Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -5 articles for you...
100
security advisorymoderateregular expression denial of serviceSUSE: 2023:3835-1 Moderate: BCI/Python Update Resolves ReDoS Issue
The container bci/python was updated. The following patches have been included in this update:. SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3835-1 Container Tags : bci/python:3 , bci/python:3-14.33 , bci/python:3.6 , bci/python:3.6-14.33 Container Release : 14.33 Severity : moderate Type : security References : 1206667 CVE-2022-40897 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4517-1 Released: Tue Nov 21 17:30:27 2023 Summary: Security update for python3-setuptools Type: security Severity: moderate References: 1206667,CVE-2022-40897 This update for python3-setuptools fixes the following issues: - CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667). The following package changes have been done: - libxml2-2-2.10.3-150500.5.11.1 updated - libopenssl1_1-1.1.1l-150500.17.22.1 updated - libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated - openssl-1_1-1.1.1l-150500.17.22.1 updated - python3-setuptools-44.1.1-150400.9.6.1 updated - container:sles15-image-15.0.0-36.5.57 updated . Security enhancement for bci/python mitigates ReDoS in python3-setuptools by implementing included patches.. bci/python, security update, python3-setuptools, ReDoS. . LinuxSecurity.com Team
Nov 23, 2023
SuSE
98
security advisoryimportantredhatRedHat: RHSA-2023-5379 Important: Network Observability 1.4.0 ReDoS
Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Network Observability 1.4.0 for OpenShift Advisory ID: RHSA-2023:5379-01 Product: Network Observability Advisory URL: https://access.redhat.com/errata/RHSA-2023:5379 Issue date: 2023-09-28 CVE Names: CVE-2022-25883 CVE-2023-2602 CVE-2023-2603 CVE-2023-26115 CVE-2023-28321 CVE-2023-28322 CVE-2023-28484 CVE-2023-29469 ===================================================================== 1. Summary: Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Network Observability 1.4.0 Security Fix(es): * word-wrap: Regular Expression Denial of Service (CVE-2023-26115) * nodejs-semver: Regular expression denial of service (CVE-2022-25883) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed(https://bugzilla.redhat.com/): 2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service 2216827 - CVE-2023-26115 word-wrap: ReDoS 5. JIRA issues fixed (https://issues.redhat.com/): NETOBSERV-1009 - Export Netflows without Loki NETOBSERV-1034 - Remove 1.0.x channel NETOBSERV-1107 - Improve ebpf agent memory usage NETOBSERV-1131 - Metrics do not ignore duplicates NETOBSERV-1137 - UI Enhancements 1.4 NETOBSERV-1182 - add cluster name to flp configuration NETOBSERV-1196 - Extend platform coverage for Network Observability NETOBSERV-1224 - Flowcollector does not report status != Ready in OCP Console NETOBSERV-1242 - Console plugin build infos NETOBSERV-1283 - Not able to monitor Multus/SRIOV traffic on Network Observability Operator NETOBSERV-139 - Flow dashboards enhancements (flow-based metrics) NETOBSERV-962 - Add IPFIX exporter NETOBSERV-975 - Flows dropped due to Loki stream limit during large traffic spikes 6. References: https://access.redhat.com/security/cve/CVE-2022-25883 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-26115 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28322 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIcBAEBCAAGBQJlFPJvAAoJENzjgjWX9erE6ocQAIq2UqNWebhHVR6RWz5DNPKV vN3p9UFDDV6218CnhSJ8utdpDfuf/QbiM4SD5oLjgwqkcT55CvHMG3FsDrBSoun7 ihpibVNkK9SD5gyUAtBWYO9jlxuMeDn1FqJqHo4bzVllq1oVQYtZp6FLp+zxrUX0 X7b0NbYsuR2cqec4d01eZvnfEGouvSMS0UnUJzCNZ5837SxND11jbwdYMXeJDZNL vftwDdcVaDXycy4bzK7iuw4ckoZLm30rmuKONbDrwID+tTqQXi2T7cqz3F+OxO6+ N9vLDY6xkOkzVUQtKvC7GYc4lHYZaJycm9KViYhgAF2US9L+vv4sbuyyVM6zpN3t B5+6I0tKX9kJyKpY7hDU9OTtIO2t8mZiTlkhNKv8oBE4AyfMWwbqS/4AGWBea1yN RQlRsMDKnv/qVgT380ckkkD7ksPEnxEy9ZMAvZ0ElQLrtKNPkwXQFhgCu/3QphWJ epieCp3IQiXZaHJeX31E26v3PcwCoeder/FsyRfgNINpLe+WLLSqkbDWvVQHsKHM mfbh/089ps5grHOD8aAv+w25OwbQGQZ1x65nxn4AAfFKtn1+JcRTpuvqZILXAn+f Nst3KqcTO0EDxMO/H7Gi2pTTHvDWzdgvRpkz3RXVyK7IjmqM0tqRXBGvRh45QNfx pKJwnAnKS+8ITelhsQGZ =mX3+ -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Sep 28, 2023
•Important
Red Hat
98
security advisorymoderatearbitrary code executionRed Hat: RHSA-2021-2865-01 Moderate: Arbitrary Code Execution Risk
