https://bugzilla.redhat.com/show_bug.cgi?id=2122357
Bug ID: 2122357
Summary: CVE-2020-35532 LibRaw: Out-of-bounds read in
simple_decode_row() function
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
Target Milestone: ---
Classification: Other
In LibRaw, an out-of-bounds read vulnerability exists within the
"simple_decode_row()" function (libraw\src\x3f\x3f_utils_patched.cpp) which can
be triggered via an image with a large row_stride field.
Upstream issue:
https://github.com/LibRaw/LibRaw/issues/271
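The bug class described above, as an added example that is not LibRaw's code: a hypothetical row decoder that trusts a header-supplied row_stride, next to one that validates the header against the number of bytes actually loaded before touching any row. The struct, field names and helper functions are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical image header; the field names are assumptions, not LibRaw's. */
struct hdr {
    uint32_t rows;
    uint32_t columns;
    uint32_t row_stride;   /* bytes between the starts of consecutive rows, read from the file */
};

/* Vulnerable shape: row_stride comes straight from the file and is trusted.
 * A large row_stride makes row * row_stride point past the end of buf, so the
 * loop below reads memory the buffer does not own (an out-of-bounds read). */
uint32_t sum_row_unchecked(const uint8_t *buf, const struct hdr *h, uint32_t row)
{
    uint32_t sum = 0;
    for (uint32_t col = 0; col < h->columns; col++)
        sum += buf[(size_t)row * h->row_stride + col];
    return sum;
}

/* Hardened: before any row is decoded, check that every byte the decoder will
 * read, for every row, lies inside the len bytes actually loaded. The
 * arithmetic is done in 64 bits so a 32-bit stride times a 32-bit row count
 * cannot wrap around and pass the check by accident. */
bool header_fits(const struct hdr *h, size_t len)
{
    if (h->rows == 0 || h->columns == 0)
        return false;
    if (h->row_stride < h->columns)        /* a row must not overlap the next one */
        return false;
    /* one past the last byte read: (rows - 1) * row_stride + columns */
    uint64_t end = (uint64_t)(h->rows - 1) * h->row_stride + (uint64_t)h->columns;
    return end <= (uint64_t)len;
}

/* Returns -1 if the header does not fit the buffer, otherwise the row's sum. */
int64_t sum_row_checked(const uint8_t *buf, size_t len, const struct hdr *h, uint32_t row)
{
    if (row >= h->rows || !header_fits(h, len))
        return -1;
    return sum_row_unchecked(buf, h, row);
}

/* Constructed 4x4 sample image with stride 4: every row sums to 1+2+3+4 = 10. */
static const uint8_t sample_img[16] = {
    1, 2, 3, 4,  1, 2, 3, 4,  1, 2, 3, 4,  1, 2, 3, 4,
};

/* Consistent header: accepted, last row sums to 10. */
int64_t demo_valid(void)
{
    struct hdr h = { .rows = 4, .columns = 4, .row_stride = 4 };
    return sum_row_checked(sample_img, sizeof sample_img, &h, 3);
}

/* Same 16-byte buffer, but a header claiming a huge stride: rejected with -1
 * instead of reading far past the buffer as the unchecked version would. */
int64_t demo_large_stride(void)
{
    struct hdr h = { .rows = 4, .columns = 4, .row_stride = 0x40000000u };
    return sum_row_checked(sample_img, sizeof sample_img, &h, 3);
}
```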
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2122357
https://bugzilla.redhat.com/show_bug.cgi?id=2122356
Bug ID: 2122356
Summary: CVE-2020-35531 LibRaw: Out-of-bounds read in
get_huffman_diff() function
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
Target Milestone: ---
Classification: Other
In LibRaw, an out-of-bounds read vulnerability exists within the
get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading
data from an image file.
Upstream issue:
https://github.com/LibRaw/LibRaw/issues/270
https://bugzilla.redhat.com/show_bug.cgi?id=2122159
Bug ID: 2122159
Summary: xmlstarlet missing in EPEL8
Product: Fedora EPEL
Version: epel8
Hardware: All
OS: Linux
Status: NEW
Component: xmlstarlet
Severity: high
Assignee: stickster(a)gmail.com
Reporter: vashastr(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
Depends On: 1757000
Target Milestone: ---
Classification: Fedora
+++ This bug was initially created as a clone of Bug #1757000 +++
Description of problem:
xmlstarlet is missing in EPEL8
As there is no alternative to this tool (validate or query XML files from the
command line), it's important to have it in EPEL-8.
--- Additional comment from Alfredo Deza on 2019-10-18 19:26:22 UTC ---
The Ceph project depends on this missing package for builds, we've had to
install it directly from the commandline (!) as a workaround. Any progress on
this would be greatly appreciated.
--- Additional comment from Fedora Update System on 2019-11-09 20:02:11 UTC ---
FEDORA-EPEL-2019-3b10f1dd23 has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3b10f1dd23
--- Additional comment from Paul W. Frields on 2019-11-09 20:02:59 UTC ---
@Brad, @Alfredo -- if you'd like to see this available sooner, please encourage
people to test the update from the link above.
--- Additional comment from Brad Hubbard on 2019-11-10 00:06:58 UTC ---
(In reply to Paul W. Frields from comment #3)
> @Brad, @Alfredo -- if you'd like to see this available sooner, please
> encourage people to test the update from the link above.
ACK. Thanks Paul.
--- Additional comment from Fedora Update System on 2019-11-11 03:15:37 UTC ---
xmlstarlet-1.6.1-11.el8 has been pushed to the Fedora EPEL 8 testing
repository. If problems still persist, please make note of it in this bug
report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3b10f1dd23
--- Additional comment from Gena on 2019-11-15 14:43:41 UTC ---
Could you please provide this package in a UBI8 repo? We now use the keycloak
image based on ubi8 and need to adapt the XML configuration at image build.
Thank you and kind regards, Gena
--- Additional comment from Paul W. Frields on 2019-11-15 17:44:58 UTC ---
@Gena: Is there a reason a package in the EPEL 8 repository won't work for this
purpose?
--- Additional comment from Gena on 2019-11-19 08:01:54 UTC ---
(In reply to Paul W. Frields from comment #7)
> @Gena: Is there a reason a package in the EPEL 8 repository won't work for
> this purpose?
Maybe, but I only have 2 repositories available:
sh-4.4# dnf repolist
repo id            repo name
ubi-8-appstream    Red Hat Universal Base Image 8 (RPMs) - AppStream
ubi-8-baseos       Red Hat Universal Base Image 8 (RPMs) - BaseOS
EPEL is not listed there.
--- Additional comment from Fedora Update System on 2019-11-27 01:03:39 UTC ---
xmlstarlet-1.6.1-11.el8 has been pushed to the Fedora EPEL 8 stable repository.
If problems still persist, please make note of it in this bug report.
--- Additional comment from Paul W. Frields on 2019-12-03 01:41:32 UTC ---
Please refer to the UBI FAQ for info:
https://developers.redhat.com/articles/ubi-faq/#community
--- Additional comment from Gena on 2019-12-05 09:10:00 UTC ---
(In reply to Paul W. Frields from comment #10)
> Please refer to the UBI FAQ for info:
> https://developers.redhat.com/articles/ubi-faq/#community
Thank you for the hint, but it says nothing about how to use the UBI8 image
outside the playground: I prefer to install my packages from approved repos.
The simple enablement of EPEL via microdnf is not described. The only library
to work with XML from the console is xmlstarlet, so, in my opinion, it
should be put into the default repo just like it's done by alpine, debian,
ubuntu...
--- Additional comment from Paul W. Frields on 2019-12-06 16:28:23 UTC ---
To enable EPEL on UBI Standard or Multi-service, simply use the instructions at
https://fedoraproject.org/wiki/EPEL and you can `yum install xmlstarlet`.
To enable with microdnf, you must create a suitable .repo file in your UBI
environment. At a minimum:
[epel]
name=EPEL 8
baseurl=https://download.fedoraproject.org/pub/epel/8/Everything/x86_64
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
And grab the GPG key from the epel-release source repo:
$ curl -o /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 \
    https://src.fedoraproject.org/rpms/epel-release/raw/epel8/f/RPM-GPG-KEY-EPE…
You can then `microdnf install xmlstarlet`.
--- Additional comment from Shailesh on 2022-08-29 08:12:22 UTC ---
We are facing an issue again with rockylinux:8.6 container image.
Steps followed are as below -
1. Create a container from rockylinux:8.6
[root@ssc-vm-rhev4-0707 ~]# docker run --rm -it rockylinux:8.6
2. Enable powertools and install epel-release package
[root@acb8441a9bb1 /]# dnf install dnf-plugin-config-manager -y ; dnf config-manager --set-enabled powertools
Rocky Linux 8 - AppStream                                 9.2 MB/s | 9.6 MB     00:01
Rocky Linux 8 - BaseOS                                    4.1 MB/s | 6.7 MB     00:01
Rocky Linux 8 - Extras                                     28 kB/s |  11 kB     00:00
Dependencies resolved.
====================================================================================
 Package                     Architecture   Version          Repository     Size
====================================================================================
Installing:
 dnf-plugins-core            noarch         4.0.21-11.el8    baseos         70 k
Installing dependencies:
 dbus-glib                   x86_64         0.110-2.el8      baseos        126 k
 python3-dateutil            noarch         1:2.6.1-6.el8    baseos        250 k
 python3-dbus                x86_64         1.2.4-15.el8     baseos        133 k
 python3-dnf-plugins-core    noarch         4.0.21-11.el8    baseos        239 k
 python3-six                 noarch         1.11.0-8.el8     baseos         37 k

Transaction Summary
====================================================================================
Install  6 Packages

Total download size: 854 k
Installed size: 2.3 M
Downloading Packages:
(1/6): dnf-plugins-core-4.0.21-11.el8.noarch.rpm          268 kB/s |  70 kB     00:00
(2/6): dbus-glib-0.110-2.el8.x86_64.rpm                   430 kB/s | 126 kB     00:00
(3/6): python3-dbus-1.2.4-15.el8.x86_64.rpm               1.2 MB/s | 133 kB     00:00
(4/6): python3-dateutil-2.6.1-6.el8.noarch.rpm            656 kB/s | 250 kB     00:00
(5/6): python3-dnf-plugins-core-4.0.21-11.el8.noarch.rpm  2.0 MB/s | 239 kB     00:00
(6/6): python3-six-1.11.0-8.el8.noarch.rpm                690 kB/s |  37 kB     00:00
------------------------------------------------------------------------------------
Total                                                     1.5 MB/s | 854 kB     00:00
Rocky Linux 8 - BaseOS                                    1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x6D745A60:
 Userid     : "Release Engineering <infrastructure(a)rockylinux.org>"
 Fingerprint: 7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                            1/1
  Installing       : python3-six-1.11.0-8.el8.noarch                            1/6
  Installing       : python3-dateutil-1:2.6.1-6.el8.noarch                      2/6
  Installing       : dbus-glib-0.110-2.el8.x86_64                               3/6
  Running scriptlet: dbus-glib-0.110-2.el8.x86_64                               3/6
  Installing       : python3-dbus-1.2.4-15.el8.x86_64                           4/6
  Installing       : python3-dnf-plugins-core-4.0.21-11.el8.noarch              5/6
  Installing       : dnf-plugins-core-4.0.21-11.el8.noarch                      6/6
  Running scriptlet: dnf-plugins-core-4.0.21-11.el8.noarch                      6/6
  Verifying        : dbus-glib-0.110-2.el8.x86_64                               1/6
  Verifying        : dnf-plugins-core-4.0.21-11.el8.noarch                      2/6
  Verifying        : python3-dateutil-1:2.6.1-6.el8.noarch                      3/6
  Verifying        : python3-dbus-1.2.4-15.el8.x86_64                           4/6
  Verifying        : python3-dnf-plugins-core-4.0.21-11.el8.noarch              5/6
  Verifying        : python3-six-1.11.0-8.el8.noarch                            6/6

Installed:
  dbus-glib-0.110-2.el8.x86_64                    dnf-plugins-core-4.0.21-11.el8.noarch
  python3-dateutil-1:2.6.1-6.el8.noarch           python3-dbus-1.2.4-15.el8.x86_64
  python3-dnf-plugins-core-4.0.21-11.el8.noarch   python3-six-1.11.0-8.el8.noarch

Complete!
[root@acb8441a9bb1 /]# yum install epel-release -y
Rocky Linux 8 - PowerTools                                1.5 MB/s | 2.4 MB     00:01
Last metadata expiration check: 0:00:02 ago on Mon Aug 29 07:59:48 2022.
Dependencies resolved.
====================================================================================
 Package              Architecture   Version        Repository      Size
====================================================================================
Installing:
 epel-release         noarch         8-17.el8       extras          24 k

Transaction Summary
====================================================================================
Install  1 Package

Total download size: 24 k
Installed size: 34 k
Downloading Packages:
epel-release-8-17.el8.noarch.rpm                          216 kB/s |  24 kB     00:00
------------------------------------------------------------------------------------
Total                                                     119 kB/s |  24 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                            1/1
  Installing       : epel-release-8-17.el8.noarch                               1/1
  Running scriptlet: epel-release-8-17.el8.noarch                               1/1
Many EPEL packages require the CodeReady Builder (CRB) repository.
It is recommended that you run /usr/bin/crb enable to enable the CRB repository.

  Verifying        : epel-release-8-17.el8.noarch                               1/1

Installed:
  epel-release-8-17.el8.noarch

Complete!
[root@acb8441a9bb1 /]#
3. Test installation of xmlstarlet
[root@acb8441a9bb1 /]# yum list xmlstarlet
Extra Packages for Enterprise Linux 8 - x86_64            2.4 MB/s |  13 MB     00:05
Extra Packages for Enterprise Linux Modular 8 - x86_64    340 kB/s | 734 kB     00:02
Last metadata expiration check: 0:00:01 ago on Mon Aug 29 08:01:40 2022.
Error: No matching Packages to list
[root@acb8441a9bb1 /]#
--- Additional comment from Guenther on 2022-08-29 11:00:42 UTC ---
I'm facing the same issue.
It seems that xmlstarlet is no longer available in EPEL... I can't find it here:
https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/x/
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1757000
[Bug 1757000] xmlstarlet missing in EPEL8
https://bugzilla.redhat.com/show_bug.cgi?id=2104905
Bug ID: 2104905
Summary: CVE-2022-2097 openssl: AES OCB fails to encrypt some
bytes
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mcascell(a)redhat.com
Blocks: 2104175
Target Milestone: ---
Classification: Other
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was preexisting in
the memory that wasn't written. In the special case of "in place" encryption,
sixteen bytes of the plaintext would be revealed.
OpenSSL security advisory:
https://www.openssl.org/news/secadv/20220705.txt
Upstream fix:
https://github.com/openssl/openssl/commit/6ebf6d51596f51d23ccbc17930778d104…
[master]
https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbe…
[1_1_1-stable]
https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a4232…
[openssl-3.0]
https://bugzilla.redhat.com/show_bug.cgi?id=2081494
Bug ID: 2081494
Summary: CVE-2022-1292 openssl: c_rehash script allows command
injection
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: pdelbell(a)redhat.com
Target Milestone: ---
Classification: Other
The c_rehash script does not properly sanitise shell metacharacters to
prevent command injection. This script is distributed by some operating
systems in a manner where it is automatically executed. On such operating
systems, an attacker could execute arbitrary commands with the privileges
of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.
OpenSSL 1.0.2 users should upgrade to 1.0.2ze
OpenSSL 1.1.1 users should upgrade to 1.1.1o
OpenSSL 3.0 users should upgrade to 3.0.3
https://bugzilla.redhat.com/show_bug.cgi?id=2122935
Bug ID: 2122935
Summary: Please branch and build python-pillow for EPEL 8
Product: Fedora EPEL
Version: epel8
Status: NEW
Component: python-pillow
Assignee: manisandro(a)gmail.com
Reporter: gigeti2945(a)yubua.com
Target Milestone: ---
Classification: Fedora
Please can you branch and build python-pillow for EPEL 8? Thanks.