxEy9ZMAvZ0ElQLrtKNPkwXQFhgCu/3QphWJ epieCp3IQiXZaHJeX31E26v3PcwCoeder/FsyRfgNINpLe+WLLSqkbDWvVQHsKHM mfbh/089ps5grHOD8aAv+w25OwbQGQZ1x65nxn4AAfFKtn1+JcRTpuvqZILXAn+f Nst3KqcTO0EDxMO/H7Gi2pTTHvDWzdgvRpkz3RXVyK7IjmqM0tqRXBGvRh45QNfx pKJwnAnKS+8ITelhsQGZ =mX3+ -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: firefox security update Advisory ID: RHSA-2023:5198-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:5198 Issue date: 2023-09-18 CVE Names: CVE-2023-4863 ===================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.15.1 ESR. Security Fix(es): * libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2238431 - CVE-2023-4863 libwebp: Heapbuffer overflow in WebP Codec 6. Package List: Red Hat Enterprise Linux AppStream EUS (v.8.6): Source: firefox-102.15.1-1.el8_6.src.rpm aarch64: firefox-102.15.1-1.el8_6.aarch64.rpm firefox-debuginfo-102.15.1-1.el8_6.aarch64.rpm firefox-debugsource-102.15.1-1.el8_6.aarch64.rpm ppc64le: firefox-102.15.1-1.el8_6.ppc64le.rpm firefox-debuginfo-102.15.1-1.el8_6.ppc64le.rpm firefox-debugsource-102.15.1-1.el8_6.ppc64le.rpm s390x: firefox-102.15.1-1.el8_6.s390x.rpm firefox-debuginfo-102.15.1-1.el8_6.s390x.rpm firefox-debugsource-102.15.1-1.el8_6.s390x.rpm x86_64: firefox-102.15.1-1.el8_6.x86_64.rpm firefox-debuginfo-102.15.1-1.el8_6.x86_64.rpm firefox-debugsource-102.15.1-1.el8_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2023-4863 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJlCGx3AAoJENzjgjWX9erEX+IP/Risnmiku6/aPd/GQxcNNQrB PtrQxvRp4erndvC3uHwoFQtIWOxE6TVkApaTuz9HyhfwWxcGuvXGnIzYT/qMIEoJ nY/lJ6q2T0iFB8mU7Q2YYOm078m/QLqIBGNqNjScAxEFg2aM8Zh6Ja9ISI61BnuC WUvBVsesUGo3rsURqIDfg8HLgzbOlMNFdaXNOhTAPO/F8dcc2nFW7MHOgA2ItiLE OjNdq/4prtLt4zNqbGptj2X2Wdn19cJLjNS/tL+cHiea1Ny17aSVi2N51vOLgp9G IqX5ZZu3/pAmK07kzXLYJ+ARJVYZ3ls6/3j4/GHZe29z2WhEqr+qttEAsmGZVdyv pOpJEO5cuqE/3fkcZHommSNNaWXOlUXjfm+dxiUU+ULT0u/Ls86/YxUC7SfjBtem 5q+XNeYdIM/56cglgtDzP9E91rEB8GluuhptFBLqvgA2UV0mUfqEwIzlMEJrMqU8 5ainn9GBwym5imoqDXZUMn+xecmEvdHSdvitG2We1afY29NNS2yAXN9Lajl9VNto xh/G28hzyk9ivxpzINO0pev9IbhzXeVDCi5Zbsku/CQJ9wdLRvwert67s+GlxHjn XkhB39nJ4Nuf6vRlOErtRxtBkYxFya3Z0Rm6sFYQgIeBsqwKAQNW9T9AA5TYE8FQ TUHprLPoRJnGLvaqeWwH =v+4x -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Red Hat DevWorkspace Operator 0.22 has been released. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: DevWorkspace Operator 0.22 release Advisory ID: RHSA-2023:4889-01 Product: DEVWORKSPACE Advisory URL: https://access.redhat.com/errata/RHSA-2023:4889 Issue date: 2023-08-30 CVE Names: CVE-2023-2602 CVE-2023-2603 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-38408 ===================================================================== 1. Summary: Red Hat DevWorkspace Operator 0.22 has been released. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The DevWorkspace Operator extends OpenShift to provide DevWorkspace support. Security Fix(es): * openssh: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 4. Bugs fixed (https://bugzilla.redhat.com/): 2224173 - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support 5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects): CRW-4641 - Release DevWorkspace Operator v0.22 6. References: https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-38408 