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7] Advisory ID: RHSA-2021:2865-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2021:2865 Issue date: 2021-07-22 CVE Names: CVE-2020-7733 CVE-2020-28469 CVE-2021-23343 CVE-2021-23358 ==================================================================== 1. Summary: Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch 3. Description: The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions. Security Fix(es): * nodejs-underscore: Arbitrary code execution via the template function (CVE-2021-23358) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ua-parser-js: Regular expression denial of service via the regex (CVE-2020-7733) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer tothe CVE page(s) listed in the References section. Bug Fix(es): * Foreman integration, which allows you to provision bare metal hosts from the Administration Portal using Foreman and then added to the Manager, was deprecated in oVirt 4.4.6 / RHV 4.4.6 and removed completely in oVirt 4.4.7 / RHV 4.4.7. Similar functionality to provision bare metal hosts can be achieved using Foreman directly and adding an already provisioned host using the Administration Portal or the REST API. (BZ#1901011) * Adding a message banner to the web administration welcome page is straight forward using custom branding that only contains a preamble section. An example of preamble branding is given here: https://bugzilla-attachments.redhat.com/attachment.cgi?id=1783329 In an engine upgrade, the custom preamble brand remains in place and will work without issue. During engine backup and subsequent restore, on engine restore the custom preamble branding needs to be manually restored/reinstalled and verified. (BZ#1804774) * The column name threads_per_core in the Red hat Virtualization manager Dashboard is being deprecated, and will be removed in a future release. In version 4.4.7.2 the column name for threads_per_core will be changed to number_of_threads. In the Data Warehouse, the old name will be retained as an additional alias, resulting in 2 columns providing the same data: number_of_threads and threads_per_core, and threads_per_core will be removed in a future version. (BZ#1896359) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1752996 - [RFE] Option in VM Portal to Full Screen 1765644 - VM portal on RHV-M 4.3.6 doesn't show the VM "Console Setting" functionality. 1779983 - After memory hot plug, Why the VM is showing icon for "server with the newer configuration for next run"? 1804774 - Simplify the process to add a msg on the RHVM Admin Portal Login 1817346 -[UI] SHA1 fingerprint shown to the user for approval 1877478 - [RFE] collect network metrics in DWH ( rx and tx drop ) 1879733 - CVE-2020-7733 nodejs-ua-parser-js: Regular expression denial of service via the regex 1887434 - LVM IDs and Machine ID are same for all new VMs created from sealed template 1888354 - rhv-log-collector-analyzer 0.2.16 from RHV 4.3 and up does not gather information about storage domains or LUN. 1896359 - "Count threads as cores" option is not honored by the RHV Dashboard CPU graph 1901011 - [RFE] Remove Foreman integration from engine 1902179 - Ignore message about not using latest kernel after upgrade when a host hasn't been rebooted 1937714 - [RFE] Add rx and tx drop to Grafana 1939198 - Refresh LUN operation via Admin Portal fails with "No host was found to perform the operation" 1941581 - [RFE] Add to API external template import 1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1946876 - automatic Maximum Memory exceeds possible maximum on new VM dialog 1951579 - RHV api issues when account has only "UserRole" permissions 1954878 - [RFE] Auto Pinning Policy: improve tooltip description and policy names 1955582 - rhv-image-discrepancies reports "different attribute voltype on storage(SHARED) and on DB(LEAF)" for template volumes 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1960968 - Disable checking of SSH connection when adding a host into the ansible-runner-service inventory 1961338 - [CodeChange][i18n] oVirt 4.4.7 rhv branding - translation update 1967169 - rhv-log-collector-analyzer --json fails with AttributeError 1970718 - Engine hits NPE when importing template with disks on 2 storage domains 6. Package List: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine4.4: Source: ovirt-engine-4.4.7.6-0.11.el8ev.src.rpm