
oval:org.secpod.oval:def:503398
The GNU Debugger allows users to debug programs written in various programming languages including C, C++, and Fortran. Security Fix: * libiberty: Memory leak in demangle_template function resulting in a denial of service For more details about the security issue, including the impact, a CVSS scor ...

oval:org.secpod.oval:def:503487
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 3.0.102 and .NET Core Run ...

oval:org.secpod.oval:def:503402
The libqb packages provide a library with the primary purpose of providing high performance client/server reusable features, such as high performance logging, tracing, inter-process communication, and polling. Security Fix: * libqb: Insecure treatment of IPC files For more details about the securi ...

oval:org.secpod.oval:def:55740
Avahi publishing of IP addresses should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55741
The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing ca ...

oval:org.secpod.oval:def:55737
Avahi should be configured to accept or reject packets whose TTL field is not equal to 255, as appropriate.

oval:org.secpod.oval:def:55738
Avahi should be configured to allow or disallow other stacks binding to port 5353, as appropriate.

oval:org.secpod.oval:def:55736
The Avahi daemon should be configured to serve via IPv6 or not, as appropriate.

oval:org.secpod.oval:def:55744
The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55745
DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate.

oval:org.secpod.oval:def:55742
By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers ...

oval:org.secpod.oval:def:55746
BOOTP queries should be accepted or denied by the DHCP server as appropriate.

oval:org.secpod.oval:def:55762
Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55761
Root squashing should be enabled or disabled as appropriate for all NFS shares.

oval:org.secpod.oval:def:55756
The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate.

oval:org.secpod.oval:def:55753
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:55759
The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate.

oval:org.secpod.oval:def:55757
The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate.

oval:org.secpod.oval:def:55758
The statd service should be configured to use a static port (/etc/sysconfig/nfs) as appropriate.

oval:org.secpod.oval:def:55773
The apache2 server's ServerSignature value should be set appropriately.

oval:org.secpod.oval:def:55774
Disable HTTP Digest Authentication (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55772
The apache2 server's ServerTokens value should be set appropriately.

oval:org.secpod.oval:def:55714
Audit rules should be configured to log successful and unsuccessful logon and logout events.

oval:org.secpod.oval:def:55717
Audit rules that record information on the use of privileged commands should be enabled.

oval:org.secpod.oval:def:55730
The rhnsd service should be disabled if possible.

oval:org.secpod.oval:def:55723
The rexec service should be disabled if possible.

oval:org.secpod.oval:def:55726
The '.rhosts' or 'hosts.equiv' files should or should not exist on the system, as appropriate.

oval:org.secpod.oval:def:55724
The rsh service should be disabled if possible.

oval:org.secpod.oval:def:55725
The rlogin service should be disabled if possible.

oval:org.secpod.oval:def:55729
The TFTP daemon should use secure mode.

oval:org.secpod.oval:def:55904
The telnet service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55909
Audit rules should detect modification to system files that hold information about users and groups.

oval:org.secpod.oval:def:505369
The fapolicyd software framework introduces a form of file access control based on a user-defined policy. The application file access control feature provides one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system. Bug Fix: * When an update repl ...

oval:org.secpod.oval:def:55780
Disable WebDAV (Distributed Authoring and Versioning) (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55781
Disable Server Activity Status (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55784
The HTTPD Proxy Module Support should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55785
Disable Cache Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55782
Disable Web Server Configuration Display (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55783
Disable URL Correction on Misspelled Entries (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55778
Disable Server Side Includes (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55775
Disable HTTP mod_rewrite (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55776
Disable LDAP Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55779
Disable MIME Magic (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55791
Directory permissions for /etc/httpd/conf/ should be set as appropriate.

oval:org.secpod.oval:def:55792
The /etc/httpd/conf/* files should have the appropriate permissions.

oval:org.secpod.oval:def:55790
Directory permissions for /var/log/httpd should be set appropriately.

oval:org.secpod.oval:def:55788
mod_ssl package installation should be configured appropriately.

oval:org.secpod.oval:def:55786
Disable CGI Support (/etc/httpd/conf/httpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55853
The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.

oval:org.secpod.oval:def:55870
Ensure all yum repositories utilize signature checking.

oval:org.secpod.oval:def:55864
Verify which group owns the /boot/grub2/grub.cfg file.

oval:org.secpod.oval:def:55867
The '/boot/grub2/grub.cfg' file should be owned by the appropriate user.

oval:org.secpod.oval:def:55881
System Audit Logs Must Have Mode 0640 or Less Permissive (/var/log/audit/*) should be configured appropriately.

oval:org.secpod.oval:def:55882
The file /etc/pam.d/system-auth should not contain the nullok option.

oval:org.secpod.oval:def:55889
File permissions for '/boot/grub2/grub.cfg' should be set appropriately.

oval:org.secpod.oval:def:55815
Configure Periodic Execution of AIDE (/etc/crontab) should be configured appropriately.

oval:org.secpod.oval:def:55821
The kernel runtime parameter "kernel.dmesg_restrict" should be set to "1".

oval:org.secpod.oval:def:55822
The SELinux state should be set appropriately.

oval:org.secpod.oval:def:55823
Direct root logins should be allowed or disallowed as appropriate.

oval:org.secpod.oval:def:55827
Configure the system to notify users of last logon/access using pam_lastlog.

oval:org.secpod.oval:def:55836
Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.

oval:org.secpod.oval:def:55803
Configure SNMP Service to Use Only SNMPv3 or Newer (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55699
System Audit Logs Must Be Owned By Root (/var/log/*) should be configured appropriately.

oval:org.secpod.oval:def:502654
Red Hat Enterprise Linux 8 is installed.

oval:org.secpod.oval:def:55670
Enable privacy extensions for IPv6.

oval:org.secpod.oval:def:55671
Define default gateways for IPv6 traffic.

oval:org.secpod.oval:def:55666
RPC IPv6 support should be configured appropriately based on the RPC services in use.

oval:org.secpod.oval:def:55669
Manually configure addresses for IPv6.

oval:org.secpod.oval:def:55685
Check if SplitHosts line in logwatch.conf is set appropriately.

oval:org.secpod.oval:def:55686
Disable Logwatch on Clients if a Logserver Exists (/etc/cron.daily/0logwatch) should be configured appropriately.

oval:org.secpod.oval:def:55684
Test if HostLimit line in logwatch.conf is set appropriately. On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it is runni ...

oval:org.secpod.oval:def:55695
Record attempts to alter time through stime; note that this is only relevant on 32-bit architectures.

oval:org.secpod.oval:def:503337
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core SDK 2.1.509 and Runtime 2.1.13 ...

oval:org.secpod.oval:def:503423
The libseccomp library provides an interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API allows an application to specify which system calls or system call arguments the application is allowed to execute, all of which are then enforced by the Linux Kernel. The foll ...

oval:org.secpod.oval:def:55834
Ctrl-Alt-Del Reboot Activation should be set as appropriate.

oval:org.secpod.oval:def:503404
The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: open redirect in logout url when u ...

oval:org.secpod.oval:def:503408
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. The fo ...

oval:org.secpod.oval:def:503411
The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...

oval:org.secpod.oval:def:503436
Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. Security Fix: * evolution-ews: all certificate errors ignored if configured to ignore an initial error in gnome-online-accounts creation resulting in the connection open t ...

oval:org.secpod.oval:def:55840
The kernel runtime parameter "net.ipv4.conf.all.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:503574
The ipmitool packages contain a command-line utility for interfacing with devices that support the Intelligent Platform Management Interface specification. IPMI is an open standard for machine health, inventory, and remote power control. Security Fix: * ipmitool: Buffer overflow in read_fru_area_se ...

oval:org.secpod.oval:def:503449
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: -dSAFER escape in .charkeys For more details about the security issue, inc ...

oval:org.secpod.oval:def:503434
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * QEMU: slirp: heap buffer overflow during packet reassembly * containers/image: not enforcing TLS when sending username+password credentials to token servers leading to c ...

oval:org.secpod.oval:def:503571
LibVNCServer is a C library that enables you to implement VNC server functionality in your own programs. Security Fix: * libvncserver: HandleCursorShape integer overflow resulting in heap-based buffer overflow For more details about the security issue, including the impact, a CVSS score, acknowledgmen ...

oval:org.secpod.oval:def:505222
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.5.1. Security Fix: * Mozilla: Stack overflow due to incorrect parsing of SMTP server response codes For more details about the security issue, including the impact, a CVSS score, acknowledg ...

oval:org.secpod.oval:def:503381
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:503431
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * sudo: Privilege escalation via "Runas" specifica ...

oval:org.secpod.oval:def:503505
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...

oval:org.secpod.oval:def:503387
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. The following packages have been upgraded to a later upstream version: gnutls. Security Fix: * gnutls: use-after-free/double-free in certificat ...

oval:org.secpod.oval:def:503382
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: NTLM type-2 heap out-of-bounds buffer read * wget: Information exposure in set_file_metadata function in xattr.c * cur ...

oval:org.secpod.oval:def:503758
FreeRDP is a free implementation of the Remote Desktop Protocol, released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: Out-of-bounds write in planar.c * freerdp: Integer overflow in regio ...

oval:org.secpod.oval:def:503409
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: An assertion failure if a trust anchor rolls over to an unsupporte ...

oval:org.secpod.oval:def:503389
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: ...

oval:org.secpod.oval:def:503401
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution For more details about the security issue, i ...

oval:org.secpod.oval:def:503390
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: malformed hosts in URLs leads to authorization bypass For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ...

oval:org.secpod.oval:def:503516
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling * golang: invalid public key causes panic in dsa.Verify For more details abou ...

oval:org.secpod.oval:def:503437
The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: getaddrinfo should reject I ...

oval:org.secpod.oval:def:503414
Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix: * qt5-qtbase: Double free in QXmlStreamReader * qt5-qtbase: QImage allocation failure in qgifhandler * qt5-qtbase: QBmpHandler segmentation faul ...

oval:org.secpod.oval:def:503386
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...

oval:org.secpod.oval:def:503405
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba. Se ...

oval:org.secpod.oval:def:503426
The gettext packages provide documentation for producing multi-lingual messages in programs, a set of conventions about how programs should be written, a runtime library, and a directory and file naming organization for the message catalogs. Security Fix: * gettext: double free in default_add_messag ...

oval:org.secpod.oval:def:503432
The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * libvorbis: heap buffer overflow in mapping0_for ...

oval:org.secpod.oval:def:503433
The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix: * libjpeg-turbo: heap-base ...

oval:org.secpod.oval:def:503410
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: * squid: XSS via user_name or auth parameter in cachemgr.cgi For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...

oval:org.secpod.oval:def:503650
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu For more details about the security issue, including the impact, a CVSS score, acknowledgments, a ...

oval:org.secpod.oval:def:505909
Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection or to provide an encrypted means of connecting to services that do not natively support encryption. Security Fix: * stunnel: client certificate not correctly verifie ...

oval:org.secpod.oval:def:504692
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:504697
The libpcap packages provide a portable framework for low-level network monitoring. The libpcap library provides network statistics collection, security monitoring, and network debugging. The following packages have been upgraded to a later upstream version: libpcap. Security Fix: * libpcap: Resou ...

oval:org.secpod.oval:def:506234
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: possible heap corruption with LzmaUefiDecompressGetInfo For more details about the security issue, including the impact, a CVSS score, acknowled ...

oval:org.secpod.oval:def:504762
The librabbitmq packages provide an Advanced Message Queuing Protocol client library that allows you to communicate with AMQP servers using protocol version 0-9-1. Security Fix: * librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow For more d ...

oval:org.secpod.oval:def:504760
Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was orig ...

oval:org.secpod.oval:def:504765
Vim is an updated and improved version of the vi editor. Security Fix: * vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:504763
File Roller is an application for creating and viewing archive files, such as tar or zip files. Security Fix: * file-roller: path traversal vulnerability via a specially crafted filename contained in malicious archive * file-roller: directory traversal via directory symlink pointing outside of the ...

oval:org.secpod.oval:def:504764
The cryptsetup packages provide a utility for setting up disk encryption using the dm-crypt kernel module. The following packages have been upgraded to a later upstream version: cryptsetup. Security Fix: * cryptsetup: Out-of-bounds write when validating segments For more details about the securit ...

oval:org.secpod.oval:def:504767
The dpdk packages provide the Data Plane Development Kit, which is a set of libraries and drivers for fast packet processing in the user space. The following packages have been upgraded to a later upstream version: dpdk. Security Fix: * dpdk: librte_vhost Malicious guest could cause segfault by se ...

oval:org.secpod.oval:def:504777
Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * subversion: remotely triggerable DoS vulnerability in svnserve "get-deleted-rev ...

oval:org.secpod.oval:def:504778
The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. The following packages have been upgraded to a later upstream version: libgcrypt. Security Fix: * libgcrypt: ECDSA timing attack allowing private key leak For more details about the security issue, ...

oval:org.secpod.oval:def:504720
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: memory leak in ArpOnFrameRcvdDpc For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...

oval:org.secpod.oval:def:504729
Oniguruma is a regular expressions library that supports a variety of character encodings. Security Fix: * oniguruma: NULL pointer dereference in match_at in regexec.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refe ...

oval:org.secpod.oval:def:504728
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures. The following packages have been upgraded to a later upstream versi ...

oval:org.secpod.oval:def:504730
The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: crafted configuration files can run system commands without any output or errors * spamassassin: crafted email message can lead to DoS * spamassassin: command injection v ...

oval:org.secpod.oval:def:504736
The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Security Fix: * cloud-init: Use of random.choice when generating random password * ...

oval:org.secpod.oval:def:504740
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. The following packages have been upgraded to a later upstream version: openssl. Security Fix: * openssl: Integer overflow in RSAZ ...

oval:org.secpod.oval:def:504743
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: integer overflow leading to heap-based buffer overflow in tif_getimage.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ...

oval:org.secpod.oval:def:504742
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: ...

oval:org.secpod.oval:def:504745
The cyrus-sasl packages contain the Cyrus implementation of Simple Authentication and Security Layer. SASL is a method for adding authentication support to connection-based protocols. Security Fix: * cyrus-sasl: denial of service in _sasl_add_string function For more details about the security iss ...

oval:org.secpod.oval:def:506175
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run For more details about the ...

oval:org.secpod.oval:def:506178
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run * kernel: nitro_enclaves stale file descriptors on failed usercopy For mor ...

oval:org.secpod.oval:def:503757
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: BIND does not sufficiently limit the number of fetches performed w ...

oval:org.secpod.oval:def:503636
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. Security Fix: * haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes For more details about the security issue, including the impact, a CVSS score, acknowledgments, an ...

oval:org.secpod.oval:def:505190
Security Fix: * hw: Information disclosure issue in Intel SGX via RAPL interface * hw: Vector Register Leakage-Active * hw: Fast forward store predictor For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE ...

oval:org.secpod.oval:def:503503
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:506494
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * buildah: Host environment variables leaked in build container when using chroot isolation * containers/storage: DoS via malicious image For more details about the secur ...

oval:org.secpod.oval:def:506528
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * buildah: Host environment variables leaked in build container when using chroot isolation For more details about the security issue, including the impact, a CVSS score, ...

oval:org.secpod.oval:def:503364
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper handling of Kerberos proxy credentials * OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn * OpenJD ...

oval:org.secpod.oval:def:503363
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Improper handling of Kerberos proxy credentials * OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn * OpenJDK ...

oval:org.secpod.oval:def:503485
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS * OpenJDK: Serialization filter changes via jdk.serialFilter property modification * OpenJDK: Impr ...

oval:org.secpod.oval:def:505928
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6. Security Fix: * OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn * OpenJDK: Incorrect handling of nest ...

oval:org.secpod.oval:def:505929
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP5. Security Fix: * OpenJDK: Serialization filter changes via jdk.serialFilter property modification * OpenJDK: Incorrect isBuiltinStreamH ...

oval:org.secpod.oval:def:503391
D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass For more details about the security issue, including the ...

oval:org.secpod.oval:def:506290
Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. The following packages have been upgraded to a later upstream version: rust. Security Fix: * rust: optimization for joining strings can cause uninitialized bytes ...

oval:org.secpod.oval:def:503637
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * ICU: Integer overflow in UnicodeString::doAppend For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ...

oval:org.secpod.oval:def:503635
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * ICU: Integer overflow in UnicodeString::doAppend For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ...

oval:org.secpod.oval:def:503565
The International Components for Unicode library provides robust and full-featured Unicode services. Security Fix: * ICU: Integer overflow in UnicodeString::doAppend For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ...

oval:org.secpod.oval:def:507263
WavPack is a completely open audio compression format providing lossless, high-quality lossy and a unique hybrid compression mode. Security Fix: * wavpack: Heap out-of-bounds read in WavpackPackSamples For more details about the security issue, including the impact, a CVSS score, acknowledgments, a ...

oval:org.secpod.oval:def:507333
GStreamer is a streaming media framework based on graphs of filters that operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix: * gstreamer-plugins-good: Use-after-free in matroska demuxing ...

oval:org.secpod.oval:def:507288
OpenBLAS is an optimized BLAS library based on GotoBLAS2 1.13 BSD version. Security Fix: * lapack: Out-of-bounds read in *larrv For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the Referenc ...

oval:org.secpod.oval:def:507264
The gdisk packages provide the gdisk partitioning utility for GUID Partition Table disks. The utility features a command-line interface similar to fdisk, direct manipulation of partition table structures, recovery tools to deal with corrupt partition tables, and the ability to convert Master Boot R ...

oval:org.secpod.oval:def:504719
Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: XSS via file attachments in list archives For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the Ref ...

oval:org.secpod.oval:def:503464
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.3.0. Security Fix: * Mozilla: Use-after-free in worker destruction * Mozilla: Memory safety bugs fixed in Firefox 71 and Firefox ESR 68.3 * Mozilla: Buffer overflow in plain text serialize ...

oval:org.secpod.oval:def:503486
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.4.1. Security Fix: * Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement * Mozilla: Bypass of @namespace CSS sanitization during pasting * Mozilla: Type Confus ...

oval:org.secpod.oval:def:503506
OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * openjpeg: Heap-based buffer overflow in opj_t1_clbl_decode_processor For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informati ...

oval:org.secpod.oval:def:504693
The oddjob packages contain a D-Bus service which performs particular tasks for clients which connect to it and issue requests using the system-wide message bus. The following packages have been upgraded to a later upstream version: oddjob. Security Fix: * oddjob: race condition in oddjob_selinux_ ...

oval:org.secpod.oval:def:504702
Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. The following packages have been upgraded to a later upstream version: varnish. Security Fix: * ...

oval:org.secpod.oval:def:504708
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...

oval:org.secpod.oval:def:504741
The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and SIEVE support. Security Fix: * cyrus-imapd: privilege escalation in HTTP request * cyrus-imapd: lmtpd component created mailboxes with administrator privileges if the fileinto was used, bypassing ACL checks ...

oval:org.secpod.oval:def:504707
The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library. Security Fix: * librsvg: Resource exhaustion via crafted SVG file with nested patterns For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related inf ...

oval:org.secpod.oval:def:504722
The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity. Security Fix: * sysstat: memory corruption due to an integer overflow in remap_struct in sa_common.c For more details about the security issue, including the i ...

oval:org.secpod.oval:def:507127
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Security Fix: * Mozilla: Address bar spoofing via XSLT error handling * Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions * Mozilla: Memory safety bu ...

oval:org.secpod.oval:def:507131
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Security Fix: * Mozilla: Address bar spoofing via XSLT error handling * Mozilla: Cross-origin XSLT Documents would have inherited the ...

oval:org.secpod.oval:def:507294
Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: buffer overflow in uudecoder function For more details about the security issue, ...

oval:org.secpod.oval:def:507286
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or ...

oval:org.secpod.oval:def:507244
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fix: * gnutls: Double free during gnutls_pkcs7_verify. For more details about the security issue, including the impact, a CVSS score, a ...

oval:org.secpod.oval:def:507334
Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * poppler: A logic error in the Hints::Hints function can cause denial of service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507141
The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Security Fix: * open-vm-tools: local root privilege escalation in the virtual ma ...

oval:org.secpod.oval:def:507156
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. The following packages have been upgraded to a later upstream version: webkit2gtk3. Security Fix: * webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution For more details abo ...

oval:org.secpod.oval:def:507146
The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gpg: Signature spoofing via status line injection For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ot ...

oval:org.secpod.oval:def:503566
The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell, but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions, a his ...

oval:org.secpod.oval:def:507137
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:504727
Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * poppler: divide-by-zero in function SplashOutputDev::tilingPatternFill in SplashOutputDev.cc For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:504723
The libexif packages provide a library for extracting extra information from image files. The following packages have been upgraded to a later upstream version: libexif. Security Fix: * libexif: out of bounds write in exif-data.c * libexif: out of bounds read due to a missing bounds check in exif ...

oval:org.secpod.oval:def:507274
The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System. Security Fix: * pki-core: access to external entities when parsing XML can lead to XXE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other ...

oval:org.secpod.oval:def:504776
The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. The following packages have been upgraded to a later upstream version: libldb. Security Fix: * samba: NULL pointer de-reference and use-after-free in Samba ...

oval:org.secpod.oval:def:504782
The libsolv packages provide a library for resolving package dependencies using a satisfiability algorithm. The following packages have been upgraded to a later upstream version: libsolv. Security Fix: * libsolv: out-of-bounds read in repodata_schema2id in repodata.c For more details about the se ...

oval:org.secpod.oval:def:506963
PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: postgresql. Security Fix: * postgresql: Autovacuum, REINDEX, and others omit security restricted operation sandbox For more details about the security iss ...

oval:org.secpod.oval:def:507225
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: Extension scripts replace objects not belonging to the extension. For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ...

oval:org.secpod.oval:def:506490
The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: Arbitrary read in wordexp ...

oval:org.secpod.oval:def:503376
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb, galera. Security Fix: * mysql: InnoDB unspecified vulnerability * mysql: Server: DDL unspecified vulnerability * my ...

oval:org.secpod.oval:def:506023
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb, galera. Security Fix: * mariadb: writable system variables allows a database user with SUPER privilege to execute arbitr ...

oval:org.secpod.oval:def:507157
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked * Archive_Tar: improper filename sanitization leads to file overwrites * Archive_Tar: directory trav ...

oval:org.secpod.oval:def:507267
OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ...

oval:org.secpod.oval:def:504726
The gnome-software packages contain an application that makes it easy to add, remove, and update software in the GNOME desktop. The appstream-data package provides the distribution specific AppStream metadata required for the GNOME and KDE software centers. The fwupd packages provide a service that ...

oval:org.secpod.oval:def:503528
KornShell is a Unix shell developed by AT&T Bell Laboratories, which is backward-compatible with the Bourne shell and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard. Security Fix: * ksh: certain environment variables inte ...

oval:org.secpod.oval:def:503395
Virtual Machine Manager is a graphical tool for administering virtual machines for KVM, Xen, and Linux Containers. The virt-manager utility uses the libvirt API and can start, stop, add or remove virtualized devices, connect to a graphical or serial console, and view resource usage statistics for ...

oval:org.secpod.oval:def:504739
Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ...

oval:org.secpod.oval:def:503435
The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link Layer Discovery Protocol Agent with Enhanced Ethernet support. Security Fix: * lldptool: improper sanitization of shell-escape codes For more details about the security issue, including the impact, a CV ...

oval:org.secpod.oval:def:504750
The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix: * binutils: denial of service via ...

oval:org.secpod.oval:def:507421
Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. Security Fix: * varnish: Request Forgery Vulnerability For more details about the security issue, ...

oval:org.secpod.oval:def:504768
The targetcli package contains an administration shell for configuring Internet Small Computer System Interface, Fibre Channel over Ethernet, and other SCSI targets, using the Target Core Mod/Linux-IO kernel target subsystem. FCoE users also need to install and use the fcoe-utils package. The fol ...

oval:org.secpod.oval:def:504706
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB, OpenTSDB. The following packages have been upgraded to a later upstream version: grafana. Security Fix: * grafana: XSS vulnerability via a column style on the Dashboard Table Panel screen * grafana ...

oval:org.secpod.oval:def:503392
The osinfo-db package contains a database that provides information about operating systems and hypervisor platforms to facilitate the automated configuration and provisioning of new virtual machines. The libosinfo packages provide a library that allows virtualization provisioning tools to determine ...

oval:org.secpod.oval:def:503415
The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The following packages have been upgraded to a later upstream version: elfutils. Security Fix: * elfutils: buffer over-read in the ebl_object_note function in eblobj ...

oval:org.secpod.oval:def:504747
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters * QEMU: slirp: networking out-of-bounds read information disclosure vulne ...

oval:org.secpod.oval:def:503837
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a la ...

oval:org.secpod.oval:def:504759
The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. The following packages have been upgraded to a later upstream version: gnupg2. Security Fix: * GnuPG: interaction between the sks-keyserver code and GnuPG allows for a ...

oval:org.secpod.oval:def:507290
LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...

oval:org.secpod.oval:def:503407
GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix: * glib2: file_copy_fallback in gi ...

oval:org.secpod.oval:def:503380
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh. Security Fix: * openssh: scp c ...

oval:org.secpod.oval:def:507302
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. The following packages have been upgraded to a later upstream version: unbound. Security Fix: * unbound: the novel ghost domain attack allows malicious users to trigger continued resolvability of malicious domain nam ...

oval:org.secpod.oval:def:504781
The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Security Fix: * libvpx: Double free in ParseContentEncodingEntry in mkvparser.cc * libvpx: Out of bounds read in vp8_norm table * li ...

oval:org.secpod.oval:def:506288
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang. Security Fix: * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader * g ...

oval:org.secpod.oval:def:506295
389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed For more d ...

oval:org.secpod.oval:def:503425
389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a later upstream version: 389-ds-base. Security Fix: * 389-ds- ...

oval:org.secpod.oval:def:506287
The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Security Fix: * cloud-init: randomly generated passwords logged in clear-text to wor ...

oval:org.secpod.oval:def:503453
Simple DirectMedia Layer is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. Security Fix: * SDL: heap-based buffer overflow in SDL blit functions in video/SDL_blit*.c For more details about the security issue, including the impact, ...

oval:org.secpod.oval:def:504766
Simple DirectMedia Layer is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. Security Fix: * SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c * SDL: heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c * S ...

oval:org.secpod.oval:def:502729
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. A new version of .NET Core that address security vulnerabilities is now available. The updated version is .NET Core Runtime 2.1.11 and SDK 2.1.507. ...

oval:org.secpod.oval:def:507523
KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Security Fix: * libksba: integer overflow to code execution For more details about the security issue, including the impact, a CVSS s ...

oval:org.secpod.oval:def:507239
389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: SIGSEGV in sync_repl For more details about the security issue, including the i ...

oval:org.secpod.oval:def:504682
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following packa ...

oval:org.secpod.oval:def:504733
Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Security Fix: * snakeyaml: Billion laughs attack via alias feature For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:503210
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - ...

oval:org.secpod.oval:def:507718
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: * unbound: NRDelegation attack leads to uncontrolled resource consumption For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related inform ...

oval:org.secpod.oval:def:507733
The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity. Security Fix: * sysstat: arithmetic overflow in allocate_structures on 32 bit systems For more details about the security issue, including the impact, a CVSS s ...

oval:org.secpod.oval:def:507708
Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * poppler: integer overflow in JBIG2 decoder using malformed files For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informati ...

oval:org.secpod.oval:def:507752
Ctags is a C programming language indexing and cross-reference tool. Security Fix: * ctags: arbitrary command execution via a tag file with a crafted filename For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ...

oval:org.secpod.oval:def:507721
The libtar packages contain a C library for manipulating tar archives. The library supports both the strict POSIX tar format and many of the commonly used GNU extensions. Security Fix: * libtar: out-of-bounds read in gnu_longlink * libtar: out-of-bounds read in gnu_longname * libtar: memory leak f ...

oval:org.secpod.oval:def:507740
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol, including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which us ...

oval:org.secpod.oval:def:507741
The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...

oval:org.secpod.oval:def:507720
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Security Fix: * emacs: ctags local command execution vulnerability For more details about the security issue, including ...

oval:org.secpod.oval:def:504749
libssh is a library which implements the SSH protocol. It can be used to implement client and server applications. The following packages have been upgraded to a later upstream version: libssh. Security Fix: * libssh: denial of service when handling AES-CTR ciphers * libssh: unsanitized location ...

oval:org.secpod.oval:def:503406
The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...

oval:org.secpod.oval:def:507538
The GNU tar program can save multiple files in an archive and restore files from an archive. Security Fix: * tar: heap buffer overflow at from_header in list.c via specially crafted checksum For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:502704
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: Sandbox bypass via IOCSTI For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pa ...

oval:org.secpod.oval:def:502705
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: eap-pwd: authentication bypass via an invalid curve attack * freeradius: eap-pw ...

oval:org.secpod.oval:def:502657
Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ...

oval:org.secpod.oval:def:503640
Telnet is a popular protocol for logging in to remote systems over the Internet. The telnet-server packages include a telnet service that supports remote logins into the host machine. The telnet service is disabled by default. Security Fix: * telnet-server: no bounds checks in nextitem function allo ...

oval:org.secpod.oval:def:507291
FriBidi is a library to handle bidirectional scripts, so that the display is done in the proper way, while the text data itself is always written in logical order. Security Fix: * fribidi: Stack based buffer overflow * fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode * fribidi: SEGV in ...

oval:org.secpod.oval:def:503388
The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix: * lua: use-after-free in lua_upvaluejoin in lapi.c resulting in denial of service For mor ...

oval:org.secpod.oval:def:71987
Ensure ip6tables is enabled and running

oval:org.secpod.oval:def:71964
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivil ...

oval:org.secpod.oval:def:72027
If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.

oval:org.secpod.oval:def:72004
Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ...

oval:org.secpod.oval:def:72008
All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

oval:org.secpod.oval:def:72000
iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

oval:org.secpod.oval:def:71989
The dovecot service should be disabled if possible.

oval:org.secpod.oval:def:71973
The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.

oval:org.secpod.oval:def:72034
chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a ...

oval:org.secpod.oval:def:72001
Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

oval:org.secpod.oval:def:72047
Shared library files (/lib, /lib64, /usr/lib or /usr/lib64) should be owned by root.

oval:org.secpod.oval:def:72050
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:72020
Ensure mounting of FAT filesystems is limited

oval:org.secpod.oval:def:71998
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.

oval:org.secpod.oval:def:71988
Ensure cron daemon is enabled and running

oval:org.secpod.oval:def:72014
The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems.

oval:org.secpod.oval:def:72018
The requirement for a password to boot into single-user mode should be configured correctly.

oval:org.secpod.oval:def:71999
Ensure LDAP Client is not installed

oval:org.secpod.oval:def:72012
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.

oval:org.secpod.oval:def:72007
Ensure users' home directories permissions are 750 or more restrictive

oval:org.secpod.oval:def:71970
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

oval:org.secpod.oval:def:72015
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ...

oval:org.secpod.oval:def:72006
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

oval:org.secpod.oval:def:71960
Disable Automounting

oval:org.secpod.oval:def:72016
The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.

oval:org.secpod.oval:def:71969
Since the /var/tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:71984
Ensure iptables is enabled and running

oval:org.secpod.oval:def:71978
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:72011
Ensure sudo log file exists

oval:org.secpod.oval:def:72019
Ensure rsyslog default file permissions configured

oval:org.secpod.oval:def:72009
The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

oval:org.secpod.oval:def:72037
A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.

oval:org.secpod.oval:def:72040
The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.

oval:org.secpod.oval:def:72051
Ensure no duplicate group names exist

oval:org.secpod.oval:def:72032
TMOUT is an environment variable that determines the idle timeout of a shell in seconds.

oval:org.secpod.oval:def:71965
Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:72122
Audit rules should detect modification to system files that hold information about users and groups.

oval:org.secpod.oval:def:71996
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:72049
File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.

oval:org.secpod.oval:def:72035
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.

oval:org.secpod.oval:def:72023
Ensure auditd service is enabled and running

oval:org.secpod.oval:def:71963
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

oval:org.secpod.oval:def:72041
It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

oval:org.secpod.oval:def:71983
Ensure inactive password lock is 30 days or less

oval:org.secpod.oval:def:71961
SELinux provides an extra layer of security for the resources in the system: mandatory access control (MAC), as opposed to discretionary access control (DAC).

oval:org.secpod.oval:def:72010
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.

oval:org.secpod.oval:def:71994
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:71979
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:71993
The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to use ...

oval:org.secpod.oval:def:71980
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables.

oval:org.secpod.oval:def:72029
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk

oval:org.secpod.oval:def:72046
Shared library files (/lib, /lib64, /usr/lib or /usr/lib64) should have restrictive permissions.

oval:org.secpod.oval:def:72031
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:71997
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:71966
Since the /tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:71974
There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

oval:org.secpod.oval:def:71982
Ensure journald is configured to write logfiles to persistent disk

oval:org.secpod.oval:def:74445
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ...

oval:org.secpod.oval:def:72036
If a users recorded password change date is in the future then they could bypass any set password expiration.

oval:org.secpod.oval:def:72022
Ensure mail transfer agent is configured for local-only mode

oval:org.secpod.oval:def:72042
The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:71990
Ensure ntp is configured

oval:org.secpod.oval:def:72017
sudo can be configured to run only from a pseudo-pty

oval:org.secpod.oval:def:71985
Ensure rsyslog Service is enabled and running

oval:org.secpod.oval:def:72045
Ensure no duplicate user names exist

oval:org.secpod.oval:def:71991
Ensure no users have .forward files

oval:org.secpod.oval:def:72003
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ...

oval:org.secpod.oval:def:72038
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:71981
Ensure journald is configured to send logs to rsyslog

oval:org.secpod.oval:def:72026
Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed.

oval:org.secpod.oval:def:71995
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:71967
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:71976
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:72025
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:71968
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:72033
Ensure default group for the root account is GID 0

oval:org.secpod.oval:def:72030
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...
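The two cron.allow/at.allow entries above describe a precedence rule: the allow file, if present, is the only thing consulted; otherwise the deny file is consulted; with neither file, access is open. The script below is an added example, not SecPod's check; it models that decision for one user and audits the allow file's ownership and mode. The fixture files are created in a temporary directory so nothing on the host is touched, and the mode-0600/root-owned expectation in audit_allow_file is an assumption (the page only says the files should exist and be used).

```shell
#!/bin/sh
# Added example (not SecPod's own check): model the cron/at allow/deny decision
# and audit the allow file. Fixture files are constructed in a temp directory.

# user_listed USER FILE -> 0 if USER appears as a whole line in FILE
user_listed() {
    grep -qx -- "$1" "$2" 2>/dev/null
}

# access_decision USER ALLOWFILE DENYFILE -> prints allow|deny and returns 0|1.
# Precedence as described on the page: an existing allow file is authoritative;
# otherwise a listing in the deny file denies; with neither file, access is open.
access_decision() {
    user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        if user_listed "$user" "$allow"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    if [ -f "$deny" ] && user_listed "$user" "$deny"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# audit_allow_file FILE -> 0 if FILE exists, is root-owned and is mode 0600 or stricter
# (assumed hardening expectation; stat -c is GNU coreutils syntax)
audit_allow_file() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    owner=$(stat -c '%U' "$1" 2>/dev/null)
    mode=$(stat -c '%a' "$1" 2>/dev/null)
    [ "$owner" = root ] || { echo "$1: owner '$owner', expected root"; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600"; return 1 ;;
    esac
}

# Constructed fixture: an allow file listing root and backup, a deny file listing alice.
demo() {
    dir=$(mktemp -d)
    printf 'root\nbackup\n' > "$dir/cron.allow"
    printf 'alice\n'        > "$dir/cron.deny"
    chmod 600 "$dir/cron.allow"
    echo "alice  (allow file present, not listed):  $(access_decision alice  "$dir/cron.allow" "$dir/cron.deny")"
    echo "backup (allow file present, listed):      $(access_decision backup "$dir/cron.allow" "$dir/cron.deny")"
    echo "alice  (no allow file, in deny file):     $(access_decision alice  "$dir/none" "$dir/cron.deny")"
    echo "bob    (no allow file, not in deny file): $(access_decision bob    "$dir/none" "$dir/cron.deny")"
    audit_allow_file "$dir/cron.allow" || true
    rm -rf "$dir"
}

demo
```

One caveat when neither file exists: cron and at implementations differ on whether that means "all users" or "root only", so the safe configuration is to create the allow files and remove the deny files rather than rely on the default.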

oval:org.secpod.oval:def:72002
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ...

oval:org.secpod.oval:def:72005
Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ...

oval:org.secpod.oval:def:72013
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site po ...

oval:org.secpod.oval:def:71971
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

oval:org.secpod.oval:def:72048
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

oval:org.secpod.oval:def:72044
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:71962
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unau ...
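The nosuid, nodev and noexec entries above, together with the /tmp, /var/tmp and user-partition entries, all reduce to one check: does each mount point carry the options the policy expects? The script below is an added example and not a SecPod check; it audits an fstab-style table for missing options. The table is a constructed sample, and the per-mount-point policy in required_opts is an assumption modelled on the entries in this list (/tmp and /var/tmp get all three options, /home gets nodev, removable media get all three).

```shell
#!/bin/sh
# Added example (not SecPod's own check): audit an fstab-style table for the
# nodev/nosuid/noexec mount options. SAMPLE_FSTAB is a constructed sample and
# the policy in required_opts is an assumption, not taken from the page.

SAMPLE_FSTAB='
# <device>            <mountpoint>  <type>  <options>                     <dump> <pass>
/dev/mapper/vg-root   /             xfs     defaults                      0 0
/dev/mapper/vg-tmp    /tmp          xfs     defaults,nodev,nosuid,noexec  0 0
/dev/mapper/vg-vtmp   /var/tmp      xfs     defaults,nodev                0 0
/dev/mapper/vg-home   /home         xfs     defaults                      0 0
/dev/sdb1             /media/usb    vfat    defaults,uid=1000             0 0
'

# required_opts MOUNTPOINT -> comma-separated options the (assumed) policy expects there
required_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev,nosuid,noexec" ;;
        /home)                  echo "nodev" ;;
        /media/*|/mnt/*)        echo "nodev,nosuid,noexec" ;;   # removable / untrusted media
        *)                      echo "" ;;
    esac
}

# has_opt OPTLIST OPT -> 0 when OPT is one of the comma-separated OPTLIST entries
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts FSTAB_TEXT -> prints "MOUNTPOINT OPTION" for every required option that is absent
missing_opts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac    # skip blank and comment lines
        set -- $line                                # split the fstab fields on whitespace
        mp=$2 opts=$4
        req=$(required_opts "$mp")
        [ -n "$req" ] || continue                   # no policy for this mount point
        for o in $(printf '%s' "$req" | tr ',' ' '); do
            has_opt "$opts" "$o" || echo "$mp $o"
        done
    done
}

missing_opts "$SAMPLE_FSTAB"
```

Run against a real system with `missing_opts "$(cat /etc/fstab)"`, or against the live mount table with `missing_opts "$(findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS)"`, since a mount can be remounted with weaker options than fstab declares.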

oval:org.secpod.oval:def:71972
The /home directory is used to support disk storage needs of local users.

oval:org.secpod.oval:def:72043
It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information.

oval:org.secpod.oval:def:72021
Ensure use of privileged commands is collected

oval:org.secpod.oval:def:71992
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.

oval:org.secpod.oval:def:72121
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:72024
All password hashes should be shadowed.
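Several of the account checks above (only root has UID 0, no duplicate user or group names, no primary GID missing from /etc/group, no password change date in the future, all hashes shadowed) are simple joins and filters over /etc/passwd, /etc/shadow and /etc/group. The script below is an added example, not SecPod's OVAL logic; it runs those checks over constructed copies of the three files (the rows and hashes are invented) so it can be read and run offline. Point the functions at the real files with `"$(cat /etc/passwd)"` and so on to use it on a host.

```shell
#!/bin/sh
# Added example (not SecPod's own check): account-consistency checks over
# constructed passwd/shadow/group text. Every row below is invented.

PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:2001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Alice again:/home/alice2:/bin/sh
legacy:$6$salt$hashinpasswd:1003:1003:Legacy:/home/legacy:/bin/sh'

SHADOW='root:$6$rootsalt$roothash:19000:0:99999:7:::
alice:$6$asalt$ahash:19100:0:99999:7:::
bob:$6$bsalt$bhash:99999:0:99999:7:::
legacy:$6$lsalt$lhash:19100:0:99999:7:::'

GROUP='root:x:0:
daemon:x:1:
alice:x:1000:
alice:x:1005:
users:x:100:bob'

# Days since the epoch, the unit shadow(5) uses for the last-change field.
today_days() { echo $(( $(date +%s) / 86400 )); }

# extra_uid0 PASSWD -> every UID 0 account other than root
extra_uid0() { printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# duplicate_names TEXT -> first-field names that occur more than once (works for passwd and group)
duplicate_names() {
    printf '%s\n' "$1" | awk -F: '{ c[$1]++ } END { for (n in c) if (c[n] > 1) print n }'
}

# unknown_gids PASSWD GROUP -> "user:gid" for primary GIDs that no /etc/group entry defines
unknown_gids() {
    { printf '%s\n' "$2"; echo '=='; printf '%s\n' "$1"; } |
    awk -F: '$0 == "=="  { second = 1; next }
             !second     { gid[$3] = 1; next }
             !($4 in gid) { print $1 ":" $4 }'
}

# unshadowed PASSWD -> accounts whose passwd field is a real hash rather than x / * / ! markers
unshadowed() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!+$/ { print $1 }'
}

# future_change SHADOW TODAY -> accounts whose last password change lies after TODAY
future_change() {
    printf '%s\n' "$1" | awk -F: -v t="$2" '$3 != "" && $3 + 0 > t + 0 { print $1 }'
}

report() {
    echo "UID 0 accounts besides root: $(extra_uid0 "$PASSWD")"
    echo "duplicate user names:        $(duplicate_names "$PASSWD")"
    echo "duplicate group names:       $(duplicate_names "$GROUP")"
    echo "primary GIDs not in group:   $(unknown_gids "$PASSWD" "$GROUP" | tr '\n' ' ')"
    echo "unshadowed password hashes:  $(unshadowed "$PASSWD")"
    echo "password change in future:   $(future_change "$SHADOW" "$(today_days)")"
}

report
```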

oval:org.secpod.oval:def:71986
Ensure firewalld service is enabled and running

oval:org.secpod.oval:def:71975
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:72039
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.

oval:org.secpod.oval:def:507593
The pesign packages provide the pesign utility for signing UEFI binaries as well as other associated tools. Security Fix: * pesign: Local privilege escalation on pesign systemd service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:507240
KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Security Fix: * libksba: integer overflow may lead to remote code execution For more details about the security issue, including the i ...

oval:org.secpod.oval:def:507238
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:503568
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.6.0. Security Fix: * Mozilla: Use-after-free when removing data about origins * Mozilla: BodyStream::OnInputStreamReady was missing protections against state confusion * Mozilla: Use-after ...

oval:org.secpod.oval:def:55768
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:55905
The /etc/gshadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:55777
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:55787
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:55862
The /etc/shadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:55859
The /etc/passwd file should be owned by the appropriate group.

oval:org.secpod.oval:def:55871
This test makes sure that '/etc/passwd' has proper permissions. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:55866
The /etc/gshadow file should be owned by the appropriate group.

oval:org.secpod.oval:def:55863
The SELinux state should be enforcing the local policy.

oval:org.secpod.oval:def:55869
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:55880
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:55884
The /etc/group file should be owned by the appropriate group.

oval:org.secpod.oval:def:55874
The /etc/group file should be owned by the appropriate user.

oval:org.secpod.oval:def:55879
The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.

oval:org.secpod.oval:def:55890
The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met)

oval:org.secpod.oval:def:55887
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.

oval:org.secpod.oval:def:55805
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:55896
The password minimum length should be set appropriately.

oval:org.secpod.oval:def:55693
Record attempts to alter time through adjtimex.

oval:org.secpod.oval:def:507735
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: Information leakage in EAP-PWD * freeradius: Crash on unknown option in EAP-SIM ...

oval:org.secpod.oval:def:507287
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * podman: possible information disclosure and modification * buildah: possible information disclosure and modification For more details about the security issue, includin ...

oval:org.secpod.oval:def:507299
The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data. Security Fix: * protobuf: Incorrect parsing ...

oval:org.secpod.oval:def:507728
Wayland is a protocol for a compositor to talk to its clients, as well as a C library implementation of that protocol. The compositor can be a standalone display server running on Linux kernel modesetting and evdev input devices, an X application, or a wayland client itself. The clients can be tradi ...

oval:org.secpod.oval:def:61189
A microarchitectural timing flaw was found on some Intel processors. In a corner case, data in flight during the eviction process can end up in the fill buffers and is not properly cleared by the MDS mitigations. The fill buffer contents (which were expected to be blank) can be inferred using MDS ...

oval:org.secpod.oval:def:57647
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL ...

oval:org.secpod.oval:def:55733
The anacron service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55734
If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).

oval:org.secpod.oval:def:55731
Prelinking should be disabled (/etc/sysconfig/prelink).

oval:org.secpod.oval:def:55732
The kernel module usb-storage should be disabled.

oval:org.secpod.oval:def:55735
Users' SSH access should be limited appropriately.

oval:org.secpod.oval:def:55739
Avahi publishing should be disabled (/etc/avahi/avahi-daemon.conf).

oval:org.secpod.oval:def:55751
Postfix network listening should be disabled

oval:org.secpod.oval:def:55752
Protect against unnecessary release of information.

oval:org.secpod.oval:def:55750
The RPM package sendmail should be removed.

oval:org.secpod.oval:def:55743
The RPM package dhcpd should be removed.

oval:org.secpod.oval:def:55748
A remote chrony Server for time synchronization should be specified (and dependencies are met)

oval:org.secpod.oval:def:55749
Additional remote chrony servers should be specified in /etc/chrony.conf as appropriate.

oval:org.secpod.oval:def:55747
Logging (/etc/rsyslog.conf) should be configured appropriately.

oval:org.secpod.oval:def:55763
Insecure file locking should not be allowed in /etc/exports.

oval:org.secpod.oval:def:55760
The UID and GID for anonymous NFS connections should be specified in /etc/exports.

oval:org.secpod.oval:def:55755
The RPM package openldap-servers should be removed.

oval:org.secpod.oval:def:55754
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:55770
File uploads via vsftpd should be enabled or disabled as appropriate

oval:org.secpod.oval:def:55771
The RPM package httpd should be removed.

oval:org.secpod.oval:def:55766
Logging of vsftpd transactions should be enabled or disabled as appropriate

oval:org.secpod.oval:def:55767
A warning banner for all FTP users should be enabled or disabled as appropriate

oval:org.secpod.oval:def:55764
The RPM package bind should be removed.

oval:org.secpod.oval:def:55765
The RPM package vsftpd should be removed.

oval:org.secpod.oval:def:55769
Access for anonymous users should be restricted appropriately.

oval:org.secpod.oval:def:74459
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:55700
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.

oval:org.secpod.oval:def:55701
Record Events that Modify the System's Discretionary Access Controls - chmod. The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:74452
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

oval:org.secpod.oval:def:55704
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55705
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55702
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55703
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55708
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55709
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55706
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55707
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55711
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55712
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55710
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55715
Audit rules should capture information about session initiation.

oval:org.secpod.oval:def:74480
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:55716
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled

oval:org.secpod.oval:def:55713
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:55719
Audit actions taken by system administrators on the system.

oval:org.secpod.oval:def:55718
Audit rules that detect the mounting of filesystems should be enabled.

oval:org.secpod.oval:def:74466
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The /var/run/faillock directory maint ...
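The identity-file, sudoers-scope and login/logout entries above all ask for the same kind of audit rule: a `-w PATH -p wa -k KEY` watch that fires when the file is opened for writing or has its attributes changed. The script below is an added example and not SecPod's check; it parses an audit rules file and reports each required watch that is missing or too weak (for example `-p r` where `wa` is needed). The rule text is a constructed sample with deliberate gaps; the required list reflects the files named in the three entries, and the key names (identity, scope, logins) are conventional but assumed.

```shell
#!/bin/sh
# Added example (not SecPod's own check): verify that an auditd rule set carries
# write/attribute watches on the identity, sudoers and login/logout files.
# SAMPLE_RULES is a constructed sample; REQUIRED_WATCHES keys are assumed names.

# "PATH KEY" pairs the rules are expected to watch.
REQUIRED_WATCHES='
/etc/group identity
/etc/passwd identity
/etc/gshadow identity
/etc/shadow identity
/etc/security/opasswd identity
/etc/sudoers scope
/etc/sudoers.d scope
/var/log/faillog logins
/var/log/lastlog logins
/var/run/faillock logins
'

# Constructed rules file: /etc/shadow is only watched for reads, and
# opasswd, sudoers.d and faillog have no watch at all.
SAMPLE_RULES='
# identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p r -k identity
# scope
-w /etc/sudoers -p wa -k scope
# logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
'

# watch_perms RULES PATH -> the -p argument of the -w rule for PATH (empty if none)
watch_perms() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "-w" && $2 == p {
            for (i = 3; i < NF; i++) if ($i == "-p") { print $(i + 1); exit }
        }'
}

# perms_cover PERMS -> 0 if PERMS includes both w (write) and a (attribute change)
perms_cover() {
    case "$1" in
        *w*a*|*a*w*) return 0 ;;
        *)           return 1 ;;
    esac
}

# missing_watches RULES -> one "PATH reason" line per required watch absent or too weak
missing_watches() {
    rules=$1
    printf '%s\n' "$REQUIRED_WATCHES" | while read -r path key; do
        [ -n "$path" ] || continue
        perms=$(watch_perms "$rules" "$path")
        if [ -z "$perms" ]; then
            echo "$path no -w rule (expected -w $path -p wa -k $key)"
        elif ! perms_cover "$perms"; then
            echo "$path watched with -p $perms, expected wa"
        fi
    done
}

missing_watches "$SAMPLE_RULES"
```

On a live host, feed it the loaded rules rather than the files on disk, `missing_watches "$(auditctl -l)"`, since a rule that exists in /etc/audit/rules.d but failed to load protects nothing.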

oval:org.secpod.oval:def:55722
The RPM package rsh-server should be removed.

oval:org.secpod.oval:def:74473
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

oval:org.secpod.oval:def:55720
The audit configuration should be made immutable, so that a reboot is required to change audit rules.

oval:org.secpod.oval:def:55721
The RPM package xinetd should be removed.

oval:org.secpod.oval:def:55727
The RPM package ypserv should be removed.

oval:org.secpod.oval:def:55728
The RPM package tftp-server should be removed.

oval:org.secpod.oval:def:55902
The /etc/passwd file should be owned by the appropriate user.

oval:org.secpod.oval:def:55903
The password ocredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55900
The password retry should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55901
The SELinux policy should be set appropriately.

oval:org.secpod.oval:def:55906
This test makes sure that '/etc/gshadow' has appropriate permissions set. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:55907
The password dcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55908
The RPM package telnet-server should be removed.

oval:org.secpod.oval:def:74438
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ...

oval:org.secpod.oval:def:74431
Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:55910
Audit files deletion events.

oval:org.secpod.oval:def:55911
The system login banner text should be set correctly.

oval:org.secpod.oval:def:55912
SSH warning banner should be enabled (and dependencies are met).

oval:org.secpod.oval:def:55795
SSL capabilities should be enabled for the mail server.

oval:org.secpod.oval:def:55796
Dovecot plaintext authentication of clients should be enabled or disabled as necessary

oval:org.secpod.oval:def:55793
The RPM package dovecot should be removed.

oval:org.secpod.oval:def:55794
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:55789
The mod_security package installation should be configured appropriately.

oval:org.secpod.oval:def:55799
Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing.

oval:org.secpod.oval:def:55797
Dovecot should be configured to use the SSL key file.

oval:org.secpod.oval:def:55798
Plaintext authentication of mail clients should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55861
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:55860
The RPM package aide should be installed.

oval:org.secpod.oval:def:55854
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:55855
The password warning age should be set appropriately.

oval:org.secpod.oval:def:55852
The kernel module bluetooth should be disabled.

oval:org.secpod.oval:def:55858
The password difok should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55856
The SSH idle timeout interval should be set to an appropriate value.

oval:org.secpod.oval:def:55857
The password minclass should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55872
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:55873
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:55865
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:55868
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:55883
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:55876
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:55877
PermitUserEnvironment should be disabled

oval:org.secpod.oval:def:55875
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:55878
The password ucredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55891
The maximum number of concurrent login sessions per user should meet minimum requirements.

oval:org.secpod.oval:def:55894
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:55895
The password lcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:55892
This test makes sure that '/etc/shadow' file permissions are set as appropriate. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:55893
The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.

oval:org.secpod.oval:def:55888
The password hashing algorithm should be set correctly in /etc/libuser.conf.

oval:org.secpod.oval:def:55885
Only SSH protocol version 2 connections should be permitted.
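The sshd entries above (CTR-only ciphers, ClientAliveCountMax, no empty-password logins, no rsh emulation, PermitUserEnvironment off, no root login, a warning banner, protocol 2, no host-based trust) are all keyword checks on sshd_config. The script below is an added example, not SecPod's check; it reads the first value of each keyword (which is the value sshd itself uses when a keyword is repeated), flags settings that differ from the expected ones, and lists any cipher outside the CTR allow-list. The config text is a constructed sample mixing compliant and non-compliant lines; the approved cipher list and the ClientAliveInterval/ClientAliveCountMax ranges are assumptions, since the page only says "appropriate value".

```shell
#!/bin/sh
# Added example (not SecPod's own check): audit an sshd_config against the SSH
# settings listed on this page. SAMPLE_SSHD_CONFIG is a constructed sample;
# APPROVED_CIPHERS and the numeric ranges are assumed, not taken from the page.

SAMPLE_SSHD_CONFIG='
# constructed sample: first PermitRootLogin wins, and the cipher list has a CBC entry
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
ClientAliveInterval 300
ClientAliveCountMax 3
Ciphers aes256-ctr,aes128-ctr,aes128-cbc
Banner /etc/issue.net
PermitRootLogin no
'

# sshd_value CONFIG KEYWORD -> first value set for KEYWORD (keywords are case-insensitive)
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == k     { print $2; exit }'
}

# sshd_expect CONFIG KEYWORD WANT -> 0 if the first value equals WANT (case-insensitive)
sshd_expect() {
    got=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# sshd_within CONFIG KEYWORD MIN MAX -> 0 if the first value is an integer in [MIN, MAX]
sshd_within() {
    v=$(sshd_value "$1" "$2")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$3" ] && [ "$v" -le "$4" ]
}

# Assumed allow-list: the AES counter-mode ciphers.
APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr"

# bad_ciphers CONFIG -> each configured cipher that is not in APPROVED_CIPHERS
bad_ciphers() {
    for c in $(sshd_value "$1" Ciphers | tr ',' ' '); do
        case " $APPROVED_CIPHERS " in
            *" $c "*) ;;
            *) echo "$c" ;;
        esac
    done
}

# audit_sshd CONFIG -> one "KEYWORD got=X want=Y" line per failing setting
audit_sshd() {
    cfg=$1
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                PermitUserEnvironment=no HostbasedAuthentication=no IgnoreRhosts=yes; do
        key=${pair%%=*} want=${pair#*=}
        sshd_expect "$cfg" "$key" "$want" ||
            echo "$key got=$(sshd_value "$cfg" "$key") want=$want"
    done
    sshd_within "$cfg" ClientAliveInterval 1 900 ||     # assumed range
        echo "ClientAliveInterval got=$(sshd_value "$cfg" ClientAliveInterval) want=1..900"
    sshd_within "$cfg" ClientAliveCountMax 0 3 ||       # assumed range
        echo "ClientAliveCountMax got=$(sshd_value "$cfg" ClientAliveCountMax) want=0..3"
    for c in $(bad_ciphers "$cfg"); do echo "Ciphers got=$c want=CTR-only"; done
    [ -n "$(sshd_value "$cfg" Banner)" ] || echo "Banner got= want=a banner file"
}

audit_sshd "$SAMPLE_SSHD_CONFIG"
```

On a host, prefer `audit_sshd "$(sshd -T)"` over reading the file: `sshd -T` prints the effective configuration after Include files and Match blocks are resolved, which is what clients actually negotiate.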

oval:org.secpod.oval:def:55810
The RPM package tftp should be installed.

oval:org.secpod.oval:def:55811
The squashfs Kernel Module should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55814
The kernel module udf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55812
The RPM package talk-server should be installed.

oval:org.secpod.oval:def:55813
The RPM package talk should be installed.

oval:org.secpod.oval:def:55818
The kernel runtime parameter "fs.suid_dumpable" should be set to "0".

oval:org.secpod.oval:def:55819
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:55816
The daemon umask should be set as appropriate

oval:org.secpod.oval:def:55817
Core dumps for all users should be disabled

oval:org.secpod.oval:def:55820
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ...

oval:org.secpod.oval:def:55825
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:55826
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

oval:org.secpod.oval:def:55824
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:55829
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:55828
Set Password to Maximum of Three Consecutive Repeating Characters should be configured appropriately.

oval:org.secpod.oval:def:55832
The default umask for all users should be set correctly

oval:org.secpod.oval:def:55833
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:55830
The default umask for users of the bash shell

oval:org.secpod.oval:def:55831
The default umask for users of the csh shell

oval:org.secpod.oval:def:55837
The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".

oval:org.secpod.oval:def:55835
The RPM package tmux should be installed.

oval:org.secpod.oval:def:55838
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:55839
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:55850
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:55851
The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".

oval:org.secpod.oval:def:55843
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:55844
The Kernel Parameter for Accepting Source-Routed Packets By Default and all interfaces should be enabled or disabled as appropriate

oval:org.secpod.oval:def:55841
The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:55842
The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:55847
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:55848
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:55845
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:55846
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:55849
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:55800
The RPM package squid should be removed.

oval:org.secpod.oval:def:55804
Ensure Default Password Is Not Used (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:55801
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:55802
The RPM package net-snmp should be removed.

oval:org.secpod.oval:def:55807
The RPM package mcstrans should be installed.

oval:org.secpod.oval:def:55808
The RPM package rsh should be installed.

oval:org.secpod.oval:def:55806
The RPM package setroubleshoot should be installed.

oval:org.secpod.oval:def:55809
The RPM package ypbind should be installed.

oval:org.secpod.oval:def:71977
Ensure iptables packages are installed

oval:org.secpod.oval:def:55698
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

oval:org.secpod.oval:def:55898
The '/etc/shadow' file should be owned by the appropriate group.

oval:org.secpod.oval:def:55899
The audit rules should be configured to log information about kernel module loading and unloading.

oval:org.secpod.oval:def:55897
The password hashing algorithm should be set correctly in /etc/login.defs.

oval:org.secpod.oval:def:55674
IP forwarding should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55675
The kernel module rds should be disabled.

oval:org.secpod.oval:def:55672
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:55673
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:55667
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:55668
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:55665
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:55681
The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55682
The rsyslog to Accept Messages via UDP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:55680
rsyslogd should reject remote messages

oval:org.secpod.oval:def:55683
The logrotate (syslog rotater) service should be enabled.

oval:org.secpod.oval:def:55678
The RPM package rsyslog should be installed.

oval:org.secpod.oval:def:55679
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:55676
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:55677
The RPM package libreswan should be installed.

oval:org.secpod.oval:def:55692
action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account

oval:org.secpod.oval:def:55690
space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:55691
admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:55696
Record attempts to alter time through clock_settime.

oval:org.secpod.oval:def:55697
Record attempts to alter time through /etc/localtime

oval:org.secpod.oval:def:55694
Record attempts to alter time through settimeofday.

oval:org.secpod.oval:def:55689
max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:55687
num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:55688
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:507541
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:506296
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:507539
The python-setuptools package provides a collection of enhancements to Python distribution utilities allowing convenient building and distribution of Python packages. Security Fix: * pypa-setuptools: Regular Expression Denial of Service in package_index.py For more details about the security issue ...

oval:org.secpod.oval:def:507409
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Security Fix: * Mozilla: Service Workers might have learned size of cross-origin media files * Mozilla: Fullscreen notification bypass * Mozilla: Use-after-free in InputStream implem ...

oval:org.secpod.oval:def:507413
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Security Fix: * Mozilla: Service Workers might have learned size of cross-origin media files * Mozilla: Fullscreen notification bypass ...

oval:org.secpod.oval:def:506961
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.10.0 ESR. Security Fix: * Mozilla: Cross-Origin resource's length leaked * Mozilla: Heap buffer overflow in WebGL * Mozilla: Browser window spo ...

oval:org.secpod.oval:def:506980
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Security Fix: * Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email * Mozilla: Cross-Origin resource's length leaked * Mozilla: He ...

oval:org.secpod.oval:def:507742
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: processing large delegations may severely degrade resolver perform ...

oval:org.secpod.oval:def:507756
Mako is a template library written in Python. It provides a familiar, non-XML syntax which compiles into Python modules for maximum performance. Security Fix: * mako: REDoS in Lexer class For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...

oval:org.secpod.oval:def:507123
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix: * rsy ...

oval:org.secpod.oval:def:507149
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb, galera. Security Fix: * mariadb: MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_int use-after-fre ...

oval:org.secpod.oval:def:507303
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * golang: net/http/httputil: panic due to racy read of persistConn after handler panic * cri-o: memory exhaustion on the node when access to the kube api * golang: crash ...

oval:org.secpod.oval:def:507262
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * cri-o: memory exhaustion on the node when access to the kube api * golang: crash in a golang.org/x/crypto/ssh server * runc: incorrect handling of inheritable capabilit ...

oval:org.secpod.oval:def:506574
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type For more details about the security issue, including the imp ...

oval:org.secpod.oval:def:506501
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:504721
The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can capture and display the packet headers on a particular network interface or on all interfaces. The following packages have been upgraded to a later upstream version: tcpdump. Security Fix: * tc ...

oval:org.secpod.oval:def:506435
Qt is a software toolkit for developing applications. The following packages have been upgraded to a later upstream version: adwaita-qt, python-qt5, qgnomeplatform, qt5, qt5-qt3d, qt5-qtbase, qt5-qtconnectivity, qt5-qtdeclarative, qt5-qtdoc, qt5-qtgraphicaleffects, qt5-qtimageformats, qt5 ...

oval:org.secpod.oval:def:507246
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Security Fix: * Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * Mozilla: Matrix SDK bundled with Thunderbird vu ...

oval:org.secpod.oval:def:507537
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be ...

oval:org.secpod.oval:def:86310
Netlogon RPC Elevation of Privilege Vulnerability.

oval:org.secpod.oval:def:507726
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba. Se ...

oval:org.secpod.oval:def:504752
Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix: * qt: XML entity expansion vulnerability * qt5-qtwebsockets: websocket implementation allows only limited size for frames and messages therefore ...

oval:org.secpod.oval:def:507340
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. Security Fix: * e2fsprogs: out-of-bounds read/write via crafted filesystem For more details about the security issue, including the impact, a CVSS score, ack ...

oval:org.secpod.oval:def:85678
A vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to c ...

oval:org.secpod.oval:def:507420
Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ...

oval:org.secpod.oval:def:506028
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.10.0 ESR. Security Fix: * Mozilla: Out of bound write due to lazy initialization * Mozilla: Use-after-free in Responsive Design Mode * Mozilla: ...

oval:org.secpod.oval:def:506030
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.10.0. Security Fix: * Mozilla: Out of bound write due to lazy initialization * Mozilla: Use-after-free in Responsive Design Mode * Mozilla: More internal network hosts could have been prob ...

oval:org.secpod.oval:def:507494
X.Org X11 libXpm runtime library. Security Fix: * libXpm: compression commands depend on $PATH * libXpm: Runaway loop on width of 0 and enormous height * libXpm: Infinite loop on unclosed comments For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ...

oval:org.secpod.oval:def:504754
FreeRDP is a free implementation of the Remote Desktop Protocol, released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The vinagre packages provide the Vinagre remote desktop viewer for the GNOME desktop. The foll ...

oval:org.secpod.oval:def:507790
The c-ares C library defines asynchronous DNS requests and provides name resolving API. Security Fix: * c-ares: 0-byte UDP payload Denial of Service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ...

oval:org.secpod.oval:def:507928
The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix: * cups: Information leak through Cups-Get-Document operation For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507874
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fix: * cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag pr ...

oval:org.secpod.oval:def:507908
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.121 and .NET Runtime 6.0.21. Securit ...

oval:org.secpod.oval:def:507910
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.110 and .NET Runtime 7.0.10. Securit ...

oval:org.secpod.oval:def:502735
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:507736
The gssntlmssp is a GSSAPI NTLM mechanism that allows to perform NTLM authentication in GSSAPI programs. Security Fix: * gssntlmssp: multiple out-of-bounds read when decoding NTLM fields * gssntlmssp: memory corruption when decoding UTF16 strings * gssntlmssp: incorrect free when decoding target i ...

oval:org.secpod.oval:def:507760
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:507632
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:507716
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:58412
A flaw was found in samba when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside of the share.

oval:org.secpod.oval:def:503320
Pango is a library for laying out and rendering of text, with an emphasis on internationalization. Pango forms the core of text and font handling for the GTK+ widget toolkit. Security Fix: * pango: pango_log2vis_get_embedding_levels heap-based buffer overflow For more details about the security iss ...

oval:org.secpod.oval:def:503323
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: * squid: heap-based buffer overflow in HttpHeader::getAuth For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:507921
The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. Security Fix: * subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus interface allows local users to modify configur ...

oval:org.secpod.oval:def:504746
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c * libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c * libxml2: infinite loop in xmlStringLenDecodeEntitie ...

oval:org.secpod.oval:def:504388
GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * evince: uninitialized memory use in function tiff_document_render and tiff_document_get_thumbnail * gvfs: improper authorization in daemon/gvfsdaemon.c in gvfsd For more details about the security issue, includin ...

oval:org.secpod.oval:def:504691
libxslt is a library for transforming XML files into other textual formats using the standard XSLT stylesheet transformation mechanism. Security Fix: * libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL * libxslt: use after free in xsltCopyText in transform.c could l ...

oval:org.secpod.oval:def:507746
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: multipathd: insecure handling of files in /dev/shm leading to symlink attack For more details about the security issue, includi ...

oval:org.secpod.oval:def:507342
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:507242
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket For more details about the se ...

oval:org.secpod.oval:def:507295
The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * dnsmasq: Heap use after free in dhcp6_no_relay For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page li ...

oval:org.secpod.oval:def:507306
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions ...

oval:org.secpod.oval:def:78329
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

oval:org.secpod.oval:def:506807
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Infinite loop in BN_mod_sqrt reachable when parsing certificates For more details about the security issu ...

oval:org.secpod.oval:def:507719
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix: * frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service For more details about the sec ...

oval:org.secpod.oval:def:502702
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. SQLAlchemy is an Ob ...

oval:org.secpod.oval:def:502736
The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures. Security Fix: * pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc * p ...

oval:org.secpod.oval:def:503171
Vim is an updated and improved version of the vi editor. Security Fix: * vim/neovim: ":source!" command allows arbitrary command execution via modelines For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE p ...

oval:org.secpod.oval:def:502707
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrec ...

oval:org.secpod.oval:def:502690
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:502692
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ...

oval:org.secpod.oval:def:502655
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.1 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DO ...

oval:org.secpod.oval:def:502689
The wget packages provide the GNU Wget file retrieval utility for HTTP, HTTPS, and FTP protocols. Security Fix: * wget: do_conversion heap-based buffer overflow vulnerability For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informatio ...

oval:org.secpod.oval:def:503169
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.7.2. Security Fix: * Mozilla: Type confusion in Array.pop * thunderbird: Stack buffer overflow in icalrecur_add_bydayrules in icalrecur.c * Mozilla: Sandbox escape using Prompt:Open * thu ...

oval:org.secpod.oval:def:502708
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: Limiting simultaneous TCP clients is ineffective For more details ...

oval:org.secpod.oval:def:503310
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or ...

oval:org.secpod.oval:def:59044
A flaw was found in the way sudo implemented running commands with arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.

oval:org.secpod.oval:def:503311
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: -dSAFER escape via .buildfont1 For more details about the security issue, ...

oval:org.secpod.oval:def:503318
Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * subversion: NULL pointer dereference in svnserve leading to an unauthenticated ...

oval:org.secpod.oval:def:503322
The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator * ghostsc ...

oval:org.secpod.oval:def:58236
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on ...

oval:org.secpod.oval:def:504373
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu For more details about the security issue, including the impact, a CVSS score, acknowledgments, a ...

oval:org.secpod.oval:def:503315
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs. The following packages have been upgraded to a later upstream version: mysql. Security Fix: * mysql: Server: Replication multiple unspecified vulnerabilities * mysql ...

oval:org.secpod.oval:def:504275
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.12.0. Security Fix: * Mozilla: Attacker-induced prompt for extension installation * Mozilla: Use-After-Free when aborting an operation For more details about the security issue, including ...

oval:org.secpod.oval:def:504290
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 78.3.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3 * Mozilla: XSS when pasting attacker-controlled da ...

oval:org.secpod.oval:def:502653
The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: authentication bypass in ECP flow ...

oval:org.secpod.oval:def:507748
Xwayland is an X server for running X clients under Wayland. Security Fix: * xorg-x11-server: buffer overflow in _GetCountedString in xkb/xkb.c * xorg-x11-server: XkbGetKbdByName use-after-free * xorg-x11-server: XTestSwapFakeInput stack overflow * xorg-x11-server: XIPassiveUngrab out-of-bounds a ...

oval:org.secpod.oval:def:507750
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507526
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507713
X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: buffer overflow in _GetCountedString in xkb/xkb.c * xorg-x11-server: XkbGetKbdByName use-after ...

oval:org.secpod.oval:def:507283
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: Denial of Service via crafted TIFF file * libtiff: Null source pointer lead to Denial of Service via crafted TIFF file * libtiff: reachable assertion * libtiff: Out-of-bo ...

oval:org.secpod.oval:def:507840
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.13.0 ESR. Security Fix: * Mozilla: Use-after-free in WebRTC certificate generation * Mozilla: Potential use-after-free from compartment mismatc ...

oval:org.secpod.oval:def:507845
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.13.0. Security Fix: * Mozilla: Use-after-free in WebRTC certificate generation * Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey * Mozilla: Memory safety bugs ...

oval:org.secpod.oval:def:507311
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime 7.0.0 RC 2 ...

oval:org.secpod.oval:def:507155
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.109 and .NET Runtime 6.0.9. Security ...

oval:org.secpod.oval:def:507153
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.423 and .NET Runtime 3.1.29. Securit ...

oval:org.secpod.oval:def:506993
Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * subversion: Subversion's mod_dav_svn is vulnerable to memory corruption For mo ...

oval:org.secpod.oval:def:507335
Flatpak-builder is a tool for building flatpaks from sources. Security Fix: * flatpak: flatpak-builder --mirror-screenshots-url can access files outside the build directory For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507594
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: Extension scripts replace objects not belonging to the extension. * postgresql: Client memory disclosure when connecting with Kerberos to modified server For more details about the security issue, ...

oval:org.secpod.oval:def:95283
[1.13.0-9.1] - Resolves: RHEL-11931 - Buffer Underwrite in ares_inet_net_pton [rhel-8.9.0.z] [1.13.0-9] - Resolves: rhbz#2238293 - CVE-2020-22217 c-ares: read-heap-buffer-overflow in ares_parse_soa_reply [rhel-8] [rhel-8.9.0.z]

oval:org.secpod.oval:def:507835
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * c-ares: 0-byte UDP payload Denial of Service * c-ares: Buffer Underwrite in ares_inet_net_pton * c-ares: Insufficient randomness in generation of D ...

oval:org.secpod.oval:def:507890
D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: dbus-daemon: assertion failure when a monitor is active and a message from the driver cannot be delivered F ...

oval:org.secpod.oval:def:506298
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 2.1.525 and .NET Core Run ...

oval:org.secpod.oval:def:506297
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address security vulnerabilities are now available. The updated versions are .NET SDK 3.1.118 and .NET Runtime 3.1.18. Securit ...

oval:org.secpod.oval:def:506299
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address security vulnerabilities are now available. The updated versions are .NET SDK 5.0.206 and .NET Runtime 5.0.9. Security ...

oval:org.secpod.oval:def:506163
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.203 and .NET Runtime 5.0.6. Security ...

oval:org.secpod.oval:def:506167
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 3.1.115 and .NET Core Run ...

oval:org.secpod.oval:def:507309
The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. The following packages have been upgraded to a later upstream version: libldb. Security Fix: * samba: AD users can induce a use-after-free in the server pro ...

oval:org.secpod.oval:def:507902
Libcap is a library for getting and setting POSIX.1e draft 15 capabilities. Security Fix: * libcap: Integer Overflow in _libcap_strdup * libcap: Memory Leak on pthread_create Error For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related in ...

oval:org.secpod.oval:def:507909
Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. Security Fix: * rust-cargo: cargo does not respect the umask when extracting dependencies For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:507727
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Security Fix: * emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux For more details about the sec ...

oval:org.secpod.oval:def:507755
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: processing large delegations may severely degrade resolver perform ...

oval:org.secpod.oval:def:507789
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.107 and .NET Runtime 7.0.7. The foll ...

oval:org.secpod.oval:def:507841
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. The following packages have been upgraded to a later upstream version: dotnet7.0. Security Fix: * dotnet: race condition in Core SignInManager<TUser> Pass ...

oval:org.secpod.oval:def:507844
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. The following packages have been upgraded to a later upstream version: dotnet6.0. Security Fix: * dotnet: race condition in Core SignInManager<TUser> Pass ...

oval:org.secpod.oval:def:96273
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var.

oval:org.secpod.oval:def:96264
Journald will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.

oval:org.secpod.oval:def:96239
The usrquota mount option allows for the filesystem to have disk quotas configured. Rationale: To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up th ...

oval:org.secpod.oval:def:96248
While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have b ...

oval:org.secpod.oval:def:96238
The grpquota mount option allows for the filesystem to have disk quotas configured. Rationale: To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up th ...

oval:org.secpod.oval:def:96235
An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

oval:org.secpod.oval:def:95290
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.5.0 ESR. Security Fix(es): * Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204) * Mozilla: Use-after-free in MessageP ...

oval:org.secpod.oval:def:95296
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.5.0. Security Fix(es): * Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204) * Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205) * Mozilla: Clickja ...

oval:org.secpod.oval:def:507834
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * c-ares: 0-byte UDP payload Denial of Service * c-ares: buffer overflow in config_sortlist due to missing string length check * c-ares: Buffer Under ...

oval:org.secpod.oval:def:504731
LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...

oval:org.secpod.oval:def:507292
Yet Another JSON Library is a small event-driven JSON parser written in ANSI C and a small validating JSON generator. Security Fix: * yajl: heap-based buffer overflow when handling large inputs due to an integer overflow For more details about the security issue, including the impact, a CVSS scor ...

oval:org.secpod.oval:def:504694
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. The following packages have been upgraded to a later upstream version: bind. Security ...

oval:org.secpod.oval:def:507759
FreeRDP is a free implementation of the Remote Desktop Protocol, released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: clients using `/parallel` command line switch might read uninitialize ...

oval:org.secpod.oval:def:507739
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ...

oval:org.secpod.oval:def:507331
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: P ...

oval:org.secpod.oval:def:55886
The RPM package telnet should not be installed.

oval:org.secpod.oval:def:503830
The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. The shim package contains a first-stage ...

oval:org.secpod.oval:def:507296
XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC over the Internet. It converts an RPC into an XML document, sends it to a remote server u ...

oval:org.secpod.oval:def:507341
The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform application framework. The following packages have been upgraded to a later upstream version: qt5. Security Fix: * qt: QProcess could execute a binary from the current working directory when not found in the PATH For more ...

oval:org.secpod.oval:def:507310
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: DNS forwarders - cache poisoning vulnerability For more details a ...

oval:org.secpod.oval:def:507337
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: DNS forwarders - cache poisoning vulnerability * bind: DoS from s ...

oval:org.secpod.oval:def:506289
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs. Security Fix: * nodejs-hosted-git-info: Regular Expression denial of service via sho ...

oval:org.secpod.oval:def:506293
libuv is a multi-platform support library with a focus on asynchronous I/O. Security Fix: * libuv: out-of-bounds read in uv__idna_toascii can lead to information disclosures or crashes For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:507224
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql. Security Fix: * mysql: Server: DML multiple unspecified vulnerabilities * mysql: ...

oval:org.secpod.oval:def:76612
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

oval:org.secpod.oval:def:76611
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery ...

oval:org.secpod.oval:def:507546
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_dav: out-of-bounds read/write of zero byte * httpd: mod_proxy_ajp: Possible request smuggling * httpd: mod_proxy: HTTP response splitting For more details about the secu ...

oval:org.secpod.oval:def:503422
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_auth_digest: access control bypass due to race condition * httpd: URL normalization inconsistency For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:81884
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the c_rehash script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically e ...

oval:org.secpod.oval:def:504725
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. The following packages have been upgraded to a later upstream version: mod_http2. Security Fix: * httpd: memory corruption on early pushes * httpd: read-after-free in h2 connection shutdown * htt ...

oval:org.secpod.oval:def:507892
The python-requests package contains a library designed to make HTTP requests easy for developers. Security Fix: * python-requests: Unintended leak of Proxy-Authorization header For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ...

oval:org.secpod.oval:def:507268
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_sed: Read/write beyond bounds * httpd: mod_lua: Use of uninitialized value of in r:parsebody * httpd: core: Possible buffer overflow with very large or unlimited LimitXML ...

oval:org.secpod.oval:def:502656
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: privilege escalation from modules scripts * httpd: mod_ssl: access control bypass when using per-location client certification authentication For more details about the secur ...

oval:org.secpod.oval:def:506804
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: Errors encountered during the discarding of request body lead to HTTP request smuggling For more details about the security issue, including the impact, a CVSS score, acknowle ...

oval:org.secpod.oval:def:502706
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Font layout engine out of bounds access setCurrGlyphID * OpenJDK: Slow conversion of BigDecimal to long * OpenJDK: Incorrect skeleton selection ...

oval:org.secpod.oval:def:504758
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:503413
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: Stack buffer overflow with corrupted BMP * edk2: Buffer overflows in PartitionDxe and UdfDxe with long file names and invalid UDF media For mor ...

oval:org.secpod.oval:def:502658
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * edk2: Buffer Overflow in BlockIo service for RAM disk For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:505927
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP35. Security Fix: * IBM JDK: buffer overflow in jio_snprintf and jio_vsnprintf * IBM JDK: missing null check when accelerating Unsafe call ...

oval:org.secpod.oval:def:507867
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: SMB2 packet signing is not enforced when server signing = r ...

oval:org.secpod.oval:def:503412
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. The following packages have been upgraded to a later upstream version: openssl. Security Fix: * openssl: timing side channel atta ...

oval:org.secpod.oval:def:86995
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affecte ...

oval:org.secpod.oval:def:507487
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * sudo: arbitrary file write with privileges of th ...

oval:org.secpod.oval:def:507592
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fix: * gnutls: timing side-channel in the TLS RSA key exchange code For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:87850
A vulnerability was found in Git. Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (CVE-2022-39253), the objects d ...

oval:org.secpod.oval:def:87851
A vulnerability was found in Git. This security issue occurs when feeding a crafted input to "git apply." A path outside the working tree can be overwritten by the user running "git apply."

oval:org.secpod.oval:def:503508
The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Security Fix: * grub2: grub2-set-bootfla ...

oval:org.secpod.oval:def:508215
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.6.0 ESR. Security Fix: Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver Mozilla: Memory safety bu ...

oval:org.secpod.oval:def:508218
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.6.0. Security Fix: Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and T ...

oval:org.secpod.oval:def:95285
The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Security Fix(es): * open-vm-tools: SAML token signature bypass (CVE-2023-34058) ...

oval:org.secpod.oval:def:87671
A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be c ...

oval:org.secpod.oval:def:87672
A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and ...

oval:org.secpod.oval:def:87669
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages fo ...

oval:org.secpod.oval:def:507305
X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Xwayland is an X server for running X clients under Wayland. Security Fix: * xorg-x11-server: X.Org Server ProcXkbSetGeometry ou ...

oval:org.secpod.oval:def:506478
GNOME is the default desktop environment of Red Hat Enterprise Linux. The following packages have been upgraded to a later upstream version: gdm, webkit2gtk3. Security Fix: * webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution * LibRaw: Stack buffer over ...

oval:org.secpod.oval:def:503651
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.6.1 ESR. Security Fix: * Mozilla: Use-after-free while running the nsDocShell destructor * Mozilla: Use-after-free when handling a ReadableStrea ...

oval:org.secpod.oval:def:97889
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: HTTP request smuggling via malformed trailer headers For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ref ...

oval:org.secpod.oval:def:507773
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ...

oval:org.secpod.oval:def:504737
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for My ...

oval:org.secpod.oval:def:504738
pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index. pip is a recursive acronym that can stand for either Pip Installs Packages or Pip Installs Python. Security Fix: * python-pip: directory travers ...

oval:org.secpod.oval:def:504724
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a later upstream version: squid. Security Fix: * squid: Improper input validation in request allows for proxy manipulation * squid: Off-by- ...

oval:org.secpod.oval:def:508216
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507899
Iperf is a tool which can measure maximum TCP bandwidth and tune various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, and data-gram loss. Security Fix: * iperf3: memory allocation hazard and crash For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:507885
TODO: add package description This update upgrades Firefox to version 102.14.0 ESR. Security Fix: * Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions * Mozilla: Incorrect value used during WASM compilation * Mozilla: Potential permissions request bypass via clickjacking * Mo ...

oval:org.secpod.oval:def:507889
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Security Fix: * Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions * Mozilla: Incorrect value used during WASM compilation * Mozilla: Potential permissions requ ...

oval:org.secpod.oval:def:506026
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Incomplete enforcement of JAR signing disabled algorithms For more details about the security issue, including the impact, a CVSS score, acknowled ...

oval:org.secpod.oval:def:506024
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Incomplete enforcement of JAR signing disabled algorithms For more details about the security issue, including the impact, a CVSS score, acknowle ...

oval:org.secpod.oval:def:505925
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP15. Security Fix: * OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS * OpenJDK: Bypass of boundary checks in nio.Buffer via concur ...

oval:org.secpod.oval:def:505930
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP20. Security Fix: * OpenJDK: Incomplete check for invalid characters in URI to path conversion * OpenJDK: High memory usage during deseri ...

oval:org.secpod.oval:def:95281
buildah [1:1.24.6-7] - rebuild for CVE-2023-29406 - Related: #2176055 cockpit-podman [46-1] - update to https://github.com/cockpit-project/cockpit-podman/releases/tag/46 - Related: #2061390 conmon [2:2.1.4-2] - update to https://github.com/containers/conmon/releases/tag/v2.1.4 - Related: #2176055 co ...

oval:org.secpod.oval:def:504709
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: net: bluetooth: heap buffer overflow when processing extended advertising report events * kernel: Red Hat only CVE-2020-12351 regression * kernel: Red Hat only CVE-2020-12352 regression F ...

oval:org.secpod.oval:def:503841
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 68.11.0. Security Fix: * chromium-browser: Use after free in ANGLE * chromium-browser: Inappropriate implementation in WebRTC * Mozilla: Potential leak of redirect targets when loading script ...

oval:org.secpod.oval:def:504756
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4 * chromium-browser: Use after free in WebRTC For more details about the security issue, including ...

oval:org.secpod.oval:def:504783
FreeType is a free, high-quality, portable font engine that can open and manage font files. FreeType loads, hints, and renders individual glyphs efficiently. Security Fix: * freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png For more details about the security issue, in ...

oval:org.secpod.oval:def:507715
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * openssl: X.400 address type confusion in X.509 GeneralName * openssl: timing attack in RSA Decryption implementation * openssl: double free after cal ...

oval:org.secpod.oval:def:507580
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: X.400 address type confusion in X.509 GeneralName * openssl: timing attack in RSA Decryption implementati ...

oval:org.secpod.oval:def:506460
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507744
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fix: * golang: net/http: handle server errors after sending GOAWAY For more details abo ...

oval:org.secpod.oval:def:507509
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: regex ...

oval:org.secpod.oval:def:507754
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB OpenTSDB. Security Fix: * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: net/http: handle server errors after sending GOAWAY * grafana: using email ...

oval:org.secpod.oval:def:507307
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: io ...

oval:org.secpod.oval:def:507338
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * cri-o: memory exhaustion on the node when access to the kube api * golang: go/parser: stack exhaus ...

oval:org.secpod.oval:def:507234
Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fix: * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension * golang.org/x ...

oval:org.secpod.oval:def:507269
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fix: * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service For ...

oval:org.secpod.oval:def:507298
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB OpenTSDB. The following packages have been upgraded to a later upstream version: grafana. Security Fix: * sanitize-url: XSS due to improper sanitization in sanitizeUrl function * golang: net/http: im ...

oval:org.secpod.oval:def:97883
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fix: gnutls: timing side-channel in the RSA-PSK authentication For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:509032
The libmaxminddb package contains the MaxMind DB library. Security Fix: libmaxminddb: improper initialization in dump_entry_data_list in maxminddb.c For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page l ...

oval:org.secpod.oval:def:509014
The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can capture and display the packet headers on a particular network interface or on all interfaces. Security Fix: tcpslice: use-after-free in extract_slice For more details about the security issue, ...

oval:org.secpod.oval:def:509020
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: runc: file descriptor leak For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE ...

oval:org.secpod.oval:def:509030
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: runc: file descriptor leak A Red Hat Security Bulletin which addresses further details about the Leaky Vessels flaw is available in the References section. golang: net/ht ...

oval:org.secpod.oval:def:509070
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.7.0. Security Fix: Mozilla: Out of bounds write in ANGLE Mozilla: Failure to update user input timestamp Mozilla: Crash when listing printers on Linux Mozilla: Bypass of Content Security ...

oval:org.secpod.oval:def:509069
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR8-FP15. Security Fix: IBM JDK: Eclipse OpenJ9 JVM denial of service OpenJDK: IOR deserialization issue in CORBA OpenJDK: certificate path va ...

oval:org.secpod.oval:def:509072
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.8.0 ESR. Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site ...

oval:org.secpod.oval:def:507304
FreeType is a free, high-quality, portable font engine that can open and manage font files. FreeType loads, hints, and renders individual glyphs efficiently. Security Fix: * FreeType: Buffer overflow in sfnt_init_face * FreeType: Segmentation violation via FNT_Size_Request * Freetype: Segmentation ...

oval:org.secpod.oval:def:507807
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.118 and .NET Runtime 6.0.18. The fol ...

oval:org.secpod.oval:def:509105
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: pytho ...

oval:org.secpod.oval:def:509097
The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities. Security Fix: python-urllib3: Cookie request header isn't stripped during cross-origin redirects urllib3: Request body not stripped after redirect from 303 status changes request method to GE ...

oval:org.secpod.oval:def:509093
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: Open Redirect vulnerability in FORM authentication tomcat: FileUpload: DoS due to accumulation of temporary files on Windows tomcat: improper cleaning of recycled objects could lead ...

oval:org.secpod.oval:def:509086
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:509114
The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix: python-certifi: Removal of e-Tugra root certificate python-urllib3: Cookie ...

oval:org.secpod.oval:def:509107
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: golang: net/http/internal: Denial of Service via Resource Consumption via HTTP requests golang: cmd/go: Protocol Fallback when fetching modules For more details about the securi ...

oval:org.secpod.oval:def:509102
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: openssl: Excessive time spent checking DH keys and parameters For more details about the security issue, including the impact, a CVSS score, acknowledgm ...

oval:org.secpod.oval:def:509084
Oniguruma is a regular expressions library that supports a variety of character encodings. Security Fix: oniguruma: Use-after-free in onig_new_deluxe in regext.c oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c oniguruma: integer overflow in search_in_range function in r ...

oval:org.secpod.oval:def:509116
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. Security Fix: mysql: InnoDB unspecified vulnerability mysql: Server: DDL unspecified vulnerability mysql: Server: Optimizer unspecified vulnerability mysql ...

oval:org.secpod.oval:def:509096
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.8.0. Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site Mozilla: Memory safety bugs fixed in Firefox 123 ...

oval:org.secpod.oval:def:509098
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: golang: archive/tar: unbounded memory consumption when reading headers golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters golang: net ...

oval:org.secpod.oval:def:509077
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:509039
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.7.0 ESR. Security Fix: Mozilla: Out of bounds write in ANGLE Mozilla: Failure to update user input timestamp Mozilla: Crash when listing print ...

oval:org.secpod.oval:def:509052
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:509036
The RPM Package Manager is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Security Fix: rpm: TOCTOU race in checks for unsafe symlinks rpm: races with chown/chmod/capabilities calls during installation rpm: ...

oval:org.secpod.oval:def:509050
The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fix: gimp: PSD buffer overflow RCE gimp: psp off-by-on ...

oval:org.secpod.oval:def:509054
Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: Kerberos: delegation constrain bypass in S4U2Proxy ipa: Invalid CSRF protection For more details about the secur ...

oval:org.secpod.oval:def:509111
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: edk2: Buffer overflow in the DHCPv6 client via a long Server ID option edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise me ...

oval:org.secpod.oval:def:507758
The Apache Portable Runtime is a portability library used by the Apache HTTP Server and other projects. apr-util is a library which provides additional utility interfaces for APR; including support for XML parsing, LDAP, database interfaces, URI parsing, and more. Security Fix: * apr-util: out-of-b ...

oval:org.secpod.oval:def:505926
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP10. Security Fix: * OpenJDK: Improper handling of Kerberos proxy credentials * OpenJDK: Incorrect bounds checks in NIO Buffers * OpenJD ...

oval:org.secpod.oval:def:507513
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: improper restrictions in CORBA deserialization * OpenJDK: soundbank URL remote loading For more details about the security issue, including the ...

oval:org.secpod.oval:def:509115
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507893
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: schema_element defeats protective search_path changes * postgresql: row security policies disregard user ID changes after inlining. For more details about the security issue, including the impact, ...

oval:org.secpod.oval:def:507894
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: schema_element defeats protective search_path changes * postgresql: row security policies disregard user ID changes after inlining. For more details about the security issue, including the impact, ...

oval:org.secpod.oval:def:507903
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: schema_element defeats protective search_path changes * postgresql: row security policies disregard user ID changes after inlining. * postgresql: Client memory disclosure when connecting with Kerbe ...

oval:org.secpod.oval:def:509042
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:509046
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:509064
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507508
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Security Fix: * Mozilla: libusrsctp library out of date * Mozilla: Arbitrary file read from GTK drag and drop on Linux * Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ...

oval:org.secpod.oval:def:507573
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * nss: Arbitrary memory write via PKCS 12 For more details about the security issue, including the impact, a CVSS score, acknowledgme ...

oval:org.secpod.oval:def:507488
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.7.0 ESR. Security Fix: * Mozilla: libusrsctp library out of date * Mozilla: Arbitrary file read from GTK drag and drop on Linux * Mozilla: Mem ...

oval:org.secpod.oval:def:507771
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Security Fix: * Mozilla: Browser prompts could have been obscured by popups * Mozilla: Crash in RLBox Expat driver * Mozilla: Potential permissions request bypass via clickjacking ...

oval:org.secpod.oval:def:507770
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Security Fix: * Mozilla: Browser prompts could have been obscured by popups * Mozilla: Crash in RLBox Expat driver * Mozilla: Potent ...

oval:org.secpod.oval:def:507582
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.9.0. Security Fix: * Mozilla: Incorrect code generation during JIT compilation * Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 * Mozilla: Potential out-of-bounds ...

oval:org.secpod.oval:def:507797
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.12.0. Security Fix: * Mozilla: Click-jacking certificate exceptions through rendering lag * Mozilla: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12 For more details about ...

oval:org.secpod.oval:def:507578
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR. Security Fix: * Mozilla: Incorrect code generation during JIT compilation * Mozilla: Memory safety bugs fixed in Firefox 111 and Firef ...

oval:org.secpod.oval:def:507800
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.12.0 ESR. Security Fix: * Mozilla: Click-jacking certificate exceptions through rendering lag * Mozilla: Memory safety bugs fixed in Firefox 11 ...

oval:org.secpod.oval:def:507629
The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers ...

oval:org.secpod.oval:def:507608
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.10.0 ESR. Security Fix: * MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp * Mozilla: Fullscreen notification obscured * Mozilla: Potential ...

oval:org.secpod.oval:def:507612
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.10.0. Security Fix: * Thunderbird: Revocation status of S/Mime recipient certificates was not checked * Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack ...

oval:org.secpod.oval:def:95284
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * squid: Denial of Service in HTTP Digest Authentication (CVE-2023-46847) * squid: Request/Response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846)

oval:org.secpod.oval:def:509109
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures. Security Fix: OpenSC: Side-channel leaks while stripping encryption ...

oval:org.secpod.oval:def:509048
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fix: gnutls: incomplete fix for CVE-2023-5981 For more details about the security issue, including the impact, a CVSS score, acknowledg ...

oval:org.secpod.oval:def:507757
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c * libtiff: integer overflow in function TIFFReadRGBATileExt of the file For more details about the security issue, ...

oval:org.secpod.oval:def:509099
The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities. Security Fix: pillow: Arbitrary Code Execution via the environment parameter For more details about the ...

oval:org.secpod.oval:def:507896
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Security Fix: * nodejs: mainModule.proto bypass experimental policy mechanism * nodejs: process ...

oval:org.secpod.oval:def:507900
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Security Fix: * nodejs: mainModule.proto bypass experimental policy mechanism * nodejs: process ...

oval:org.secpod.oval:def:507751
PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fix: * postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permission ...

oval:org.secpod.oval:def:507709
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...

oval:org.secpod.oval:def:507826
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:506505
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:504780
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: Incorrect argument check can allow remote servers to overwrite local files For more details about the security issue, i ...

oval:org.secpod.oval:def:504698
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:504753
The pcre2 package contains a new generation of the Perl Compatible Regular Expression libraries for implementing regular expression pattern matching using the same syntax and semantics as Perl. Security Fix: * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode For more details abo ...

oval:org.secpod.oval:def:506285
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs. Security Fix: * nodejs-hosted-git-info: Regular Expression denial of service via sho ...

oval:org.secpod.oval:def:509151
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR8-FP15. Security Fix: For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ...

oval:org.secpod.oval:def:509161
LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...

oval:org.secpod.oval:def:507875
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: Remote code execution in ssh-agent PKCS#11 support For more details about the security ...

oval:org.secpod.oval:def:504705
GD is an open source code library for the dynamic creation of images by programmers. GD creates PNG, JPEG, GIF, WebP, XPM, BMP images, among other formats. Security Fix: * gd: Heap-based buffer overflow in gdImageColorMatch in gd_color_match.c * gd: NULL pointer dereference in gdImageClone * gd: D ...

oval:org.secpod.oval:def:507717
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:507761
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: Incorrect handling of control code characters in cookies * curl: Use-after-free triggered by an HTTP proxy deny respons ...

oval:org.secpod.oval:def:97885
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:509113
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: libxml2: crafted xml can cause global buffer overflow For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refe ...

oval:org.secpod.oval:def:507897
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: NULL dereference in xmlSchemaFixupComplexType * libxml2: Hashing of empty dict strings isn't deterministic For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:507285
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: Incorrect server side include parsing can lead to XSS For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related inform ...

oval:org.secpod.oval:def:507710
The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix: * binutils: NULL pointer dereferen ...

oval:org.secpod.oval:def:507226
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * a use-after-free in cls_route filter implementation may lead to privilege escalation For more details about the security issue, including the impac ...

oval:org.secpod.oval:def:507544
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: mm/mremap.c use-after-free vulnerability * kernel: nfsd buffer overflow by RPC message over TCP with garbage data For more details about t ...

oval:org.secpod.oval:def:507542
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: mm/mremap.c use-after-free vulnerability * kernel: nfsd buffer overflow by RPC message over TCP with garbage data * kernel: an out-of-bounds vulnerability in i2c-ismt driver For more deta ...

oval:org.secpod.oval:def:507148
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Incomplete cleanup of multi-core shared buffers * Incomplete cleanup of microarchitectural fill buffers * Incomplete cleanup in specific special register write operations For more details abou ...

oval:org.secpod.oval:def:507241
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A use-after-free in cls_route filter implementation may lead to privilege escalation * Information leak in scsi_ioctl * A kernel-info-leak issue in pfkey_register * RetBleed Arbitrary Speculative ...

oval:org.secpod.oval:def:507272
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * off-path attacker may inject data or terminate victim's TCP session.

oval:org.secpod.oval:def:507753
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following packa ...

oval:org.secpod.oval:def:507714
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for My ...

oval:org.secpod.oval:def:507737
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following packa ...

oval:org.secpod.oval:def:507301
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507543
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507792
Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. Security Fix: * python: urllib.parse url blocklisting bypass For mor ...

oval:org.secpod.oval:def:507147
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507801
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507809
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for My ...

oval:org.secpod.oval:def:507819
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507406
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507895
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: GSS delegation too eager connection re-use * curl: IDN wildcard match may lead to Improper Certificate Validation For m ...

oval:org.secpod.oval:def:507823
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507273
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507297
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. Security Fix: * python: mailcap: findmatch function does not sanitize the second argument . For more details about the security i ...

oval:org.secpod.oval:def:507336
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:506291
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:507453
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:507747
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: go/parser: stack exhaustion in all Parse* functions * golang: net/http: handle server erro ...

oval:org.secpod.oval:def:507712
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProxy should not forward unparseable qu ...

oval:org.secpod.oval:def:507725
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: go/parser: stack exhaustion in all Parse* functions * golang: net/http: handle server erro ...

oval:org.secpod.oval:def:507723
Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fix: * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: reg ...

oval:org.secpod.oval:def:507339
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs . Security Fix: * nodejs: weak randomness in WebCrypto keygen * nodejs: HTTP Request ...

oval:org.secpod.oval:def:507145
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * nodejs: DNS rebinding in --inspect via invalid IP addresses * nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding * nodejs: H ...

oval:org.secpod.oval:def:507151
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * nodejs-ansi-regex: Regular expression denial of service matching ANSI escape codes * nodejs: DNS rebinding in --inspect via invalid IP addresses * ...

oval:org.secpod.oval:def:507424
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs , nodejs-nodemon . Security Fix: * nodejs-minimatch: ReDoS via the braceExpand functio ...

oval:org.secpod.oval:def:507284
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * nodejs: Improper handling of URI Subject Alternative Names * nodejs: Certificate Verification Bypass via String Injection * nodejs: Incorrect handl ...

oval:org.secpod.oval:def:506571
The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix: * Developer environment: Unicode's ...

oval:org.secpod.oval:def:506592
LLVM Toolset provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis. Security Fix: * Developer environment: Unicode's bidirectional override characters can cause trojan source attacks The following ...

oval:org.secpod.oval:def:507743
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: FTP too eager connection reuse For more details about the security issue, including the impact, a CVSS score, acknowled ...

oval:org.secpod.oval:def:507724
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql . Security Fix: * mysql: Server: Security: Privileges unspecified vulnerability * ...

oval:org.secpod.oval:def:507130
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: HTTP compression denial of service * curl: FTP-KRB bad message verification For more details about the security issue, ...

oval:org.secpod.oval:def:507144
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby . Security Fix: * ruby: Regular expression denial of service vulnerabili ...

oval:org.secpod.oval:def:507150
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby . Security Fix: * ruby: Regular expression denial of service vulnerabili ...

oval:org.secpod.oval:def:507245
The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Security Fix: * zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field For more details about the security issue, includ ...

oval:org.secpod.oval:def:507266
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix: * zli ...

oval:org.secpod.oval:def:506286
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: race condition in net/can/bcm.c leads to local privilege escalation * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass R ...

oval:org.secpod.oval:def:506292
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: race condition in net/can/bcm.c leads to local privilege escalation * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks * kernel: out-of-bounds write in xt_comp ...

oval:org.secpod.oval:def:506335
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: powerpc: KVM guest OS users can cause host OS memory corruption For more details about the security issue, including the impact, a CVSS sco ...

oval:org.secpod.oval:def:506294
GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix: * glib: integer overflow in g_byt ...

oval:org.secpod.oval:def:506177
GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix: * glib: integer overflow in g_byt ...

oval:org.secpod.oval:def:504267
LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: websocket decoding buffer overflow For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer ...

oval:org.secpod.oval:def:504695
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix: * frr: default permission issue eases information leaks For more details about the security issue, including the impact, a CVSS sc ...

oval:org.secpod.oval:def:503831
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: lockdown: bypass through ACPI write via efivar_ssdt * kernel: lockdown: bypass through ACPI write via acpi_configfs For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:504689
The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System. Security Fix: * jquery: Cross-site scripting via cross-domain ajax requests * bootstrap: XSS in the data-target attribute * bootstrap: Cross-site Scripting in the collapse data-parent attribu ...

oval:org.secpod.oval:def:504711
Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. The following packages have been upgraded to a later upstream version: ipa , softhsm , opendnssec . Security Fix: * js-jquery: ...

oval:org.secpod.oval:def:504704
The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix: * cups: heap based buffer overflow in libcups's ppdFindOption in ppd-mark.c For more details about the security issue, including the impact, a CVSS score, acknowledgment ...

oval:org.secpod.oval:def:504755
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use after free in the video driver leads to local privilege escalation * kernel: use-after-free in drivers/bluetooth/hci_ldisc.c * kernel: out-of-bounds access in function hclge_tm_schd_mo ...

oval:org.secpod.oval:def:503452
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * hw: Machine Check Error on Page Size Change * hw: TSX Transaction Asynchronous Abort 4. Solution: Before applying this update, make sure all pre ...

oval:org.secpod.oval:def:503649
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: powerpc: local user can read vector registers of other users' processes via a Facility Unavailable exception * kernel: powerpc: local user can read vector registers of other users' processe ...

oval:org.secpod.oval:def:503515
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: heap overflow in mwifiex_update_vs_ie function of Marvell WiFi driver * kernel: heap-based buffer overflow in mwifiex_process_country_ie function in drivers/net/wireless/marvell/mwifiex/sta ...

oval:org.secpod.oval:def:503137
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An integer overflow flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment segments. While processing SACK segments, the Linux kernel's socket buff ...

oval:org.secpod.oval:def:502714
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtua ...

oval:org.secpod.oval:def:502727
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw was found in the implementation of the "fill buffer", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that woul ...

oval:org.secpod.oval:def:503309
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: broken permission and object lifetime handling for PTRACE_TRACEME * kernel: hw: Spectre SWAPGS gadget vulnerability For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:503379
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: privilege escalation due to insecure logrotate configuration For more details a ...

oval:org.secpod.oval:def:504735
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: eap-pwd: DoS issues due to multithreaded BN_CTX access For more details about t ...

oval:org.secpod.oval:def:507128
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: * php: uninitialized array in pg_query_params leading to RCE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to th ...

oval:org.secpod.oval:def:507308
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php . Security Fix: * php: Use after free due to php_filter_float failing for ints * php: Uninitialized array in pg_query_params leading to R ...

oval:org.secpod.oval:def:507332
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php , php-pear . Security Fix: * php: Special character breaks path in xml parsing * php: Use after free due to php_filter_float failing for ...

oval:org.secpod.oval:def:502709
The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix: * python-jinja2: str.format_map allows sandbox escape For more details about the ...

oval:org.secpod.oval:def:503132
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * Mozilla: Cross-origin theft of images with createImageBitmap * Mozilla: Stealing of cross-domain ...

oval:org.secpod.oval:def:503187
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Side-channel attack risks in Elliptic Curve cryptography * OpenJDK: Insufficient checks of suppressed exceptions in deserialization * OpenJDK: ...

oval:org.secpod.oval:def:503189
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Side-channel attack risks in Elliptic Curve cryptography * OpenJDK: Insufficient checks of suppressed exceptions in deserialization * OpenJDK: ...

oval:org.secpod.oval:def:502731
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 * Mozilla: Cross-origin theft of images with creat ...

oval:org.secpod.oval:def:503427
The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities. Security Fix: * python-urllib3: CRLF injection due to not encoding the "\r\n" sequence leading to possible attack on internal service * python-urllib3: Certification mishandle when error shou ...

oval:org.secpod.oval:def:503400
The numpy packages provide NumPY. NumPY is an extension to the Python programming language, which adds support for large, multi-dimensional arrays and matrices, and a library of mathematical functions that operate on such arrays. Security Fix: * numpy: crafted serialized object passed in numpy.load ...

oval:org.secpod.oval:def:504402
Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. Security Fix: * numpy: crafted serialized object passed in numpy.load in pickle python module allows arbitrary code execution * ...

oval:org.secpod.oval:def:505924
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix: * IBM JDK: Out-of-bounds access in the String.getBytes method * IBM JDK: Failure to privatize a value pulled out of the ...

oval:org.secpod.oval:def:503394
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:58206
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent ...

oval:org.secpod.oval:def:58207
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time ...

oval:org.secpod.oval:def:58202
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to ...

oval:org.secpod.oval:def:58203
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory ...

oval:org.secpod.oval:def:58204
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

oval:org.secpod.oval:def:58205
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STRE ...

oval:org.secpod.oval:def:503421
The http-parser package provides a utility for parsing HTTP messages. It parses both requests and responses. The parser is designed to be used in performance HTTP applications. It does not make any system calls or allocations, it does not buffer data, and it can be interrupted at any time. Depending ...

oval:org.secpod.oval:def:504779
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:504710
Expat is a C library for parsing XML documents. Security Fix: * expat: large number of colons in input makes parser consume high amount of resources, leading to DoS * expat: heap-based buffer over-read via crafted XML input For more details about the security issue, including the impact, a CVSS sc ...

oval:org.secpod.oval:def:503328
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 68.1.0 ESR. Security Fix: * Mozilla: Sandbox escape through Firefox Sync * Mozilla: Memory safety bugs fixed in Firefox 69 and Firefox ESR 68.1 * ...

oval:org.secpod.oval:def:503339
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.9.0. Security Fix: * Mozilla: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message * Mozilla: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1, a ...

oval:org.secpod.oval:def:502688
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. This package provid ...

oval:org.secpod.oval:def:504751
The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: array overflow in backtrace ...

oval:org.secpod.oval:def:95280
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.114 and .NET Runtime 7.0.14. Securit ...

oval:org.secpod.oval:def:95294
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.125 and .NET Runtime 6.0.25. Securit ...

oval:org.secpod.oval:def:509027
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.102 and .NET Runtime 8.0.2. Security ...

oval:org.secpod.oval:def:509081
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27. Securit ...

oval:org.secpod.oval:def:509059
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16. Securit ...

oval:org.secpod.oval:def:72028
Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

oval:org.secpod.oval:def:96267
Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ...

oval:org.secpod.oval:def:96249
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:96251
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:96260
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.

oval:org.secpod.oval:def:96263
X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays. Rationale: XDMCP is inherently insecure. 1. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a ...

oval:org.secpod.oval:def:96269
The systemd-coredump configuration file should be configured properly.

oval:org.secpod.oval:def:96272
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.

oval:org.secpod.oval:def:96270
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log/audit.

oval:org.secpod.oval:def:96258
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var.

oval:org.secpod.oval:def:96256
By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it ...

oval:org.secpod.oval:def:96255
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls whether a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorized ...

oval:org.secpod.oval:def:96242
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:96268
Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. Rationale: If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary.

oval:org.secpod.oval:def:96266
Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ...

oval:org.secpod.oval:def:96245
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:96244
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:96252
The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.

oval:org.secpod.oval:def:96265
Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated. Rationale: By keeping the log ...

oval:org.secpod.oval:def:96243
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:96240
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who ...

oval:org.secpod.oval:def:96271
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.

oval:org.secpod.oval:def:96246
sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events wr ...

oval:org.secpod.oval:def:96254
The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It ...

oval:org.secpod.oval:def:96259
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.

oval:org.secpod.oval:def:96261
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/log.

oval:org.secpod.oval:def:96236
Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command i ...

oval:org.secpod.oval:def:96237
The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins. If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.

oval:org.secpod.oval:def:96241
Ensure that the systemd-journald service is enabled to allow capturing of logging events. If the systemd-journald service is not enabled to start on boot, the system will not capture logging events.

oval:org.secpod.oval:def:96250
Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies.

oval:org.secpod.oval:def:96253
The contents of the file /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.

oval:org.secpod.oval:def:96257
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log.

oval:org.secpod.oval:def:96262
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var.

oval:org.secpod.oval:def:509035
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.115 and .NET Runtime 7.0.15. Securit ...

oval:org.secpod.oval:def:509047
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.101 and .NET Runtime 8.0.1. Security ...

oval:org.secpod.oval:def:509053
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.126 and .NET Runtime 6.0.26. Securit ...

oval:org.secpod.oval:def:96247
Without cryptographic integrity protections, information can be altered by unauthorized users in ways that cannot be detected. The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

oval:org.secpod.oval:def:508208
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: squid: Denial of Service in SSL Certificate validation squid: NULL pointer dereference in the gopher protocol code squid: Buffer over-read in the HTTP Message processing f ...

oval:org.secpod.oval:def:509103
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources For more details about the security issue, including the i ...

oval:org.secpod.oval:def:507734
The kernel packages contain the Linux kernel, the core of any Linux operating system. The following packages have been upgraded to a later upstream version: kernel . Security Fix: * use-after-free caused by l2cap_reassemble_sdu in net/bluetooth/l2cap_core.c * net/ulp: use-after-free in listening U ...

oval:org.secpod.oval:def:507595
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack overflow in do_proc_dointvec and proc_skip_spaces * ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF * kernel: FUSE filesystem low-privileged user privileges escala ...

oval:org.secpod.oval:def:507907
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c * kernel: tcindex: use-after-free vulnerability in traffic control index filter allows privilege escal ...

oval:org.secpod.oval:def:507596
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: stack overflow in do_proc_dointvec and proc_skip_spaces * ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF * kernel: FUS ...

oval:org.secpod.oval:def:507904
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c * kernel: tcindex: use-after-free vulnerability in t ...

oval:org.secpod.oval:def:509162
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks nodejs: vulnerable to timing variant of the Bleichenbacher ...

oval:org.secpod.oval:def:506461
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:506488
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:506735
Expat is a C library for parsing XML documents. Security Fix: * expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution * expat: Namespace-separator characters in xmlns[:prefix] attribute values can lead to arbitrary code execution * expat: Integer overflow in storeRawN ...

oval:org.secpod.oval:def:87668
A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp ca ...

oval:org.secpod.oval:def:509060
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Bug Fix and Enhancement: CVE-2023-28487 sudo: Sudo does not esca ...

oval:org.secpod.oval:def:95300
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744) kernel: net/sched: multiple vulnerabilities (CVE-2023-3609, CVE-2023-3611, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023- ...

oval:org.secpod.oval:def:99513
A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.

oval:org.secpod.oval:def:509066
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: kernel: net/sched: sch_hfsc UAF kernel: use-after-free in sch_qfq network scheduler kernel: IGB driver inadequate buffer size for frames larger than ...

oval:org.secpod.oval:def:509040
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJD ...

oval:org.secpod.oval:def:509057
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJDK ...

oval:org.secpod.oval:def:509063
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: incorrect handling of ZIP files with duplicate entries OpenJDK: RSA ...

oval:org.secpod.oval:def:509068
The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJDK ...

oval:org.secpod.oval:def:509091
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: kernel: net/sched: sch_hfsc UAF kernel: use-after-free in sch_qfq network scheduler kernel: inactive elements in nft_pipapo_walk kernel: IGB driver inadequate buffer size for frames larger than MTU ...

oval:org.secpod.oval:def:509159
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.9.0. Security Fix: nss: timing attack against RSA decryption Mozilla: Crash in NSS TLS method Mozilla: Leaking of encrypted email subjects to other conversations Mozilla: JIT code failed ...

oval:org.secpod.oval:def:509157
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.9.1 ESR. Security Fix: nss: timing attack against RSA decryption Mozilla: Crash in NSS TLS method Mozilla: JIT code failed to save return regi ...

oval:org.secpod.oval:def:509031
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: nss: vulnerable to Minerva side-channel information leak For more details about the security issue, including the impact, a CVSS scor ...

oval:org.secpod.oval:def:509034
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: ssh: Prefix truncation attack on Binary Packet Protocol openssh: potential command injection via ...

oval:org.secpod.oval:def:509043
libssh is a library which implements the SSH protocol. It can be used to implement client and server applications. Security Fix: ssh: Prefix truncation attack on Binary Packet Protocol For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:504769
GNOME is the default desktop environment of Red Hat Enterprise Linux. The following packages have been upgraded to a later upstream version: gnome-remote-desktop , pipewire , vte291 , webkit2gtk3 , xdg-desktop-portal , xdg-desktop-portal-gtk . Security Fix: * webkitgtk: Multiple security issues * ...

oval:org.secpod.oval:def:507722
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * WebKitGTK: Regression of CVE-2023-28205 fixes in the Red Hat Enterprise Linux For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related info ...

oval:org.secpod.oval:def:507547
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * webkitgtk: processing maliciously crafted web content may be exploited for arbitrary code execution For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:507615
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * WebKitGTK: use-after-free leads to arbitrary code execution For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ...

oval:org.secpod.oval:def:507745
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php . Security Fix: * XKCP: buffer overflow in the SHA-3 reference implementation * php: standard insecure cookie could be treated as a "__Hos ...

oval:org.secpod.oval:def:507536
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php . Security Fix: * XKCP: buffer overflow in the SHA-3 reference implementation * php: standard insecure cookie could be treated as a `__Ho ...

oval:org.secpod.oval:def:97853
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete syste ...

oval:org.secpod.oval:def:95292
Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: smbd allows client access to unix domain soc ...

oval:org.secpod.oval:def:97882
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix: frr: Flowspec overflow in bgpd/bgp_flowspec.c frr: Out of bounds read in bgpd/bgp_label.c frr: crash from specially crafted MP_UN ...

oval:org.secpod.oval:def:507749
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: crypto/tls: large handshake records may cause panics * golang: net/http, mime/multipart: denial of service from excessive resource consumption For more details about th ...

oval:org.secpod.oval:def:507775
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: html/template: improper handling of JavaScript whitespace For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...

oval:org.secpod.oval:def:95287
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) * nodejs: permission model impr ...

oval:org.secpod.oval:def:93991
An update for the nginx:1.22 module is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93992
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93990
An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93995
An update for grafana is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93996
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93993
An update for nghttp2 is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93994
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93988
An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:93989
An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8.

oval:org.secpod.oval:def:507738
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * webkitgtk: use-after-free issue leading to arbitrary code execution * webkitgtk: memory corruption issue leading to arbitrary code execution * webkitgtk: memory corruption issue leading to arbitr ...

oval:org.secpod.oval:def:507229
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: server memory information leak via SMB1 For more details a ...

oval:org.secpod.oval:def:506337
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: powerpc: KVM guest OS users can cause host OS memory corruption * kernel: slab-out-of-bounds access in xdr_set_page_base in net/sunrpc/xdr.c For more details about the security issue, incl ...

oval:org.secpod.oval:def:503399
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: nfs: use-after-free in svc_process_common * Kernel: vhost_net: infinite loop while receiving packets leads to DoS * Kernel: page cache side channel attacks * hardware: bluetooth: BR/EDR e ...

*CPE
cpe:/o:redhat:enterprise_linux:8
XCCDF    2
xccdf_org.secpod_benchmark_SecPod_RHEL_8
xccdf_org.secpod_benchmark_general_RHEL_8

© SecPod Technologies