September 2022 - Announce - AlmaLinux List Archives

[Security Advisory] ALSA-2022:5468: php:8.0 security update (Important)
by AlmaLinux Errata Notifications 16 Sep '22

16 Sep '22

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 8 Type: Security Severity: Important Release date: 2022-09-15 Summary: PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): * php: password of excessive length triggers buffer overflow leading to RCE (CVE-2022-31626) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-5468.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2022:6206: systemd security update (Important)
by AlmaLinux Errata Notifications 07 Sep '22

07 Sep '22

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 8 Type: Security Severity: Important Release date: 2022-09-02 Summary: The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c (CVE-2022-2526) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2022-6206.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2022:6224: openssl security and bug fix
by AlmaLinux Errata Notifications 02 Sep '22

02 Sep '22

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2022-09-02 Summary: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: c_rehash script allows command injection (CVE-2022-1292) * openssl: Signer certificate verification returns inaccurate response when using OCSP_NOCHECKS (CVE-2022-1343) * openssl: OPENSSL_LH_flush() breaks reuse of memory (CVE-2022-1473) * openssl: the c_rehash script allows command injection (CVE-2022-2068) * openssl: AES OCB fails to encrypt some bytes (CVE-2022-2097) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * openssl occasionally sends internal error to gnutls when using FFDHE (BZ#2080323) * openssl req defaults to 3DES (BZ#2085499) * OpenSSL accepts custom elliptic curve parameters when p is large [rhel-9] (BZ#2085508) * OpenSSL mustn't work with ECDSA with explicit curve parameters in FIPS mode (BZ#2085521) * openssl s_server -groups secp256k1 in FIPS fails because X25519/X448 (BZ#2086554) * Converting FIPS power-on self test to KAT (BZ#2086866) * Small RSA keys work for some operations in FIPS mode (BZ#2091938) * FIPS provider doesn't block RSA encryption for key transport (BZ#2091977) * OpenSSL testsuite certificates expired (BZ#2095696) * [IBM 9.1 HW OPT] POWER10 performance enhancements for cryptography: OpenSSL (BZ#2103044) * [FIPS lab review] self-test (BZ#2112978) * [FIPS lab review] DH tuning (BZ#2115856) * [FIPS lab review] EC tuning (BZ#2115857) * [FIPS lab review] RSA tuning (BZ#2115858) * [FIPS lab review] RAND tuning (BZ#2115859) * [FIPS lab review] zeroization (BZ#2115861) * [FIPS lab review] HKDF limitations (BZ#2118388) Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2022-6224.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0