ovirt-engine-dwh-4.4.7.3-1.el8ev.src.rpm ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.2.7-1.el8ev.src.rpm ovirt-web-ui-1.7.0-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.10-1.el8ev.src.rpm rhvm-branding-rhv-4.4.9-1.el8ev.src.rpm noarch: ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-backend-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.7.3-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.7.3-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-1.4.4-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-setup-1.4.4-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-restapi-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-tools-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-tools-backup-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.2.7-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.4.7.6-0.11.el8ev.noarch.rpm ovirt-web-ui-1.7.0-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.4.7.6-0.11.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.10-1.el8ev.noarch.rpm rhvm-4.4.7.6-0.11.el8ev.noarch.rpm rhvm-branding-rhv-4.4.9-1.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our keyand details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-7733 https://access.redhat.com/security/cve/CVE-2020-28469 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-23358 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYPmLO9zjgjWX9erEAQjJcQ//a3A/5akbg1AWahPTZpaRMzJgPPvtzMgO YQGrVOPA4ISUIBW1RQKkvSofLNF0RtazAazqf+2xY2AMuTHujiwPJkIAi0vmUM4V G2oQdSHrU1Pj5cqwVp2E8/gjJD3MSMGzQT99rmA2oTKyqcMn8L6vOH6n6xis0Gti q6VNmAV3twiO06bnPLpSxfkhhahYMflBp7yVudq1SCcNfUXjB30DN/5NcrgaNrPo VNj5Q1EMsYA65eCoKKU1pwrE+BWVWKjRX9hOcIUEQ3cUTqeYyytBXWIENKrTxpkj xsKGO7uhIg2u792mMvuDJcOdtwywRmSsSNFTyUOVDbrL8nI1ihZAJ4Fs7Kp/9c4e P+TJRWHGVigaZK80/JlKqjlmpg3dL8tHy0/mwEnEUNUsti/fgXHpvcVTaDEYMEGW ZQEBbDspSa1+Ar7rUVqPLUrUxlYPNUDvdZ6t1xcL0DY7Djw88VziOFZqOfdEti3B CiZJA/B0xzz5yt+YkQypTVT5+ya9upyeqnvQNvNZqzpeuN7Td9+SWW2PaQeQ8Ppn 7jLgVXlExYs5W75/NNCaM/t5PTey7AdJ4PPZSeR+kqj1QR6gcSR5M1IvoROyqcgi fxkGGY0NfOaeUZHNsoATOYv+ToxDzhgPEQpT2IHK+bMxptVzcwGFqAEIRpZORD/j 2JM0wA+XaQY=/4Xn -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Jul 22, 2021
Red Hat
202
security advisorysecurity fiximportantopenSUSE Leap 15.2: 2021:1060-1 Important: Nodejs14 DoS Issues
An update that fixes four vulnerabilities is now available. . openSUSE Security Update: Security update for nodejs14 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1060-1 Rating: important References: #1184450 #1187973 #1187976 #1187977 Cross-References: CVE-2020-7774 CVE-2021-22918 CVE-2021-23362 CVE-2021-27290 CVSS scores: CVE-2020-7774 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2021-22918 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2021-23362 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-23362 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-27290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27290 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for nodejs14 fixes the following issues: Update nodejs14 to 14.17.2. Including fixes for: - CVE-2021-22918: libuv upgrade - Out of bounds read (bsc#1187973) - CVE-2021-27290: ssri Regular Expression Denial of Service (bsc#1187976) - CVE-2021-23362: hosted-git-info Regular Expression Denial of Service (bsc#1187977) - CVE-2020-7774: y18n Prototype Pollution (bsc#1184450) This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1060=1 Package List: - openSUSE Leap 15.2(noarch): nodejs14-docs-14.17.2-lp152.11.1 - openSUSE Leap 15.2 (x86_64): nodejs14-14.17.2-lp152.11.1 nodejs14-debuginfo-14.17.2-lp152.11.1 nodejs14-debugsource-14.17.2-lp152.11.1 nodejs14-devel-14.17.2-lp152.11.1 npm14-14.17.2-lp152.11.1 References: https://www.suse.com/security/cve/CVE-2020-7774.html https://www.suse.com/security/cve/CVE-2021-22918.html https://www.suse.com/security/cve/CVE-2021-23362.html https://www.suse.com/security/cve/CVE-2021-27290.html https://bugzilla.suse.com/1184450 https://bugzilla.suse.com/1187973 https://bugzilla.suse.com/1187976 https://bugzilla.suse.com/1187977 . A crucial update for nodejs14 on openSUSE addresses several security vulnerabilities, improving overall system protection.. openSUSE Security Update, Nodejs14 patch, important security issues. . Severity: Important. LinuxSecurity.com Team
Jul 19, 2021
•Important
OpenSUSE
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!