https://access.redhat.com/security/updates/classification#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIcBAEBCAAGBQJk7+KOAAoJENzjgjWX9erEOKQP/0EHTmOZXTTPDoYmghH9Fcjg 2+I/HSTn6Tw3hjcK8WJu9oZ/ILI6cyFZNMeEfwt0t0q8Rrpl2aO9kGbgSvh+34eB nm0u6BHml3IGK2dMK3HtWUtUy3AKoWinCW1nuX8a8Ti3GHadDzXvXTuBmGzErFin 9TK+44+njTcJb8KF7WWWINKAEft6MbhU/9Ka0gJ2oEE1b5NacfBslYtPsxNSzn50 tlyVX4fpPbaGNitkrqbakem3szzBhRcJE4xuaXXxV1GMsP67wc6iSALQDmSqf9YD Vas1evj3qVaKwoeum9+holMhYSgdksL891mBA7bViY213vBxlQYBfLyjEKviJp2b nkc86ZDPgDf3rJCKZdsSwWTSLdkyo9WDirMU2Y00hMTXAnf+88G01IFax/rL5PIb vy2szr9w/Ne9jqbeHNQG14nrYroLDtnlD7F3kxavxIl3/zoYxfkDuDM9y3CZrJjO MrM9m5RNXBWfGXZHUh8+BrrY3PaZOwmt1xZ4M6nV+mS3byYf4H+M0Cf/dwRckCGf 1Rx0Y6NT5fGQBoq+BuP2QOi6JiYBHlh0an1rclil2U2ItO7u4DbtAlGGWGvmfbmQ u5FyOoRk23GCDGvpb+nJcwQvx+PMIwnhQQCPptdtXerl9MZfx9yYvWnIfvbPSinz t8LZshP5tSCpVgBWplIK =gNjz -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: .NET 7.0 security, bug fix, and enhancement update Advisory ID: RHSA-2023:4643-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:4643 Issue date: 2023-08-14 CVE Names: CVE-2023-35390 CVE-2023-38180 ===================================================================== 1. Summary: An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.110 and .NET Runtime 7.0.10. Security Fix(es): * dotnet: RCE under dotnet commands (CVE-2023-35390) * dotnet: Kestrel vulnerability to slow read attacks leading to Denial of Service attack (CVE-2023-38180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in theReferences section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2228621 - CVE-2023-38180 dotnet: Kestrel vulnerability to slow read attacks leading to Denial of Service attack 2228622 - CVE-2023-35390 dotnet: RCE under dotnet commands 6. Package List: Red Hat Enterprise Linux AppStream (v.8): Source: dotnet7.0-7.0.110-1.el8_8.src.rpm aarch64: aspnetcore-runtime-7.0-7.0.10-1.el8_8.aarch64.rpm aspnetcore-targeting-pack-7.0-7.0.10-1.el8_8.aarch64.rpm dotnet-7.0.110-1.el8_8.aarch64.rpm dotnet-apphost-pack-7.0-7.0.10-1.el8_8.aarch64.rpm dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-host-7.0.10-1.el8_8.aarch64.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-hostfxr-7.0-7.0.10-1.el8_8.aarch64.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-runtime-7.0-7.0.10-1.el8_8.aarch64.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-sdk-7.0-7.0.110-1.el8_8.aarch64.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.aarch64.rpm dotnet-targeting-pack-7.0-7.0.10-1.el8_8.aarch64.rpm dotnet-templates-7.0-7.0.110-1.el8_8.aarch64.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.aarch64.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.aarch64.rpm netstandard-targeting-pack-2.1-7.0.110-1.el8_8.aarch64.rpm ppc64le: aspnetcore-runtime-7.0-7.0.10-1.el8_8.ppc64le.rpm aspnetcore-targeting-pack-7.0-7.0.10-1.el8_8.ppc64le.rpm dotnet-7.0.110-1.el8_8.ppc64le.rpm dotnet-apphost-pack-7.0-7.0.10-1.el8_8.ppc64le.rpm dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-host-7.0.10-1.el8_8.ppc64le.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-hostfxr-7.0-7.0.10-1.el8_8.ppc64le.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-runtime-7.0-7.0.10-1.el8_8.ppc64le.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-sdk-7.0-7.0.110-1.el8_8.ppc64le.