January 2023 - Announce - AlmaLinux List Archives

[Security Advisory] ALSA-2023:0446: go-toolset:rhel8 security and bug fix update (Moderate)
by AlmaLinux Errata Notifications 27 Jan '23

27 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 8 Type: Security Severity: Moderate Release date: 2023-01-27 Summary: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es): * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Internal linking fails on ppc64le (BZ#2144545) * crypto testcases fail on golang on s390x [rhel-8] (BZ#2149313) Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2023-0446.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0304: libreoffice security update (Moderate)
by AlmaLinux Errata Notifications 27 Jan '23

27 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. Security Fix(es): * libreoffice: Macro URL arbitrary script execution (CVE-2022-3140) * libreoffice: Execution of Untrusted Macros Due to Improper Certificate Validation (CVE-2022-26305) * libreoffice: Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password (CVE-2022-26306) * libreoffice: Weak Master Keys (CVE-2022-26307) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0304.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0463: thunderbird security update (Important)
by AlmaLinux Errata Notifications 27 Jan '23

27 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 8 Type: Security Severity: Important Release date: 2023-01-27 Summary: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Security Fix(es): * Mozilla: libusrsctp library out of date (CVE-2022-46871) * Mozilla: Arbitrary file read from GTK drag and drop on Linux (CVE-2023-23598) * Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 (CVE-2023-23605) * Mozilla: Malicious command could be hidden in devtools output (CVE-2023-23599) * Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation (CVE-2023-23601) * Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers (CVE-2023-23602) * Mozilla: Fullscreen notification bypass (CVE-2022-46877) * Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive (CVE-2023-23603) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/8/ALSA-2023-0463.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0335: dbus security update (Moderate)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix(es): * dbus: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets (CVE-2022-42010) * dbus: dbus-daemon can be crashed by messages with array length inconsistent with element type (CVE-2022-42011) * dbus: `_dbus_marshal_byteswap` doesn't process fds in messages with "foreign" endianness correctly (CVE-2022-42012) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0335.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0304: libreoffice security update (Moderate)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. Security Fix(es): * libreoffice: Macro URL arbitrary script execution (CVE-2022-3140) * libreoffice: Execution of Untrusted Macros Due to Improper Certificate Validation (CVE-2022-26305) * libreoffice: Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password (CVE-2022-26306) * libreoffice: Weak Master Keys (CVE-2022-26307) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0304.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0321: nodejs and nodejs-nodemon security, bug fix, and enhancement update (Moderate)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.18.1), nodejs-nodemon (2.0.20). Security Fix(es): * minimist: prototype pollution (CVE-2021-44906) * nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517) * nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256) * nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs: Packaged version of undici does not fit with declared version. [rhel-9] (BZ#2151627) Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0321.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0328: go-toolset and golang security and bug fix update (Moderate)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix(es): * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Internal linking fails on ppc64le (BZ#2144547) * crypto testcases fail on golang on s390x [rhel-9] (BZ#2149311) Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0328.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0334: kernel security and bug fix update (Important)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Important Release date: 2023-01-24 Summary: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: watch queue race condition can lead to privilege escalation (CVE-2022-2959) * kernel: memory corruption in AX88179_178A based USB ethernet device. (CVE-2022-2964) * kernel: i915: Incorrect GPU TLB flush can lead to random memory access (CVE-2022-4139) * kernel: nfsd buffer overflow by RPC message over TCP with garbage data (CVE-2022-43945) * kernel: i2c: unbounded length leads to buffer overflow in ismt_access() (CVE-2022-3077) * kernel: Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option (CVE-2022-30594) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Intel 9.2: Important iavf bug fixes (BZ#2127884) * vfio zero page mappings fail after 2M instances (BZ#2128514) * nvme-tcp automatic reconnect fails intermittently during EMC powerstore NDU operation (BZ#2131359) * ice: Driver Update to 5.19 (BZ#2132070) * WARNING: CPU: 116 PID: 3440 at arch/x86/mm/extable.c:105 ex_handler_fprestore+0x3f/0x50 (BZ#2134588) * drm: duplicated call of drm_privacy_screen_register_notifier() in drm_connector_register() (BZ#2134619) * updating the appid field through sysfs is returning an -EINVAL error (BZ#2136914) * DELL EMC: System is not booting into RT Kernel with perc12. (BZ#2139213) * No signal showed in the VGA monitor when installing AlmaLinux9 in the legacy bios mode (BZ#2140153) * Practically limit "Dummy wait" workaround to old Intel systems (BZ#2142168) * ppc64le: unexpected oom panic when there's enough memory left in zswap test (BZ#2143976) * fatal error: error in backend: Branch target out of insn range (BZ#2144902) * AMdCLIENT: The kernel command line parameter "nomodeset" not working properly (BZ#2145217) * Azure: PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (BZ#2150910) * Azure z-stream: Sometimes newly deployed VMs are not getting accelerated network during provisioning (BZ#2151605) * DELL 9.0 RT - On PE R760 system, call traces are observed dmesg when system is running stress (BZ#2154407) Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0334.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0336: systemd security update (Moderate)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Moderate Release date: 2023-01-24 Summary: The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd: buffer overrun in format_timespan() function (CVE-2022-3821) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0336.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0

[Security Advisory] ALSA-2023:0383: libXpm security update (Important)
by AlmaLinux Errata Notifications 25 Jan '23

25 Jan '23

Hi, You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux. AlmaLinux: 9 Type: Security Severity: Important Release date: 2023-01-24 Summary: X.Org X11 libXpm runtime library. Security Fix(es): * libXpm: compression commands depend on $PATH (CVE-2022-4883) * libXpm: Runaway loop on width of 0 and enormous height (CVE-2022-44617) * libXpm: Infinite loop on unclosed comments (CVE-2022-46285) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Full details, updated packages, references, and other related information: https://errata.almalinux.org/9/ALSA-2023-0383.html This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/. Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org. Kind regards, AlmaLinux Team

1 0