Hello,
Once last week and again earlier today we've had instances of erroneous
notices being sent out to the AlmaLinux Announcement mailing list
subscribers citing removal from the list due to too many bounces.
The underlying issue was indeed bounces - but not on the end of
subscribers. We are partnered with an email delivery service which we
relay all messages through and they have automatic rate limits in place
which scale based on historical sending statistics. This doesn't play too
nicely with the very bursty nature of a mailing list when a lot of posts
hit the list at once, as was the case this morning when 11 Security
Advisories hit the list together. Multiply 11 by the number of subscribers
to the announcement mailing list and we had many thousands of messages
hitting our partner's relay at the same time. Their system automatically
flagged this as suspicious and enacted a rate limit. That rate limit shows
up to the mailing list software as a bounce, thus resulting in the emails
everyone received.
Since many people did not get the proper announcements due to the issues,
the details of the security advisories, including the 11 from this morning,
are always available at https://errata.almalinux.org in addition to the mailing
list archives
<https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/>.
We have since fixed everyone's subscriptions and tweaked our MTA's
(Postfix) configuration to help limit the volume of email leaving the list
server at any given time while working with our partner to make sure the
relaying can happen quickly and efficiently without getting blocked or
falsely triggering rate limits on their end.
We understand the importance of timely Security Advisory notices as well as
keeping this list as low-volume and worry-free as possible for subscribers
and apologize for any confusion or inconvenience this has caused.
--
Jonathan Wright
AlmaLinux Foundation
Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>
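The message above says the list server's Postfix configuration was tuned to limit outbound volume, but not which settings changed. The main.cf fragment below is an added example of the parameters that do this, not the AlmaLinux team's actual configuration; the relay host name and the numeric values are assumptions chosen for illustration.

```ini
# Added example (not the AlmaLinux list server's real main.cf): Postfix
# settings that cap how fast a list server hands mail to an upstream relay.
# The relay host name below is a placeholder.
relayhost = [smtp-relay.example.net]:587

# Open few parallel SMTP sessions to the relay at first and never more
# than 5 (Postfix defaults: 5 and 20). All mail leaves through this one
# nexthop, so this acts as a global ceiling on concurrent deliveries.
initial_destination_concurrency = 2
smtp_destination_concurrency_limit = 5

# Recipients per SMTP transaction (default 50). Smaller batches mean a
# single throttled transaction at the relay affects fewer recipients.
smtp_destination_recipient_limit = 20

# Optional hard pacing: a non-zero value limits deliveries to the same
# nexthop to at most one per interval, regardless of the concurrency
# limit above. 0s (the default) leaves pacing to the concurrency limit.
smtp_destination_rate_delay = 0s

# Retry schedule for deferred mail (defaults 300s / 4000s): retry sooner
# after a temporary refusal so a burst drains within minutes, not hours.
minimal_backoff_time = 60s
maximal_backoff_time = 600s
```

Apply with `postconf -e` or by editing main.cf, then `postfix reload`. One point worth confirming with the relay provider: Postfix defers and retries mail the relay refuses with a temporary (4xx) reply, but bounces mail refused with a permanent (5xx) reply, so whether a relay-side rate limit surfaces as a bounce to the list software depends on which reply code the relay returns.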
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-24
Summary:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
* nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
* nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
* got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* nodejs:14/nodejs: rebase to latest upstream release (BZ#2106367)
* nodejs:14/nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2111417)
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6448.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-24
Summary:
Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems.
Security Fix(es):
* QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow (CVE-2021-4206)
* QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow (CVE-2021-4207)
* QEMU: virtio-net: map leaking on error during receive (CVE-2022-26353)
* QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak (CVE-2022-26354)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* AlmaLinux 9.0 guest with vsock device migration failed from AlmaLinux 9.0 > AlmaLinux 8.6 (BZ#2071103)
* Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) (BZ#2072242)
* Remove upstream-only devices from the qemu-kvm binary (BZ#2077928)
* When doing a cpu-baseline between skylake and cascadelake, cascadelake is selected as baseline. (BZ#2084030)
* Virt-v2v can't convert rhel8.6 guest from VMware on rhel8.6 (BZ#2093415)
Enhancement(s):
* Allow memory prealloc from multiple threads (BZ#2075569)
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-5821.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-24
Summary:
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Security Fix(es):
* cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-7469.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-24
Summary:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
The following packages have been upgraded to a later upstream version: php (7.4.30), php-pear (1.10.13). (BZ#2055422)
Security Fix(es):
* php: Special character breaks path in xml parsing (CVE-2021-21707)
* php: Use after free due to php_filter_float() failing for ints (CVE-2021-21708)
* php-pear: Directory traversal vulnerability (CVE-2021-32610)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-7628.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-24
Summary:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
The following packages have been upgraded to a later upstream version: php (8.0.20). (BZ#2100876)
Security Fix(es):
* php: Use after free due to php_filter_float() failing for ints (CVE-2021-21708)
* php: Uninitialized array in pg_query_params() leading to RCE (CVE-2022-31625)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-7624.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2022-11-23
Summary:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix(es):
* php: password of excessive length triggers buffer overflow leading to RCE (CVE-2022-31626)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-5468.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-23
Summary:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix(es):
* php: uninitialized array in pg_query_params() leading to RCE (CVE-2022-31625)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6158.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Moderate
Release date: 2022-11-23
Summary:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix(es):
* Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked (CVE-2020-28948)
* Archive_Tar: improper filename sanitization leads to file overwrites (CVE-2020-28949)
* Archive_Tar: directory traversal due to inadequate checking of symbolic links (CVE-2020-36193)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6542.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
Hi,
You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.
AlmaLinux: 8
Type: Security
Severity: Important
Release date: 2022-11-23
Summary:
The Public Key Infrastructure (PKI) Core contains fundamental packages required by AlmaLinux Certificate System.
Security Fix(es):
* pki-core: access to external entities when parsing XML can lead to XXE (CVE-2022-2414)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-7470.html
This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.
Kind regards,
AlmaLinux Team
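The nine advisory notices above each link one ALSA identifier and list the CVEs it fixes, and the first message notes that some subscribers never received them. The script below is an added example, not AlmaLinux tooling: it pulls the ALSA and CVE identifiers out of saved copies of such mails and builds the dnf commands that show which of those advisories still apply to a host and install only those packages. The sample text embedded in it is a constructed excerpt of two of the notices above; it assumes a grep that supports -o and an AlmaLinux 8 host with dnf.

```shell
#!/bin/sh
# Added example, not part of the AlmaLinux announcements or their tooling.
# Reads announce-list mails as text, extracts the advisory and CVE IDs, and
# prints the dnf commands that check for and apply exactly those errata.
# Assumes grep -o (GNU/BSD) and a dnf-based host (AlmaLinux 8).

# Constructed sample: lines from two of the advisory mails, one of them
# repeated, to show de-duplication.
SAMPLE_MAILS='Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6448.html
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-5821.html
* QEMU: virtio-net: map leaking on error during receive (CVE-2022-26353)
Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6448.html'

# Unique ALSA IDs, taken only from errata.almalinux.org links so that an ID
# mentioned in passing elsewhere in a mail body is not picked up.
advisory_ids() {            # reads mail text on stdin
    sed -n 's|.*https://errata\.almalinux\.org/[0-9][0-9]*/\(ALSA-[0-9]\{4\}-[0-9][0-9]*\)\.html.*|\1|p' | sort -u
}

# Unique CVE IDs from the "Security Fix(es)" bullets.
cve_ids() {                 # reads mail text on stdin
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Join stdin lines with commas: dnf's --advisory and --cve take comma lists.
join_csv() {
    paste -sd, -
}

# Commands to run on the host. They are only printed; pipe them into sh
# (or run them by hand) once the list looks right.
dnf_commands() {            # reads mail text on stdin
    text=$(cat)
    ids=$(printf '%s\n' "$text" | advisory_ids | join_csv)
    cves=$(printf '%s\n' "$text" | cve_ids | join_csv)
    [ -n "$ids" ] || return 1
    # Which of these advisories still have uninstalled packages here ...
    printf 'dnf updateinfo list --advisory=%s\n' "$ids"
    # ... and the same view keyed by CVE, handy when reconciling a scanner.
    [ -z "$cves" ] || printf 'dnf updateinfo list --cve=%s\n' "$cves"
    # Install only the packages that belong to those advisories.
    printf 'dnf update --advisory=%s\n' "$ids"
}

printf '%s\n' "$SAMPLE_MAILS" | dnf_commands
```

With real mail, feed the saved messages in on stdin (`cat ~/Mail/announce/* | dnf_commands`); the `dnf updateinfo list` output is empty for advisories already applied, so it doubles as a quick check that the host is current for that batch.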