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.ppc64le.rpm dotnet-targeting-pack-7.0-7.0.10-1.el8_8.ppc64le.rpm dotnet-templates-7.0-7.0.110-1.el8_8.ppc64le.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.ppc64le.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.ppc64le.rpm netstandard-targeting-pack-2.1-7.0.110-1.el8_8.ppc64le.rpm s390x: aspnetcore-runtime-7.0-7.0.10-1.el8_8.s390x.rpm aspnetcore-targeting-pack-7.0-7.0.10-1.el8_8.s390x.rpm dotnet-7.0.110-1.el8_8.s390x.rpm dotnet-apphost-pack-7.0-7.0.10-1.el8_8.s390x.rpm dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-host-7.0.10-1.el8_8.s390x.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-hostfxr-7.0-7.0.10-1.el8_8.s390x.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-runtime-7.0-7.0.10-1.el8_8.s390x.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-sdk-7.0-7.0.110-1.el8_8.s390x.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.s390x.rpm dotnet-targeting-pack-7.0-7.0.10-1.el8_8.s390x.rpm dotnet-templates-7.0-7.0.110-1.el8_8.s390x.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.s390x.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.s390x.rpm netstandard-targeting-pack-2.1-7.0.110-1.el8_8.s390x.rpm x86_64: aspnetcore-runtime-7.0-7.0.10-1.el8_8.x86_64.rpm aspnetcore-targeting-pack-7.0-7.0.10-1.el8_8.x86_64.rpm dotnet-7.0.110-1.el8_8.x86_64.rpm dotnet-apphost-pack-7.0-7.0.10-1.el8_8.x86_64.rpm dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-host-7.0.10-1.el8_8.x86_64.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-hostfxr-7.0-7.0.10-1.el8_8.x86_64.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-runtime-7.0-7.0.10-1.el8_8.x86_64.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-sdk-7.0-7.0.110-1.el8_8.x86_64.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.x86_64.rpm dotnet-targeting-pack-7.0-7.0.10-1.el8_8.x86_64.rpm dotnet-templates-7.0-7.0.110-1.el8_8.x86_64.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.x86_64.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.x86_64.rpm netstandard-targeting-pack-2.1-7.0.110-1.el8_8.x86_64.rpm Red Hat Enterprise Linux CRB (v.8): aarch64: dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.aarch64.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.aarch64.rpm dotnet-sdk-7.0-source-built-artifacts-7.0.110-1.el8_8.aarch64.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.aarch64.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.aarch64.rpm ppc64le: dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.ppc64le.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.ppc64le.rpm dotnet-sdk-7.0-source-built-artifacts-7.0.110-1.el8_8.ppc64le.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.ppc64le.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.ppc64le.rpm s390x: dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.s390x.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.s390x.rpm dotnet-sdk-7.0-source-built-artifacts-7.0.110-1.el8_8.s390x.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.s390x.