CERT RSS

Subscribe to the CERT RSS feed CERT RSS
Updated: 1 hour 38 minutes ago

Security vulnerabilities in the rubygem-kramdown software package

Thu, 2020-08-20 15:04
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2020-5c70d97eca
2020-08-20 01:03:35.305841
——————————————————————————–

Name : rubygem-kramdown
Product : Fedora 31
Version : 1.17.0
Release : 6.fc31
URL : http://kramdown.rubyforge.org
Summary : Fast, pure-Ruby Markdown-superset converter
Description :
kramdown is yet-another-markdown-parser but fast, pure Ruby,
using a strict syntax definition and supporting several common extensions.

——————————————————————————–
Update Information:

A security flaw was found in ruby kramdown which may lead to unintended code
execution. This vulnerability has been assigned CVE-2020-14001. This new rpm
should fix this issue.
——————————————————————————–
ChangeLog:

* Mon Aug 10 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 1.17.0-6
- Backport upstream patch for CVE-2020-14001 (bug 1858395)
——————————————————————————–
References:

[ 1 ] Bug #1858414 - CVE-2020-14001 rubygem-kramdown: processing template options inside documents allows unintended read access or embedded Ruby code execution [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1858414
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-5c70d97eca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

 


The post Security vulnerabilities in the rubygem-kramdown software package appeared first on CERT.hr.

Security vulnerabilities in the MozillaFirefox software package

Mon, 2020-07-20 16:05
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0983-1
Rating: important
References: #1166238 #1173576 #1173613
Cross-References: CVE-2020-12402 CVE-2020-12415 CVE-2020-12416
CVE-2020-12417 CVE-2020-12418 CVE-2020-12419
CVE-2020-12420 CVE-2020-12421 CVE-2020-12422
CVE-2020-12423 CVE-2020-12424 CVE-2020-12425
CVE-2020-12426
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for MozillaFirefox to version 78.0.1 ESR fixes the following
issues:

Security issues fixed:

- CVE-2020-12415: AppCache manifest poisoning due to url encoded character
processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for
ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object
(bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
(bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
(bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate
trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
(bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library
(bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a
compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).

Non-security issues fixed:

- Fixed interaction with freetype6 (bsc#1173613).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-983=1

Package List:

- openSUSE Leap 15.2 (x86_64):

MozillaFirefox-78.0.1-lp152.2.5.1
MozillaFirefox-branding-upstream-78.0.1-lp152.2.5.1
MozillaFirefox-buildsymbols-78.0.1-lp152.2.5.1
MozillaFirefox-debuginfo-78.0.1-lp152.2.5.1
MozillaFirefox-debugsource-78.0.1-lp152.2.5.1
MozillaFirefox-devel-78.0.1-lp152.2.5.1
MozillaFirefox-translations-common-78.0.1-lp152.2.5.1
MozillaFirefox-translations-other-78.0.1-lp152.2.5.1

References:

https://www.suse.com/security/cve/CVE-2020-12402.html
https://www.suse.com/security/cve/CVE-2020-12415.html
https://www.suse.com/security/cve/CVE-2020-12416.html
https://www.suse.com/security/cve/CVE-2020-12417.html
https://www.suse.com/security/cve/CVE-2020-12418.html
https://www.suse.com/security/cve/CVE-2020-12419.html
https://www.suse.com/security/cve/CVE-2020-12420.html
https://www.suse.com/security/cve/CVE-2020-12421.html
https://www.suse.com/security/cve/CVE-2020-12422.html
https://www.suse.com/security/cve/CVE-2020-12423.html
https://www.suse.com/security/cve/CVE-2020-12424.html
https://www.suse.com/security/cve/CVE-2020-12425.html
https://www.suse.com/security/cve/CVE-2020-12426.html
https://bugzilla.suse.com/1166238
https://bugzilla.suse.com/1173576
https://bugzilla.suse.com/1173613


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

 

 

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1017-1
Rating: important
References: #1166238 #1173576 #1173613
Cross-References: CVE-2020-12402 CVE-2020-12415 CVE-2020-12416
CVE-2020-12417 CVE-2020-12418 CVE-2020-12419
CVE-2020-12420 CVE-2020-12421 CVE-2020-12422
CVE-2020-12423 CVE-2020-12424 CVE-2020-12425
CVE-2020-12426
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for MozillaFirefox to version 78.0.1 ESR fixes the following
issues:

Security issues fixed:

- CVE-2020-12415: AppCache manifest poisoning due to url encoded character
processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for
ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object
(bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
(bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
(bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate
trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
(bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library
(bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a
compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).

Non-security issues fixed:

- Fixed interaction with freetype6 (bsc#1173613).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-1017=1

Package List:

- openSUSE Leap 15.1 (x86_64):

MozillaFirefox-78.0.1-lp151.2.53.1
MozillaFirefox-branding-upstream-78.0.1-lp151.2.53.1
MozillaFirefox-buildsymbols-78.0.1-lp151.2.53.1
MozillaFirefox-debuginfo-78.0.1-lp151.2.53.1
MozillaFirefox-debugsource-78.0.1-lp151.2.53.1
MozillaFirefox-devel-78.0.1-lp151.2.53.1
MozillaFirefox-translations-common-78.0.1-lp151.2.53.1
MozillaFirefox-translations-other-78.0.1-lp151.2.53.1

References:

https://www.suse.com/security/cve/CVE-2020-12402.html
https://www.suse.com/security/cve/CVE-2020-12415.html
https://www.suse.com/security/cve/CVE-2020-12416.html
https://www.suse.com/security/cve/CVE-2020-12417.html
https://www.suse.com/security/cve/CVE-2020-12418.html
https://www.suse.com/security/cve/CVE-2020-12419.html
https://www.suse.com/security/cve/CVE-2020-12420.html
https://www.suse.com/security/cve/CVE-2020-12421.html
https://www.suse.com/security/cve/CVE-2020-12422.html
https://www.suse.com/security/cve/CVE-2020-12423.html
https://www.suse.com/security/cve/CVE-2020-12424.html
https://www.suse.com/security/cve/CVE-2020-12425.html
https://www.suse.com/security/cve/CVE-2020-12426.html
https://bugzilla.suse.com/1166238
https://bugzilla.suse.com/1173576
https://bugzilla.suse.com/1173613

The post Security vulnerabilities in the MozillaFirefox software package appeared first on CERT.hr.

Security vulnerability in the openldap2 software package

Mon, 2020-07-20 16:05
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0976-1
Rating: important
References: #1172698 #1172704
Cross-References: CVE-2020-8023
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to
root when OPENLDAP_CONFIG_BACKEND="ldap" was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-976=1

Package List:

- openSUSE Leap 15.2 (i586 x86_64):

libldap-2_4-2-2.4.46-lp152.14.3.1
libldap-2_4-2-debuginfo-2.4.46-lp152.14.3.1
openldap2-2.4.46-lp152.14.3.1
openldap2-back-meta-2.4.46-lp152.14.3.1
openldap2-back-meta-debuginfo-2.4.46-lp152.14.3.1
openldap2-back-perl-2.4.46-lp152.14.3.1
openldap2-back-perl-debuginfo-2.4.46-lp152.14.3.1
openldap2-back-sock-2.4.46-lp152.14.3.1
openldap2-back-sock-debuginfo-2.4.46-lp152.14.3.1
openldap2-back-sql-2.4.46-lp152.14.3.1
openldap2-back-sql-debuginfo-2.4.46-lp152.14.3.1
openldap2-client-2.4.46-lp152.14.3.1
openldap2-client-debuginfo-2.4.46-lp152.14.3.1
openldap2-contrib-2.4.46-lp152.14.3.1
openldap2-contrib-debuginfo-2.4.46-lp152.14.3.1
openldap2-debuginfo-2.4.46-lp152.14.3.1
openldap2-debugsource-2.4.46-lp152.14.3.1
openldap2-devel-2.4.46-lp152.14.3.1
openldap2-devel-static-2.4.46-lp152.14.3.1
openldap2-ppolicy-check-password-1.2-lp152.14.3.1
openldap2-ppolicy-check-password-debuginfo-1.2-lp152.14.3.1

- openSUSE Leap 15.2 (noarch):

libldap-data-2.4.46-lp152.14.3.1
openldap2-doc-2.4.46-lp152.14.3.1

- openSUSE Leap 15.2 (x86_64):

libldap-2_4-2-32bit-2.4.46-lp152.14.3.1
libldap-2_4-2-32bit-debuginfo-2.4.46-lp152.14.3.1
openldap2-devel-32bit-2.4.46-lp152.14.3.1

References:

https://www.suse.com/security/cve/CVE-2020-8023.html
https://bugzilla.suse.com/1172698
https://bugzilla.suse.com/1172704



The post Security vulnerability in the openldap2 software package appeared first on CERT.hr.

Security vulnerabilities in the singularity software package

Mon, 2020-07-20 16:05
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for singularity
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1011-1
Rating: important
References: #1174148 #1174150 #1174152
Cross-References: CVE-2020-13845 CVE-2020-13846 CVE-2020-13847

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for singularity fixes the following issues:

- New version 3.6.0. This version introduces a new signature format for
  SIF images, and changes to the signing / verification code to address
  the following security problems:
  - CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0,
    issues allow the ECL to be bypassed by a malicious user.
  - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option
    to singularity verify returns success even when some objects in a SIF
    container are not signed, or cannot be verified.
  - CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0,
    Singularity's sign and verify commands do not sign metadata found in
    the global header or data object descriptors of a SIF file, allowing
    an attacker to cause unexpected behavior. A signed container may
    verify successfully, even when it has been modified in ways that could
    be exploited to cause malicious behavior.

- New features / functionalities
  - A new '--legacy-insecure' flag to verify allows verification of SIF
    signatures in the old, insecure format.
  - A new '-l / --logs' flag for instance list that shows the paths to
    instance STDERR / STDOUT log files.
  - The --json output of instance list now includes paths to STDERR /
    STDOUT log files.
  - Singularity now supports the execution of minimal Docker/OCI
    containers that do not contain /bin/sh, e.g. docker://hello-world.
  - A new cache structure is used that is concurrency safe on a filesystem
    that supports atomic rename. If you downgrade to Singularity 3.5 or
    older after using 3.6 you will need to run singularity cache clean.
  - A plugin system rework adds new hook points that will allow the
    development of plugins that modify behavior of the runtime. An image
    driver concept is introduced for plugins to support new ways of
    handling image and overlay mounts. Plugins built for <=3.5 are not
    compatible with 3.6.
  - The --bind flag can now bind directories from a SIF or ext3 image into
    a container.
  - The --fusemount feature to mount filesystems to a container via FUSE
    drivers is now a supported feature (previously an experimental hidden
    flag).
    - This permits users to mount e.g. sshfs and cvmfs filesystems to the
      container at runtime.
  - A new -c/--config flag allows an alternative singularity.conf to be
    specified by the root user, or all users in an unprivileged
    installation.
  - A new --env flag allows container environment variables to be set via
    the Singularity command line.
  - A new --env-file flag allows container environment variables to be set
    from a specified file.
  - A new --days flag for cache clean allows removal of items older than a
    specified number of days. Replaces the --name flag which is not
    generally useful as the cache entries are stored by hash, not a
    friendly name.

- Changed defaults / behaviours
  - New signature format (see security fixes above).
  - Fixed spacing of singularity instance list to be dynamically changing
    based off of input lengths instead of fixed number of spaces to account
    for long instance names.
  - Environment variables prefixed with SINGULARITYENV_ always take
    precedence over variables without SINGULARITYENV_ prefix.
  - The %post build section inherits environment variables from the base
    image.
  - %files from ... will now follow symlinks for sources that are directly
    specified, or directly resolved from a glob pattern. It will not follow
    symlinks found through directory traversal. This mirrors Docker
    multi-stage COPY behaviour.
  - Restored the CWD mount behaviour of v2, implying that CWD path is not
    recreated inside container and any symlinks in the CWD path are not
    resolved anymore to determine the destination path inside container.
  - The %test build section is executed in the same manner as singularity
    test image.
  - --fusemount with the container: default directive will foreground the
    FUSE process. Use container-daemon: for previous behavior.

- Deprecate -a / --all option to sign/verify as new signature behavior
  makes this the default.
- For more information about upstream changes, please check:
  https://github.com/hpcng/singularity/blob/master/CHANGELOG.md
- Removed --name flag for cache clean; replaced with --days.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-1011=1

Package List:

- openSUSE Leap 15.2 (x86_64):

singularity-3.6.0-lp152.2.3.1
singularity-debuginfo-3.6.0-lp152.2.3.1

References:

https://www.suse.com/security/cve/CVE-2020-13845.html
https://www.suse.com/security/cve/CVE-2020-13846.html
https://www.suse.com/security/cve/CVE-2020-13847.html
https://bugzilla.suse.com/1174148
https://bugzilla.suse.com/1174150
https://bugzilla.suse.com/1174152



The post Security vulnerabilities in the singularity software package appeared first on CERT.hr.

Security vulnerabilities in the webkit2gtk3 software package

Mon, 2020-07-20 16:05
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2020-d2736ee493
2020-07-18 01:08:05.874317
——————————————————————————–

Name : webkit2gtk3
Product : Fedora 31
Version : 2.28.3
Release : 1.fc31
URL : http://www.webkitgtk.org/
Summary : GTK Web content engine library
Description :
WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.

This package contains WebKit2 based WebKitGTK for GTK 3.

——————————————————————————–
Update Information:

Update to 2.28.3:
* Fix kinetic scrolling with async scrolling.
* Fix web process hangs on large GitHub pages.
* Bubblewrap sandbox should not attempt to bind empty paths.
* Fix threading issues in the media player.
* Fix several crashes and rendering issues.
* Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806,
  CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, CVE-2020-13753
——————————————————————————–
ChangeLog:

* Thu Jul 9 2020 Michael Catanzaro <mcatanzaro@redhat.com> - 2.28.3-1
- Update to 2.28.3
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-d2736ee493' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

The post Security vulnerabilities in the webkit2gtk3 software package appeared first on CERT.hr.

Security vulnerability in the redis software package

Mon, 2020-07-20 16:04
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LDE

-------------------------------------------------------------------------
Debian Security Advisory DSA-4731-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 19, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : redis
CVE ID : CVE-2020-14147

An integer overflow flaw leading to a stack-based buffer overflow was
discovered in redis, a persistent key-value database. A remote attacker
can use this flaw to cause a denial of service (application crash).

For the stable distribution (buster), this problem has been fixed in
version 5:5.0.3-4+deb10u2.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

The post Security vulnerability in the redis software package appeared first on CERT.hr.

Security vulnerability in the ruby software package

Mon, 2020-07-20 16:04
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LDE

-------------------------------------------------------------------------
Debian Security Advisory DSA-4730-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 19, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ruby-sanitize
CVE ID : CVE-2020-4054
Debian Bug : 963808

Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML
sanitizer, is prone to an HTML sanitization bypass vulnerability when
using the "relaxed" or a custom config allowing certain elements.
Content in a <math> or <svg> element may not be sanitized correctly even
if math and svg are not in the allowlist.

For the stable distribution (buster), this problem has been fixed in
version 4.6.6-2.1~deb10u1.

We recommend that you upgrade your ruby-sanitize packages.

For the detailed security status of ruby-sanitize please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sanitize

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


The post Security vulnerability in the ruby software package appeared first on CERT.hr.

Security vulnerability in the python-ipaddress software package

Mon, 2020-07-20 16:04
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for python-ipaddress
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:1002-1
Rating: important
References: #1173274
Cross-References: CVE-2020-14422
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-ipaddress fixes the following issues:

- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422
(bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and
IPv6Interface could lead to DoS.

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-1002=1

Package List:

- openSUSE Leap 15.2 (noarch):

python-ipaddress-1.0.18-lp152.4.3.1

References:

https://www.suse.com/security/cve/CVE-2020-14422.html
https://bugzilla.suse.com/1173274



openSUSE Security Update: Security update for python-ipaddress
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0989-1
Rating: important
References: #1173274
Cross-References: CVE-2020-14422
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-ipaddress fixes the following issues:

- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing CVE-2020-14422
(bsc#1173274, bpo#41004), where hash collisions in IPv4Interface and
IPv6Interface could lead to DoS.

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-989=1

Package List:

- openSUSE Leap 15.1 (noarch):

python-ipaddress-1.0.18-lp151.3.3.1

References:

https://www.suse.com/security/cve/CVE-2020-14422.html
https://bugzilla.suse.com/1173274



The post Security vulnerability in the python-ipaddress software package appeared first on CERT.hr.

Security vulnerabilities in the LibVNCServer software library

Mon, 2020-07-20 16:04
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for LibVNCServer
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0978-1
Rating: important
References: #1173477
Cross-References: CVE-2017-18922
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for LibVNCServer fixes the following issues:

- CVE-2017-18922: Fixed an issue which could have allowed an unauthenticated
attacker to overwrite a function pointer that was subsequently used, leading
to potential remote code execution (bsc#1173477).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-978=1

Package List:

- openSUSE Leap 15.2 (i586 x86_64):

LibVNCServer-debugsource-0.9.10-lp152.9.4.1
LibVNCServer-devel-0.9.10-lp152.9.4.1
libvncclient0-0.9.10-lp152.9.4.1
libvncclient0-debuginfo-0.9.10-lp152.9.4.1
libvncserver0-0.9.10-lp152.9.4.1
libvncserver0-debuginfo-0.9.10-lp152.9.4.1

References:

https://www.suse.com/security/cve/CVE-2017-18922.html
https://bugzilla.suse.com/1173477



The post Security vulnerabilities in the LibVNCServer software library appeared first on CERT.hr.

Security vulnerability in the .NET Core software package

Mon, 2020-07-20 16:04
  • OS details: WN7
  • Importance: URG
  • Operating systems: L
  • Categories: LRH

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: .NET Core security update
Advisory ID: RHSA-2020:2989-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2989
Issue date: 2020-07-17
CVE Names: CVE-2020-1147
=====================================================================

1. Summary:

An update for .NET Core is now available for Red Hat Enterprise Linux 8.0
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.0) - x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

New versions of .NET Core that address a security vulnerability are now
available. The updated version is .NET Core Runtime 2.1.20 and SDK 2.1.516.

Security Fix(es):

* .NET Core: XML source markup processing remote code execution
(CVE-2020-1147)

Default inclusions for applications built with .NET Core have been updated
to reference the newest versions and their security fixes.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856929 – CVE-2020-1147 dotnet: XML source markup processing remote code execution

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.0):

Source:
dotnet-2.1.516-1.el8_0.src.rpm

x86_64:
dotnet-2.1.516-1.el8_0.x86_64.rpm
dotnet-debuginfo-2.1.516-1.el8_0.x86_64.rpm
dotnet-debugsource-2.1.516-1.el8_0.x86_64.rpm
dotnet-host-2.1.20-1.el8_0.x86_64.rpm
dotnet-host-debuginfo-2.1.20-1.el8_0.x86_64.rpm
dotnet-host-fxr-2.1-2.1.20-1.el8_0.x86_64.rpm
dotnet-host-fxr-2.1-debuginfo-2.1.20-1.el8_0.x86_64.rpm
dotnet-runtime-2.1-2.1.20-1.el8_0.x86_64.rpm
dotnet-runtime-2.1-debuginfo-2.1.20-1.el8_0.x86_64.rpm
dotnet-sdk-2.1-2.1.516-1.el8_0.x86_64.rpm
dotnet-sdk-2.1.5xx-2.1.516-1.el8_0.x86_64.rpm
dotnet-sdk-2.1.5xx-debuginfo-2.1.516-1.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
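A package list like the one above only answers the question that matters ("is what I have installed older than this?") if the comparison uses rpm's own version ordering. The script below is an added example, not Red Hat tooling and not part of the advisory: it parses the NVRA file names from the list, reads `rpm -qa`-style output and reports packages that are still older, using a Python re-implementation of rpm's version comparison (rpmvercmp, including the `~` pre-release and `^` post-release separators). The installed-package sample is constructed for the example; on a real host feed it the output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`.

```python
"""Compare installed RPMs against an advisory package list.

Added example; not part of the Red Hat advisory or of any Red Hat tool.
rpm's version ordering is re-implemented here so the check runs without librpm.
"""
import re
from typing import Dict, List, Tuple

EVR = Tuple[int, str, str]  # (epoch, version, release)

# File names copied from the RHSA-2020:2989 package list above.
ADVISORY_PACKAGES = """
dotnet-2.1.516-1.el8_0.src.rpm
dotnet-2.1.516-1.el8_0.x86_64.rpm
dotnet-host-2.1.20-1.el8_0.x86_64.rpm
dotnet-runtime-2.1-2.1.20-1.el8_0.x86_64.rpm
dotnet-sdk-2.1-2.1.516-1.el8_0.x86_64.rpm
dotnet-sdk-2.1.5xx-2.1.516-1.el8_0.x86_64.rpm
"""

# Constructed sample of `rpm -qa` output (name epoch version release arch);
# NOT captured from a real host. rpm prints "(none)" for a missing epoch.
INSTALLED_SAMPLE = """
dotnet-host (none) 2.1.19 1.el8_0 x86_64
dotnet-runtime-2.1 (none) 2.1.19 1.el8_0 x86_64
dotnet-sdk-2.1 (none) 2.1.516 1.el8_0 x86_64
dotnet-sdk-2.1.5xx (none) 2.1.516 1.el8_0 x86_64
bash (none) 4.4.19 10.el8 x86_64
"""

_SEG = re.compile(r"~|\^|[0-9]+|[A-Za-z]+")  # separators other than ~ and ^ are ignored


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta is None and tb is None:
            return 0
        # '~' sorts before anything, even the end of the string: 1.0~rc1 < 1.0
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        # '^' sorts after the end of the string but before anything else:
        # 1.0 < 1.0^post1 < 1.0.1
        if ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i += 1
            continue
        if ta is None:          # whichever string has segments left is newer
            return -1
        if tb is None:
            return 1
        a_num, b_num = ta.isdigit(), tb.isdigit()
        if a_num != b_num:      # a numeric segment beats an alphabetic one
            return 1 if a_num else -1
        if a_num:
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return 1 if ia > ib else -1
        elif ta != tb:
            return 1 if ta > tb else -1
        i += 1


def evrcmp(a: EVR, b: EVR) -> int:
    """Epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    r = rpmvercmp(a[1], b[1])
    return r if r else rpmvercmp(a[2], b[2])


def parse_advisory(text: str) -> Dict[Tuple[str, str], EVR]:
    """(name, arch) -> EVR from file names of the form name-ver-rel.arch.rpm.

    File names carry no epoch, so epoch 0 is assumed; check `rpm -qp --qf
    '%{EPOCH}'` on the real package if the package uses one.
    """
    out: Dict[Tuple[str, str], EVR] = {}
    for token in text.split():
        if not token.endswith(".rpm"):
            continue
        nvra, arch = token[:-4].rsplit(".", 1)
        if arch == "src":
            continue                            # source RPMs are never "installed"
        name, ver, rel = nvra.rsplit("-", 2)    # the name itself may contain '-'
        out[(name, arch)] = (0, ver, rel)
    return out


def parse_installed(text: str) -> Dict[Tuple[str, str], EVR]:
    out: Dict[Tuple[str, str], EVR] = {}
    for line in text.strip().splitlines():
        name, epoch, ver, rel, arch = line.split()
        out[(name, arch)] = (0 if epoch == "(none)" else int(epoch), ver, rel)
    return out


def find_outdated(advisory_text: str, installed_text: str) -> List[Tuple[str, str, str]]:
    """Installed packages older than the advisory's version, as (name, have, want)."""
    want = parse_advisory(advisory_text)
    have = parse_installed(installed_text)
    hits = []
    for key, adv_evr in sorted(want.items()):
        inst = have.get(key)
        if inst is not None and evrcmp(inst, adv_evr) < 0:
            hits.append((key[0], "%s-%s" % inst[1:], "%s-%s" % adv_evr[1:]))
    return hits


if __name__ == "__main__":
    for name, have, want in find_outdated(ADVISORY_PACKAGES, INSTALLED_SAMPLE):
        print("OUTDATED %-22s installed %-16s advisory %s" % (name, have, want))
```

Packages the advisory lists but the host does not have are deliberately not reported: the question is "is my copy older?", not "do I have everything?". The `.src.rpm` entry is skipped for the same reason.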

7. References:

https://access.redhat.com/security/cve/CVE-2020-1147
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce


Security flaws in the xen package

Mon, 2020-07-20 16:03
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0985-1
Rating: important
References: #1027519 #1172205 #1173376 #1173377 #1173378
#1173380
Cross-References: CVE-2020-0543 CVE-2020-15563 CVE-2020-15565
CVE-2020-15566 CVE-2020-15567
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves 5 vulnerabilities and has one erratum
is now available.

Description:

This update for xen fixes the following issues:

– CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking
(bsc#1173377).
– CVE-2020-15565: Fixed insufficient cache write-back under VT-d
(bsc#1173378).
– CVE-2020-15566: Fixed incorrect error handling in event channel port
allocation (bsc#1173376).
– CVE-2020-15567: Fixed non-atomic modification of live EPT PTE
(bsc#1173380).
– CVE-2020-0543: Special Register Buffer Data Sampling (SRBDS) aka
“CrossTalk” (bsc#1172205).

Additional upstream bug fixes (bsc#1027519)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2020-985=1

Package List:

– openSUSE Leap 15.2 (i586 x86_64):

xen-debugsource-4.13.1_04-lp152.2.3.1
xen-devel-4.13.1_04-lp152.2.3.1
xen-libs-4.13.1_04-lp152.2.3.1
xen-libs-debuginfo-4.13.1_04-lp152.2.3.1
xen-tools-domU-4.13.1_04-lp152.2.3.1
xen-tools-domU-debuginfo-4.13.1_04-lp152.2.3.1

– openSUSE Leap 15.2 (x86_64):

xen-4.13.1_04-lp152.2.3.1
xen-doc-html-4.13.1_04-lp152.2.3.1
xen-libs-32bit-4.13.1_04-lp152.2.3.1
xen-libs-32bit-debuginfo-4.13.1_04-lp152.2.3.1
xen-tools-4.13.1_04-lp152.2.3.1
xen-tools-debuginfo-4.13.1_04-lp152.2.3.1

– openSUSE Leap 15.2 (noarch):

xen-tools-xendomains-wait-disk-4.13.1_04-lp152.2.3.1

References:

https://www.suse.com/security/cve/CVE-2020-0543.html
https://www.suse.com/security/cve/CVE-2020-15563.html
https://www.suse.com/security/cve/CVE-2020-15565.html
https://www.suse.com/security/cve/CVE-2020-15566.html
https://www.suse.com/security/cve/CVE-2020-15567.html
https://bugzilla.suse.com/1027519
https://bugzilla.suse.com/1172205
https://bugzilla.suse.com/1173376
https://bugzilla.suse.com/1173377
https://bugzilla.suse.com/1173378
https://bugzilla.suse.com/1173380



Security flaw in the .NET Core package

Mon, 2020-07-20 08:10
  • OS details: WN7
  • Severity: URG
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: .NET Core security and bugfix update
Advisory ID: RHSA-2020:2988-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2988
Issue date: 2020-07-16
CVE Names: CVE-2020-1147
=====================================================================

1. Summary:

An update for .NET Core is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) – x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

New versions of .NET Core that address a security vulnerability are now
available. The updated version is .NET Core Runtime 2.1.20 and SDK 2.1.516.

Security Fix(es):

* .NET Core: XML source markup processing remote code execution
(CVE-2020-1147)

Default inclusions for applications built with .NET Core have been updated
to reference the newest versions and their security fixes.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856929 – CVE-2020-1147 dotnet: XML source markup processing remote code execution

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
dotnet-2.1.516-1.el8_1.src.rpm

x86_64:
dotnet-debuginfo-2.1.516-1.el8_1.x86_64.rpm
dotnet-debugsource-2.1.516-1.el8_1.x86_64.rpm
dotnet-host-fxr-2.1-2.1.20-1.el8_1.x86_64.rpm
dotnet-host-fxr-2.1-debuginfo-2.1.20-1.el8_1.x86_64.rpm
dotnet-runtime-2.1-2.1.20-1.el8_1.x86_64.rpm
dotnet-runtime-2.1-debuginfo-2.1.20-1.el8_1.x86_64.rpm
dotnet-sdk-2.1-2.1.516-1.el8_1.x86_64.rpm
dotnet-sdk-2.1.5xx-2.1.516-1.el8_1.x86_64.rpm
dotnet-sdk-2.1.5xx-debuginfo-2.1.516-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-1147
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXxCortzjgjWX9erEAQh9Qg/+LHxhNgVostjdRPS7ALBH6RdmxANiiB9+
/tgGKhmBA133jvFBUDble1dc/0YxhyMEnjEmzltSaMdoiP2bMFicp0zkOXwgqrQp
fquiDmOGrtKIkKMIsJLj7elFvaC42D1EP3bGAjI4RmJvW+1b2aYd2gpPyTi4XLv4
762SduS9YD81qNxHjRT6AvOSd2K6BD649GH5t+02InoSpgDbxcuH+zctbREXC3pp
iIwSK73yWF3Odplj3ljVqxENPRIcshIapNfA0rU47o3be5Ts40A/wcztgE9bxXdn
l6FrgIFyKOiDnKWSUQPzdl3qPlVpd2B6o7UzmyvZN7GfnRaeZh4dv/3zRXAldaQx
i3uyIb8j5Xh9Ev/vN/PbFA361IUftqlzdtDWv0D92vvRd59oiGRc63rH5u0iRIn3
V1kNyw0gALFbM4K1hkiAm79pOryJJBY1da9qMMWTevfFS5LygS/eDRe6azJX/qjG
0nm1s6V97U4AarU5UXnLQxLjIY7FSFpGKOkQu+XonUqJvkHURcFaQB+nZGhsw8Re
xY/2hWweOq/awyov1OI/kKBX6kbacFE/SKhDGD3sxVygRLWYWX/QRFeqzAz5Vh3f
zNkJROPoBbyoteRPJJgG3fhMn+0yCccQ1pQ7+xTQvFOQOSSyxi1x2Z+xOItfB/kp
3G86mWPbBzE=
=1blX
-----END PGP SIGNATURE-----



Security flaw in the python39 package

Mon, 2020-07-20 08:09
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2020-705c6ea5be
2020-07-17 00:47:32.617398
——————————————————————————–

Name : python39
Product : Fedora 32
Version : 3.9.0~b4
Release : 1.fc32
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.

This package exists to allow developers to test their code against a newer
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, update your Fedora to a newer
version once Python 3.9 is stable.

——————————————————————————–
Update Information:

Update to 3.9.0b4
——————————————————————————–
ChangeLog:

* Sat Jul 4 2020 Tomas Hrnciar <thrnciar@redhat.com> – 3.9.0~b4-1
– Update to 3.9.0b4
——————————————————————————–
References:

[ 1 ] Bug #1854943 – CVE-2020-14422 python39: python: DoS via inefficiency in IPv{4,6}Interface classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1854943
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-705c6ea5be' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2020-b513391ca8
2020-07-17 01:04:26.705928
——————————————————————————–

Name : python39
Product : Fedora 31
Version : 3.9.0~b4
Release : 1.fc31
URL : https://www.python.org/
Summary : Version 3.9 of the Python interpreter
Description :
Python 3.9 package for developers.

This package exists to allow developers to test their code against a newer
version of Python. This is not a full Python stack and if you wish to run
your applications with Python 3.9, update your Fedora to a newer
version once Python 3.9 is stable.

——————————————————————————–
Update Information:

Update to 3.9.0b4
——————————————————————————–
ChangeLog:

* Sat Jul 4 2020 Tomas Hrnciar <thrnciar@redhat.com> – 3.9.0~b4-1
– Update to 3.9.0b4
——————————————————————————–
References:

[ 1 ] Bug #1854943 – CVE-2020-14422 python39: python: DoS via inefficiency in IPv{4,6}Interface classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1854943
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b513391ca8' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

Security flaws in the OpenJDK package

Mon, 2020-07-20 08:09
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.8.0-openjdk security update
Advisory ID: RHSA-2020:2985-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2985
Issue date: 2020-07-16
CVE Names: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578
CVE-2020-14579 CVE-2020-14583 CVE-2020-14593
CVE-2020-14621
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise
Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) – i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) – i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) – x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) – noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) – i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) – i386, noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) – i386, noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access
(Libraries, 8238920) (CVE-2020-14583)

* OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
(CVE-2020-14593)

* OpenJDK: Incorrect handling of access control context in ForkJoinPool
(Libraries, 8237117) (CVE-2020-14556)

* OpenJDK: Unexpected exception raised by DerInputStream (Libraries,
8237731) (CVE-2020-14578)

* OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries,
8237736) (CVE-2020-14579)

* OpenJDK: XML validation manipulation due to incomplete application of the
use-grammar-pool-only feature (JAXP, 8242136) (CVE-2020-14621)

* OpenJDK: HostnameChecker does not ensure X.509 certificate names are in
normalized form (JSSE, 8237592) (CVE-2020-14577)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.
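The restart requirement above is the step most often skipped on a long-running JVM, and the package manager gives no warning. The script below is an added example, not part of the advisory and not a Red Hat tool: it lists processes whose executable mappings still point at files that have since been replaced, which the kernel reports as "(deleted)" in /proc/<pid>/maps once rpm has swapped the library on disk. The maps excerpts and JVM paths are constructed for the example; run it on a real host and it reads /proc directly.

```python
"""List processes still executing code from files an update has replaced.

Added example; not part of the Red Hat advisory or of any Red Hat tool.
When rpm replaces libjvm.so on disk, a running JVM keeps the old inode mapped
and the kernel shows that mapping as "(deleted)" in /proc/<pid>/maps. Such a
process keeps running the pre-update code until it is restarted.
"""
import os
from typing import Dict, List

# Constructed /proc/<pid>/maps excerpts, not captured from a real host.
# The JVM paths are assumptions chosen for illustration.
SAMPLE_MAPS: Dict[int, str] = {
    4242: (
        "00400000-00401000 r-xp 00000000 fd:00 1234 /usr/lib/jvm/jre/bin/java (deleted)\n"
        "7f3a00000000-7f3a01000000 r-xp 00000000 fd:00 5678 /usr/lib/jvm/jre/lib/amd64/server/libjvm.so (deleted)\n"
        "7f3a01000000-7f3a01100000 rw-p 01000000 fd:00 5678 /usr/lib/jvm/jre/lib/amd64/server/libjvm.so (deleted)\n"
        "7f3a02000000-7f3a02200000 r-xp 00000000 fd:00 9012 /usr/lib64/libc-2.12.so\n"
        "7f3a03000000-7f3a03001000 rw-p 00000000 00:00 0 [heap]\n"
    ),
    4243: (
        "00400000-00401000 r-xp 00000000 fd:00 2222 /usr/sbin/sshd\n"
        "7f3a02000000-7f3a02200000 r-xp 00000000 fd:00 9012 /usr/lib64/libc-2.12.so\n"
        "7f3a04000000-7f3a04010000 rwxp 00000000 00:05 6 /dev/zero (deleted)\n"
        "7f3a05000000-7f3a05010000 r-xp 00000000 00:05 7 /memfd:jit (deleted)\n"
    ),
}

_DELETED = " (deleted)"
_PSEUDO_PREFIXES = ("/dev/", "/memfd:", "/SYSV")


def stale_executable_files(maps_text: str) -> List[str]:
    """Executable, file-backed mappings whose backing file was replaced or removed.

    Only mappings with the 'x' permission are reported: a stale data mapping of
    a library is harmless, a stale text mapping means old code is still running.
    """
    stale: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)    # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                    # anonymous mapping, nothing to check
        perms, inode, path = fields[1], fields[4], fields[5]
        if "x" not in perms or inode == "0" or not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)]
        # /dev/zero, memfd and SysV shared-memory segments always show as
        # deleted; they are not files an update could have replaced.
        if not path.startswith("/") or path.startswith(_PSEUDO_PREFIXES):
            continue
        if path not in stale:
            stale.append(path)
    return stale


def stale_processes(maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """pid -> replaced executable files, for the processes that have any."""
    result: Dict[int, List[str]] = {}
    for pid, text in maps_by_pid.items():
        paths = stale_executable_files(text)
        if paths:
            result[pid] = paths
    return result


def live_maps() -> Dict[int, str]:
    """Read /proc/<pid>/maps for every process this user is allowed to inspect."""
    out: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/maps" % entry) as fh:
                out[int(entry)] = fh.read()
        except OSError:
            pass                        # process exited, or not ours (ptrace scope)
    return out


if __name__ == "__main__":
    for pid, paths in sorted(stale_processes(live_maps()).items()):
        print("%d still executes replaced files: %s" % (pid, ", ".join(paths)))
```

Run it as root to see every process; as an unprivileged user /proc/<pid>/maps is readable only for your own processes. A JVM that shows up here has applied the update on disk but not in memory, and that is exactly the state the advisory's restart note is about.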

5. Bugs fixed (https://bugzilla.redhat.com/):

1856448 – CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
1856784 – CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
1856885 – CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
1856896 – CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
1856988 – CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
1856991 – CVE-2020-14578 OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
1856995 – CVE-2020-14579 OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries, 8237736)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.262.b10-0.el6_10.noarch.rpm

x86_64:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.262.b10-0.el6_10.noarch.rpm

x86_64:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.262.b10-0.el6_10.noarch.rpm

x86_64:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.262.b10-0.el6_10.noarch.rpm

x86_64:
java-1.8.0-openjdk-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.262.b10-0.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14556
https://access.redhat.com/security/cve/CVE-2020-14577
https://access.redhat.com/security/cve/CVE-2020-14578
https://access.redhat.com/security/cve/CVE-2020-14579
https://access.redhat.com/security/cve/CVE-2020-14583
https://access.redhat.com/security/cve/CVE-2020-14593
https://access.redhat.com/security/cve/CVE-2020-14621
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.



Security flaws in the openexr package

Mon, 2020-07-20 08:08
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for openexr
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0970-1
Rating: moderate
References: #1173466 #1173467 #1173469
Cross-References: CVE-2020-15304 CVE-2020-15305 CVE-2020-15306

Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for openexr fixes the following issues:

– CVE-2020-15304: Fixed a NULL pointer dereference in
TiledInputFile:TiledInputFile() (bsc#1173466).
– CVE-2020-15305: Fixed a use-after-free in
DeepScanLineInputFile:DeepScanLineInputFile() (bsc#1173467).
– CVE-2020-15306: Fixed a heap buffer overflow in
getChunkOffsetTableSize() (bsc#1173469).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-970=1

Package List:

– openSUSE Leap 15.1 (i586 x86_64):

libIlmImf-2_2-23-2.2.1-lp151.4.12.1
libIlmImf-2_2-23-debuginfo-2.2.1-lp151.4.12.1
libIlmImfUtil-2_2-23-2.2.1-lp151.4.12.1
libIlmImfUtil-2_2-23-debuginfo-2.2.1-lp151.4.12.1
openexr-2.2.1-lp151.4.12.1
openexr-debuginfo-2.2.1-lp151.4.12.1
openexr-debugsource-2.2.1-lp151.4.12.1
openexr-devel-2.2.1-lp151.4.12.1
openexr-doc-2.2.1-lp151.4.12.1

– openSUSE Leap 15.1 (x86_64):

libIlmImf-2_2-23-32bit-2.2.1-lp151.4.12.1
libIlmImf-2_2-23-32bit-debuginfo-2.2.1-lp151.4.12.1
libIlmImfUtil-2_2-23-32bit-2.2.1-lp151.4.12.1
libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-lp151.4.12.1

References:

https://www.suse.com/security/cve/CVE-2020-15304.html
https://www.suse.com/security/cve/CVE-2020-15305.html
https://www.suse.com/security/cve/CVE-2020-15306.html
https://bugzilla.suse.com/1173466
https://bugzilla.suse.com/1173467
https://bugzilla.suse.com/1173469



Security flaws in the Safari package

Thu, 2020-07-16 15:46
  • OS details: WN7
  • Severity: IMP
  • Operating systems: M
  • Categories: APL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-07-15-5 Safari 13.1.2

Safari 13.1.2 is now available and addresses the following:

Safari Downloads
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A malicious attacker may be able to change the origin of a
frame for a download in Safari Reader mode
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9912: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Login AutoFill
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A malicious attacker may cause Safari to suggest a password
for the wrong domain
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9903: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Reader
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: An issue in Safari Reader mode may allow a remote attacker to
bypass the Same Origin Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9911: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-9894: 0011 working with Trend Micro Zero Day Initiative

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced
Description: An access issue existed in Content Security Policy.
This issue was addressed with improved access restrictions.
CVE-2020-9915: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved state
management.
CVE-2020-9925: an anonymous researcher

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2020-9893: 0011 working with Trend Micro Zero Day Initiative
CVE-2020-9895: Wen Xu of SSLab, Georgia Tech

WebKit
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: Multiple issues were addressed with improved logic.
CVE-2020-9910: Samuel Groß of Google Project Zero

WebKit Page Loading
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: A malicious attacker may be able to conceal the destination
of a URL
Description: A URL Unicode encoding issue was addressed with improved
state management.
CVE-2020-9916: Rakesh Mane (@RakeshMane10)

WebKit Web Inspector
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Copying a URL from Web Inspector may lead to command
injection
Description: A command injection issue existed in Web Inspector. This
issue was addressed with improved escaping.
CVE-2020-9862: Ophir Lojkine (@lovasoa)

Installation note:

Safari 13.1.2 may be obtained from the Mac App Store.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEM5FaaFRjww9EJgvRBz4uGe3y0M0FAl8PNx4ACgkQBz4uGe3y
0M2+ZQ/7ByKUtmzMw18WfXzQZlxvfEulMz/QgCiHe1VvmHh1OuMspM9Et3AIVnZP
wU1IfSeOKp9y62L8pPAU1mg/BnqXx2vNsoDrZq7dcPYIDTrfGsZQRrYy66E2VA9P
TQyIeY8ZWXG8jKJ4kBczu/hmy+q+0HVNlZcU4Q4PsjkE0p53DzSSuPgBbqN5fXlr
fbZthRYEa1jXfI/om7NLYAu9rLw/2ngXZjI1PR3m4iRbNBG4gqXXQ7Sl5xVz4oDv
Nb6PbR8LTQCdmLaq8gXfc4koEnCsFK1k1194nXgYg88hlbT/zqO55Fiofw9y70aK
NC0JJFznC3DT5wgZHE9j5/g1USrC34OTZNenipud4VWFm2gTamgGe7c0Bji3NLeG
buHa13M7Z2PpGmB/fszdipj8iLvm3uRZjVJtHDOxmuztriTFwpytk2TwlzayW+/v
l4knuEohMnHQljRsQgLC9jzs2/udAXWxW7lv7FNGlfnxHJVY+cC9vNl7PPeGNaed
4khxlLZUn2Bc5gog8GZv0ryuWLvmlo4XVkZSnrsOXHlP0oseSJntz9/GxcAgCRww
PoFu8DOc9f6orbNsQEF3ZbCyXVG/EwSKOmQPtP1ihv+yjamDGw8yNd61/qqDvwIT
db5tmKrslK49r8jkup7RuiKpgRgXI29dws+qwIV4808FNZQaYzU=
=hpCf
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (Security-announce@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/security-announce/advinp%40cert.hr

This email sent to advinp@cert.hr

The post Security vulnerabilities in the Safari software package appeared first on CERT.hr.

Security vulnerabilities in the java-1.8.0-openjdk software package

Thu, 2020-07-16 15:45
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.8.0-openjdk security update
Advisory ID: RHSA-2020:2968-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2968
Issue date: 2020-07-16
CVE Names: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578
CVE-2020-14579 CVE-2020-14583 CVE-2020-14593
CVE-2020-14621
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) – x86_64
Red Hat Enterprise Linux Client Optional (v. 7) – noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) – noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) – noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) – noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access
(Libraries, 8238920) (CVE-2020-14583)

* OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
(CVE-2020-14593)

* OpenJDK: Incorrect handling of access control context in ForkJoinPool
(Libraries, 8237117) (CVE-2020-14556)

* OpenJDK: Unexpected exception raised by DerInputStream (Libraries,
8237731) (CVE-2020-14578)

* OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries,
8237736) (CVE-2020-14579)

* OpenJDK: XML validation manipulation due to incomplete application of the
use-grammar-pool-only feature (JAXP, 8242136) (CVE-2020-14621)

* OpenJDK: HostnameChecker does not ensure X.509 certificate names are in
normalized form (JSSE, 8237592) (CVE-2020-14577)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.
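The restart requirement above is easy to miss in practice: the rpm upgrade replaces libjvm.so on disk, but a JVM that was already running keeps the old, unpatched copy mapped until it is restarted. The following is an added example, not part of the Red Hat advisory, of a check that lists such processes. It assumes the Linux /proc/<pid>/maps format, where a mapped file that has been replaced on disk is annotated "(deleted)"; the sample records below are constructed, and the "PREVIOUS" path component is a placeholder for whatever pre-update version was installed.

```shell
#!/bin/sh
# Added example (not from the advisory): find JVM processes that still map
# the pre-update libjvm.so after java-1.8.0-openjdk has been upgraded.
#
# On a live host the records would be produced with something like
#   for m in /proc/[0-9]*/maps; do p=${m#/proc/}; p=${p%/maps};
#       sed "s|^|$p |" "$m" 2>/dev/null; done | stale_jvm_pids
# Here a constructed sample replaces that so the check runs offline.

# stale_jvm_pids reads "<pid> <maps line>" records on stdin and prints, as a
# single space-separated line, the PIDs whose mapped libjvm.so is marked
# "(deleted)", i.e. the file was replaced on disk while the process kept
# running the old copy. Those processes must be restarted.
stale_jvm_pids() {
    awk '/libjvm\.so.*\(deleted\)/ { seen[$1] = 1 }
         END { for (p in seen) print p }' \
    | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample input. PIDs 1234 and 5678 still run the old library
# (path placeholder "PREVIOUS"); PID 4321 was restarted and maps the updated
# 1.8.0.262.b10-0.el7_8 file; PID 9999 is not a JVM at all.
sample_maps() {
    cat <<'EOF'
1234 7f1a2c000000-7f1a2ce00000 r-xp 00000000 fd:01 393 /usr/lib/jvm/java-1.8.0-openjdk-PREVIOUS.x86_64/jre/lib/amd64/server/libjvm.so (deleted)
4321 7f3b1d000000-7f3b1de00000 r-xp 00000000 fd:01 412 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.x86_64/jre/lib/amd64/server/libjvm.so
5678 7f4c2e000000-7f4c2ee00000 r-xp 00000000 fd:01 393 /usr/lib/jvm/java-1.8.0-openjdk-PREVIOUS.x86_64/jre/lib/amd64/server/libjvm.so (deleted)
9999 7f5d3f000000-7f5d3f100000 r-xp 00000000 fd:01 77 /usr/lib64/libc-2.17.so
EOF
}

# check_sample runs the detection over the constructed sample.
check_sample() {
    sample_maps | stale_jvm_pids
}

check_sample
```

Running the block prints "1234 5678": the two JVMs that still need a restart before the update is effective for them. The same "(deleted)" marker applies to any shared library replaced by a package update, so the pattern generalises beyond libjvm.so.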

5. Bugs fixed (https://bugzilla.redhat.com/):

1856448 – CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
1856784 – CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
1856885 – CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
1856896 – CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
1856988 – CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
1856991 – CVE-2020-14578 OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
1856995 – CVE-2020-14579 OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries, 8237736)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.262.b10-0.el7_8.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.262.b10-0.el7_8.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.src.rpm

ppc64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.ppc64.rpm

ppc64le:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.ppc64le.rpm

s390x:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.s390x.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.262.b10-0.el7_8.noarch.rpm

ppc64:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.ppc64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.ppc64.rpm

ppc64le:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.ppc64le.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.ppc64le.rpm

s390x:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.s390x.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.s390x.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.262.b10-0.el7_8.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14556
https://access.redhat.com/security/cve/CVE-2020-14577
https://access.redhat.com/security/cve/CVE-2020-14578
https://access.redhat.com/security/cve/CVE-2020-14579
https://access.redhat.com/security/cve/CVE-2020-14583
https://access.redhat.com/security/cve/CVE-2020-14593
https://access.redhat.com/security/cve/CVE-2020-14621
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXxAmX9zjgjWX9erEAQgZLw/8D/Rz44bGAPLO6PXAAEqnac0uEt+Q9Ry6
pCLVgg2QzHrfQnFenJpYhesCqMjdlLHCOnvA54+FSpzLWMHlx5mq0s6GBN0lX3vd
GfJGaexa0NdjGTXHA0VuU9E+W51aNHeBe5gkR8+q1w86ktW2PW2zQ3GG3mjsl+Zt
e8xtln8sKEUsmCk1lR6Ok3frfH09k37hLKlF31h9mQqrN8RRspaNHcTpCyl3iUAI
VE01sIak42REUXCg8zYOZgX5Dun17hB+G6TXtmHif5HQ7H5avhP+0fTU9FPt3ZCq
mMayFQgrPEQMYZOXlDXS6ejLhIClcZfqmWsAv3yAfDoFX+RkI6yxQhSC1CgjCrip
usbn+AaTnyMAIGvDwZrohom7PMFgwCabfE01RFjUu+Dm3oBAfejCUX4LKniflJFJ
Mbu/pKQI1+kuCoBoXO7/Yyahvj2RuU4SQ8YH3SWGW8tOBEsys2PZLJ5G6CXqhxKV
7P7Sg5Y58rmal/IbAYLc9+H3g1gD4DcygnO4XKteEp7UsvCljyXFRmn6rUCLl/P1
z4g/gPElcnE+2PJXa+jn8kMoXTJ1e621az1ss2QrQt5RFe4AFOkUqojPH05TTRYw
ftW+a6IvMsRj5A7ROvxEyrEAwdRNx+IK4ggi2sdBvJBXgTQOfXK8BxQIDuawmUrG
h6ekrrqssA4=
=ez87
-----END PGP SIGNATURE-----


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.8.0-openjdk security update
Advisory ID: RHSA-2020:2972-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2972
Issue date: 2020-07-16
CVE Names: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578
CVE-2020-14579 CVE-2020-14583 CVE-2020-14593
CVE-2020-14621
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) – aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access
(Libraries, 8238920) (CVE-2020-14583)

* OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
(CVE-2020-14593)

* OpenJDK: Incorrect handling of access control context in ForkJoinPool
(Libraries, 8237117) (CVE-2020-14556)

* OpenJDK: Unexpected exception raised by DerInputStream (Libraries,
8237731) (CVE-2020-14578)

* OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries,
8237736) (CVE-2020-14579)

* OpenJDK: XML validation manipulation due to incomplete application of the
use-grammar-pool-only feature (JAXP, 8242136) (CVE-2020-14621)

* OpenJDK: HostnameChecker does not ensure X.509 certificate names are in
normalized form (JSSE, 8237592) (CVE-2020-14577)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1856448 – CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
1856784 – CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
1856885 – CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
1856896 – CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
1856988 – CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
1856991 – CVE-2020-14578 OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
1856995 – CVE-2020-14579 OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries, 8237736)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.src.rpm

aarch64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-debugsource-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-demo-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-devel-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-headless-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.aarch64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el8_2.aarch64.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.262.b10-0.el8_2.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.262.b10-0.el8_2.noarch.rpm

ppc64le:
java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-debugsource-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-demo-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-devel-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-headless-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.ppc64le.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el8_2.ppc64le.rpm

s390x:
java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-debugsource-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-demo-debuginfo-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-devel-debuginfo-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-headless-debuginfo-1.8.0.262.b10-0.el8_2.s390x.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el8_2.s390x.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-debugsource-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-demo-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-devel-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-headless-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.262.b10-0.el8_2.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.262.b10-0.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14556
https://access.redhat.com/security/cve/CVE-2020-14577
https://access.redhat.com/security/cve/CVE-2020-14578
https://access.redhat.com/security/cve/CVE-2020-14579
https://access.redhat.com/security/cve/CVE-2020-14583
https://access.redhat.com/security/cve/CVE-2020-14593
https://access.redhat.com/security/cve/CVE-2020-14621
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[signature body not preserved in this copy; verify against the original advisory at https://access.redhat.com/errata/RHSA-2020:2972]
=XPv5
-----END PGP SIGNATURE-----



The post Security vulnerabilities in the java-1.8.0-openjdk software package appeared first on CERT.hr.

Security vulnerabilities in the java-11-openjdk software package

Thu, 2020-07-16 15:45
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-11-openjdk security and enhancement update
Advisory ID: RHSA-2020:2970-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2970
Issue date: 2020-07-16
CVE Names: CVE-2020-14556 CVE-2020-14562 CVE-2020-14573
CVE-2020-14577 CVE-2020-14583 CVE-2020-14593
CVE-2020-14621
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) – aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access
(Libraries, 8238920) (CVE-2020-14583)

* OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
(CVE-2020-14593)

* OpenJDK: Incorrect handling of access control context in ForkJoinPool
(Libraries, 8237117) (CVE-2020-14556)

* OpenJDK: Excessive memory usage in ImageIO TIFF plugin (ImageIO, 8233239)
(CVE-2020-14562)

* OpenJDK: Incomplete interface type checks in Graal compiler (Hotspot,
8236867) (CVE-2020-14573)

* OpenJDK: XML validation manipulation due to incomplete application of the
use-grammar-pool-only feature (JAXP, 8242136) (CVE-2020-14621)

* OpenJDK: HostnameChecker does not ensure X.509 certificate names are in
normalized form (JSSE, 8237592) (CVE-2020-14577)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Enhancement(s):

* Add -static-libs subpackage with statically linked OpenJDK libraries
(BZ#1848701)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1856448 – CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
1856784 – CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
1856810 – CVE-2020-14562 OpenJDK: Excessive memory usage in ImageIO TIFF plugin (ImageIO, 8233239)
1856885 – CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
1856896 – CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
1856951 – CVE-2020-14573 OpenJDK: Incomplete interface type checks in Graal compiler (Hotspot, 8236867)
1856988 – CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
java-11-openjdk-11.0.8.10-0.el8_2.src.rpm

aarch64:
java-11-openjdk-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-debugsource-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-demo-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-devel-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-headless-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-src-11.0.8.10-0.el8_2.aarch64.rpm
java-11-openjdk-static-libs-11.0.8.10-0.el8_2.aarch64.rpm

ppc64le:
java-11-openjdk-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-debugsource-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-demo-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-devel-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-headless-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-jmods-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-src-11.0.8.10-0.el8_2.ppc64le.rpm
java-11-openjdk-static-libs-11.0.8.10-0.el8_2.ppc64le.rpm

s390x:
java-11-openjdk-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-debugsource-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-demo-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-devel-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-headless-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-jmods-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-src-11.0.8.10-0.el8_2.s390x.rpm
java-11-openjdk-static-libs-11.0.8.10-0.el8_2.s390x.rpm

x86_64:
java-11-openjdk-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-debugsource-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-demo-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-devel-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-headless-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-src-11.0.8.10-0.el8_2.x86_64.rpm
java-11-openjdk-static-libs-11.0.8.10-0.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14556
https://access.redhat.com/security/cve/CVE-2020-14562
https://access.redhat.com/security/cve/CVE-2020-14573
https://access.redhat.com/security/cve/CVE-2020-14577
https://access.redhat.com/security/cve/CVE-2020-14583
https://access.redhat.com/security/cve/CVE-2020-14593
https://access.redhat.com/security/cve/CVE-2020-14621
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[signature body not preserved in this copy; verify against the original advisory at https://access.redhat.com/errata/RHSA-2020:2970]
=x3dF
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-11-openjdk security update
Advisory ID: RHSA-2020:2969-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2969
Issue date: 2020-07-16
CVE Names: CVE-2020-14556 CVE-2020-14562 CVE-2020-14573
CVE-2020-14577 CVE-2020-14583 CVE-2020-14593
CVE-2020-14621
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) – x86_64
Red Hat Enterprise Linux Client Optional (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) – x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) – x86_64
Red Hat Enterprise Linux Server (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) – ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) – x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) – x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access
(Libraries, 8238920) (CVE-2020-14583)

* OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
(CVE-2020-14593)

* OpenJDK: Incorrect handling of access control context in ForkJoinPool
(Libraries, 8237117) (CVE-2020-14556)

* OpenJDK: Excessive memory usage in ImageIO TIFF plugin (ImageIO, 8233239)
(CVE-2020-14562)

* OpenJDK: Incomplete interface type checks in Graal compiler (Hotspot,
8236867) (CVE-2020-14573)

* OpenJDK: XML validation manipulation due to incomplete application of the
use-grammar-pool-only feature (JAXP, 8242136) (CVE-2020-14621)

* OpenJDK: HostnameChecker does not ensure X.509 certificate names are in
normalized form (JSSE, 8237592) (CVE-2020-14577)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1856448 – CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
1856784 – CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
1856810 – CVE-2020-14562 OpenJDK: Excessive memory usage in ImageIO TIFF plugin (ImageIO, 8233239)
1856885 – CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
1856896 – CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
1856951 – CVE-2020-14573 OpenJDK: Incomplete interface type checks in Graal compiler (Hotspot, 8236867)
1856988 – CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
java-11-openjdk-11.0.8.10-0.el7_8.src.rpm

x86_64:
java-11-openjdk-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-11-openjdk-11.0.8.10-0.el7_8.src.rpm

x86_64:
java-11-openjdk-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-11-openjdk-11.0.8.10-0.el7_8.src.rpm

ppc64:
java-11-openjdk-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.ppc64.rpm

ppc64le:
java-11-openjdk-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.ppc64le.rpm

s390x:
java-11-openjdk-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.s390x.rpm

x86_64:
java-11-openjdk-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.ppc64.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.ppc64.rpm

ppc64le:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.ppc64le.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.ppc64le.rpm

s390x:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.s390x.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.s390x.rpm

x86_64:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-11-openjdk-11.0.8.10-0.el7_8.src.rpm

x86_64:
java-11-openjdk-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-devel-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-headless-11.0.8.10-0.el7_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-debuginfo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-demo-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-javadoc-zip-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-jmods-11.0.8.10-0.el7_8.x86_64.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.i686.rpm
java-11-openjdk-src-11.0.8.10-0.el7_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14556
https://access.redhat.com/security/cve/CVE-2020-14562
https://access.redhat.com/security/cve/CVE-2020-14573
https://access.redhat.com/security/cve/CVE-2020-14577
https://access.redhat.com/security/cve/CVE-2020-14583
https://access.redhat.com/security/cve/CVE-2020-14593
https://access.redhat.com/security/cve/CVE-2020-14621
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

The post "Security vulnerabilities in the java-11-openjdk software package" appeared first on CERT.hr.

Security vulnerability in the jbig2dec software package

Thu, 2020-07-16 15:44
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

=====================================================================
Red Hat Security Advisory

Synopsis: Important: jbig2dec security update
Advisory ID: RHSA-2020:2971-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2971
Issue date: 2020-07-16
CVE Names: CVE-2020-12268
=====================================================================

1. Summary:

An update for jbig2dec is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

jbig2dec is a decoder implementation of the JBIG2 image compression format.

Security Fix(es):

* jbig2dec: heap-based buffer overflow in jbig2_image_compose in
jbig2_image.c (CVE-2020-12268)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1848518 - CVE-2020-12268 jbig2dec: heap-based buffer overflow in jbig2_image_compose in jbig2_image.c

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
jbig2dec-0.14-4.el8_1.src.rpm

aarch64:
jbig2dec-debuginfo-0.14-4.el8_1.aarch64.rpm
jbig2dec-debugsource-0.14-4.el8_1.aarch64.rpm
jbig2dec-libs-0.14-4.el8_1.aarch64.rpm
jbig2dec-libs-debuginfo-0.14-4.el8_1.aarch64.rpm

ppc64le:
jbig2dec-debuginfo-0.14-4.el8_1.ppc64le.rpm
jbig2dec-debugsource-0.14-4.el8_1.ppc64le.rpm
jbig2dec-libs-0.14-4.el8_1.ppc64le.rpm
jbig2dec-libs-debuginfo-0.14-4.el8_1.ppc64le.rpm

s390x:
jbig2dec-debuginfo-0.14-4.el8_1.s390x.rpm
jbig2dec-debugsource-0.14-4.el8_1.s390x.rpm
jbig2dec-libs-0.14-4.el8_1.s390x.rpm
jbig2dec-libs-debuginfo-0.14-4.el8_1.s390x.rpm

x86_64:
jbig2dec-debuginfo-0.14-4.el8_1.i686.rpm
jbig2dec-debuginfo-0.14-4.el8_1.x86_64.rpm
jbig2dec-debugsource-0.14-4.el8_1.i686.rpm
jbig2dec-debugsource-0.14-4.el8_1.x86_64.rpm
jbig2dec-libs-0.14-4.el8_1.i686.rpm
jbig2dec-libs-0.14-4.el8_1.x86_64.rpm
jbig2dec-libs-debuginfo-0.14-4.el8_1.i686.rpm
jbig2dec-libs-debuginfo-0.14-4.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12268
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

The post "Security vulnerability in the jbig2dec software package" appeared first on CERT.hr.

Security vulnerabilities in the thunderbird software package

Thu, 2020-07-16 15:40
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

=====================================================================
Red Hat Security Advisory

Synopsis: Important: thunderbird security update
Advisory ID: RHSA-2020:2966-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2966
Issue date: 2020-07-16
CVE Names: CVE-2020-12418 CVE-2020-12419 CVE-2020-12420
CVE-2020-12421
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 68.10.0.

Security Fix(es):

* Mozilla: Information disclosure due to manipulated URL object
(CVE-2020-12418)

* Mozilla: Use-after-free in nsGlobalWindowInner (CVE-2020-12419)

* Mozilla: Use-After-Free when trying to connect to a STUN server
(CVE-2020-12420)

* Mozilla: Add-On updates did not respect the same certificate trust rules
as software updates (CVE-2020-12421)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1853015 - CVE-2020-12418 Mozilla: Information disclosure due to manipulated URL object
1853016 - CVE-2020-12419 Mozilla: Use-after-free in nsGlobalWindowInner
1853017 - CVE-2020-12420 Mozilla: Use-After-Free when trying to connect to a STUN server
1853018 - CVE-2020-12421 Mozilla: Add-On updates did not respect the same certificate trust rules as software updates

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
thunderbird-68.10.0-1.el6_10.src.rpm

i386:
thunderbird-68.10.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.i686.rpm

x86_64:
thunderbird-68.10.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
thunderbird-68.10.0-1.el6_10.src.rpm

i386:
thunderbird-68.10.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.i686.rpm

ppc64:
thunderbird-68.10.0-1.el6_10.ppc64.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.ppc64.rpm

s390x:
thunderbird-68.10.0-1.el6_10.s390x.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.s390x.rpm

x86_64:
thunderbird-68.10.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
thunderbird-68.10.0-1.el6_10.src.rpm

i386:
thunderbird-68.10.0-1.el6_10.i686.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.i686.rpm

x86_64:
thunderbird-68.10.0-1.el6_10.x86_64.rpm
thunderbird-debuginfo-68.10.0-1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-12418
https://access.redhat.com/security/cve/CVE-2020-12419
https://access.redhat.com/security/cve/CVE-2020-12420
https://access.redhat.com/security/cve/CVE-2020-12421
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

The post "Security vulnerabilities in the thunderbird software package" appeared first on CERT.hr.