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.s390x.rpm x86_64: dotnet-apphost-pack-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-host-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-hostfxr-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-runtime-7.0-debuginfo-7.0.10-1.el8_8.x86_64.rpm dotnet-sdk-7.0-debuginfo-7.0.110-1.el8_8.x86_64.rpm dotnet-sdk-7.0-source-built-artifacts-7.0.110-1.el8_8.x86_64.rpm dotnet7.0-debuginfo-7.0.110-1.el8_8.x86_64.rpm dotnet7.0-debugsource-7.0.110-1.el8_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7.References: https://access.redhat.com/security/cve/CVE-2023-35390 https://access.redhat.com/security/cve/CVE-2023-38180 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk2oy6AAoJENzjgjWX9erEjeAP/iLDSy13Bn4eWSwgaBrF7OCe MknMYGPt3wLsS+WJ/UeLoFV/rQT2o+r1ZZPtpuATWP25sGmPtiSvDMfttWEevFbi Vu1wi/RHTgEd7iJ0RiVDLyRuS1fsUj5vqORYgvu+FFIy/gTmrV2SWenxKCadiBBe uXKU/L8QUtnGMKDGHtEqpt0B3XEKsYG+nB72um83RegEM+R3uPRYdJw4V7lgL85W O9/Rrq6BexhQ2ChWxAS7qzOxk3Q/iW80hRB0HNu7ljNlWXYEpkGKUXmrPvjFGAX4 UKPD0tLUVopcGId1drzRUNp4uRPGX8MILwQfgwZVkfK4k9wYEyck8GnbRCGzZYtz TfA4DYI30rVkqvcc4oJCP9hnV09KpfzWNNyqcn6876V4j+1tBwveVTDApsLbCwYa +naFV4E/kR0RP0XBL20Eu9paHIyVcSiW4QPUrgtW7v7wGVH6fM5Jlb84apnjsck+ LF76uuZNO2dVQPlokYh1VFzLHdOJiKBndQ0UY6XAd/RG/08V3+UmTECf2ghS+viJ rL3FqvDX4uTMBjehCom/hYNux7+iuCxSl8y2rYAKcBlu/qe53CpZbxEZjIZdZz/2 Wa7oaygnxkeuCNlKZgoNm9l6/Nh2JzmWTqboZXy8vDH5K0CQIKHhuo09FC5+ZONw TK47hhUufwD66+TPMtNt =8QYr -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: Multicluster Engine for Kubernetes 2.1.7 security fixes and container updates Advisory ID: RHSA-2023:3325-01 Product: multicluster engine for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:3325 Issue date: 2023-05-25 CVE Names: CVE-2022-2795 CVE-2022-2928 CVE-2022-2929 CVE-2022-36227 CVE-2022-41973 CVE-2023-0361 CVE-2023-27535 CVE-2023-32313 CVE-2023-32314 ==================================================================== 1. Summary: Multicluster Engine for Kubernetes 2.1.7 General Availability release images, which address security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. 2. Description: Multicluster Engine for Kubernetes 2.1.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Security fix(es): * CVE-2023-32314vm2: Sandbox Escape * CVE-2023-32313 vm2: Inspect Manipulation 3. Solution: For multicluster engine for Kubernetes, see the following documentation for details on how to install the images: 4. Bugs fixed (https://bugzilla.redhat.com/): 2208376 - CVE-2023-32314 vm2: Sandbox Escape 2208377 - CVE-2023-32313 vm2: Inspect Manipulation 5. References: https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2928 https://access.redhat.com/security/cve/CVE-2022-2929 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41973 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-32313 https://access.redhat.com/security/cve/CVE-2023-32314 https://access.redhat.com/security/updates/classification#critical 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZG/BttzjgjWX9erEAQjYsQ/9H3JpPTOvwIPWOwCwcuGu8M5yONlUfHG+ QmK/UaVkA9bTv+OrQQ2Idte+JIAnEI6J5x6Hs5xu14loLY5deqsj4enzk3v+KLal RAN3yxHNBtfdI6aYqgVCtzfGZAWw3lvf5D+unHvNGRb66FXK71BYjRqC4uzGY2OS 5hrYOhJBB7jdcqaQnnA/7aqghZxUgp2drDDszuxidCZj9p1BtRs4R64bdZA1bhda xf7iTnlTmgw/g9Gfv1vaKWSh91ajxXETURzgubZ9Pd8VmxycvBfMo3NlYPb/nPv2 41EYuwSlGBAChCony1nW/nrm0eRvJpBLiuup5G/Z0EZ6dn/kgRgHLv/pKtnpGaVr vSLlSaBBEKdv7u4BmzJ547ULEjGu8ZDOPjFheZvZnNbnluIKdwJOH+hPnqfxNPsd 0zh02tDhzrlJqanC8gTz97TTAakQgNDgMDMn/syi67Gs/o+XDSDF9ypFFxDWjJER de1QmjOlbxQCQRAqKfM2cvkZdLBJ3qLeNWjJE+nGs7jeg0qD3KlD5npHN+vWWmO1 nLCEz4Awd3WXzY3TmkBMv3Sy6RuHWYxm8MyYfrXZA44FEnIspEtx87e2RSNT50jI Fan26hcaiJNmGutIb8GEmKzf9EzBP/tuITzBSQNpcwzlmVbV/CtP6j1vkvBwMsJg PnzJEccKKHs=o7LV -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update is now available for OpenJDK. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenJDK 8u372 Windows Security Update Advisory ID: RHSA-2023:1912-01 Product: OpenJDK Advisory URL: https://access.redhat.com/errata/RHSA-2023:1912 Issue date: 2023-04-25 CVE Names: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 ==================================================================== 1. Summary: An update is now available for OpenJDK. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 (8u372) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (8u362) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * OpenJDK: improper connection handling during TLS handshake (8294474) (CVE-2023-21930) * OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939) * OpenJDK: incorrect enqueue of references in garbage collector (8298191) (CVE-2023-21954) * OpenJDK: certificate validation issue in TLS session negotiation (8298310) (CVE-2023-21967) * OpenJDK: missing string checks for NULL characters(8296622) (CVE-2023-21937) * OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304) (CVE-2023-21938) * OpenJDK: missing check for slash characters in URI-to-path conversion (8298667) (CVE-2023-21968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474) 2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191) 2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310) 2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832) 2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304) 2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622) 2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667) 5. References: https://access.redhat.com/security/cve/CVE-2023-21930 https://access.redhat.com/security/cve/CVE-2023-21937 https://access.redhat.com/security/cve/CVE-2023-21938 https://access.redhat.com/security/cve/CVE-2023-21939 https://access.redhat.com/security/cve/CVE-2023-21954 https://access.redhat.com/security/cve/CVE-2023-21967 https://access.redhat.com/security/cve/CVE-2023-21968 https://access.redhat.com/security/updates/classification#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBZEe/QdzjgjWX9erEAQhqTQ//XYgKY9fteDQ/UR+mNh+qyRkKmblOogQH qsAO79z5wPJ5V7y1Ugpc8qFIZQVnifOmDyLMaUDuhLaqd9rorFHZN3QDgi0hYEwQ FVdmr63aJdUCDGMado0C+G7w4Mp8U9Gn9Ri4W4JnV6raEHTCCMSP6GsIse/zXOr8 lYDbh10t+/lNp6DyLvxbMpmYi8Nbz/AxGBVfKFb4pd8YU7bbxrr0iiiDagZ7tReB BAMyTspTry1cY3C79U6uNqdTiobMjI9O7BmuZPyRSZHxiW9zCAzZ5qoLy/K9HDzU 1KC9TVCSNdlEeHHPd1+K4zyX/Ne/7IVJCI1c3QBmWYQPKbdDjG5UGrGq6c4XoJVv gWxeI6WcsBgDmp2TMWt3BRntnWZueQz7LypPBuaahI21eyCtFQBhk95UTSSEsB5j z221+mXKC9ImY4D9OMK89Gpms7K/GkZlACvlU4YaTLG8zOoEqQJquIkE24BYeb3R oVQBE/MD6r4rcVA+YAQF5+8KWKkyQDRK5pSPFAYwOWDGl6mFvpb84dIEtVLv7m/8 V69xHPupVBpvovaAYA+0Fxxr9lr4761C8dTAj92ZaZOqg/77xcPI0y2Vt2Js2TDe DpZCeY9IrJ3Q83MXXgHBmkHKsmz1SvxQWHkz9n8oUfFJR8/RmwMff1ICYPQmoMQN 259zQEQfg+U=J703 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Get the latest Linux and open source security news straight to your inbox.