
oval:org.secpod.oval:def:506972
PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: postgresql. Security Fix: * postgresql: Autovacuum, REINDEX, and others omit security restricted operation sandbox For more details about the security iss ...

oval:org.secpod.oval:def:506971
The gzip packages contain the gzip data compression utility. gzip is used to compress regular files. It replaces them with files containing the .gz extension, while retaining ownership modes, access, and modification times. Security Fix: * gzip: arbitrary-file-write vulnerability For more details ...

oval:org.secpod.oval:def:506976
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.1 ESR. Security Fix: * Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution * Mozilla: Prototype pollut ...

oval:org.secpod.oval:def:506992
XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short. Security Fix: * gzip: arbitrary-file-wr ...

oval:org.secpod.oval:def:507347
The dpdk packages provide the Data Plane Development Kit, which is a set of libraries and drivers for fast packet processing in the user space. Security Fix: * dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs * DPDK: out-of-bounds read/write in vhost_user_set_i ...

oval:org.secpod.oval:def:507353
The logrotate utility simplifies the administration of multiple log files by allowing their automatic rotation, compression, removal, and mailing. Security Fix: * logrotate: potential DoS from unprivileged users via the state file For more details about the security issue, including the impact, a C ...

oval:org.secpod.oval:def:507479
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. Security Fix: * usb ...

oval:org.secpod.oval:def:507476
PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fix: * postgresql: SQL Injection in ResultSet.refreshRow with malicious column names For more details about ...

oval:org.secpod.oval:def:507359
Ignition is a utility used to manipulate systems during the initramfs. This includes partitioning disks, formatting partitions, writing files, and configuring users. On first boot, Ignition reads its configuration from a source of truth and applies the configuration. The following packages have be ...

oval:org.secpod.oval:def:507360
Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or ...

oval:org.secpod.oval:def:507365
FLAC stands for Free Lossless Audio Codec. FLAC is similar to Ogg Vorbis, but lossless. The FLAC project consists of the stream format, reference encoders and decoders in library form, a command-line program to encode and decode FLAC files, and a command-line metadata editor for FLAC files. Security ...

oval:org.secpod.oval:def:507125
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.13.0. Security Fix: * Mozilla: Address bar spoofing via XSLT error handling * Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions * Mozilla: Memory safety bu ...

oval:org.secpod.oval:def:507250
The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix: * lua: heap buffer overflow in luaG_errormsg in ldebug.c due to uncontrolled recursion in ...

oval:org.secpod.oval:def:507371
SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs. Security Fix: * swtpm: Unchecked header size indicator against expected size For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ...

oval:org.secpod.oval:def:507370
Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. Security Fix: * keylime: exception handling and impedance match in tornado_requests For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507132
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.13.0 ESR. Security Fix: * Mozilla: Address bar spoofing via XSLT error handling * Mozilla: Cross-origin XSLT Documents would have inherited the ...

oval:org.secpod.oval:def:507373
Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * poppler: A logic error in the Hints::Hints function can cause denial of service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507257
The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System. Security Fix: * pki-core: access to external entities when parsing XML can lead to XXE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other ...

oval:org.secpod.oval:def:86915
The systemd-coredump configuration file should be configured properly.

oval:org.secpod.oval:def:86909
The system login banner text should be set correctly for remote login users.

oval:org.secpod.oval:def:86908
The system login banner text should be set correctly.

oval:org.secpod.oval:def:507140
The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. Security Fix: * open-vm-tools: local root privilege escalation in the virtual ma ...

oval:org.secpod.oval:def:507380
Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: buffer overflow in uudecoder function For more details about the security issue, ...

oval:org.secpod.oval:def:507396
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix: * containers/storage: DoS via malicious image * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inp ...

oval:org.secpod.oval:def:507395
WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Security Fix: * wavpack: Heap out-of-bounds read in WavpackPackSamples For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:507163
The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gpg: Signature spoofing via status line injection For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ot ...

oval:org.secpod.oval:def:507161
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. The following packages have been upgraded to a later upstream version: webkit2gtk3 . Security Fix: * webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution For more details abo ...

oval:org.secpod.oval:def:506965
Red Hat Enterprise Linux 9 is installed

oval:org.secpod.oval:def:506967
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.1. Security Fix: * Mozilla: Untrusted input used in JavaScript object indexing, leading to prototype pollution * Mozilla: Prototype pollution in Top-Level Await implementation For more d ...

oval:org.secpod.oval:def:507374
The libguestfs packages contain a library used for accessing and modifying virtual machine disk images. Security Fix: * libguestfs: Buffer overflow in get_keys leads to DoS For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507386
guestfs-tools is a set of tools that can be used to make batch configuration changes to guests, get disk used/free statistics, perform backups and guest clones, change registry/UUID/hostname info, build guests from scratch, and much more. Security Fix: * libguestfs: Buffer overflow in get_keys leads ...

oval:org.secpod.oval:def:507385
The virt-v2v package provides a tool for converting virtual machines to use the KVM hypervisor or Red Hat Enterprise Virtualization. The tool modifies both the virtual machine image and its associated libvirt metadata. Also, virt-v2v can configure a guest to use VirtIO drivers if possible. Security ...

oval:org.secpod.oval:def:507349
OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * openjpeg: segmentation fault in opj2_decompress due to uninitialized pointer For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related i ...

oval:org.secpod.oval:def:507557
The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix: * lua: use after free allows Sandbox Escape * lua: stack overflow in lua_resume of ldo.c ...

oval:org.secpod.oval:def:86907
The contents of the /etc/issue file are displayed to users prior to login for local terminals.

oval:org.secpod.oval:def:507418
Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. Security Fix: * varnish: Request Forgery Vulnerability For more details about the security issue, ...

oval:org.secpod.oval:def:507470
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * LibTiff: DoS from Divide By Zero Error * libtiff: Double free or corruption in rotateImage function at tiffcrop.c * libtiff: tiffcrop: heap-buffer-overflow in extractImageSection i ...

oval:org.secpod.oval:def:507383
The runC tool is a lightweight, portable implementation of the Open Container Format that provides container runtime. Security Fix: * runc: incorrect handling of inheritable capabilities For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relat ...

oval:org.secpod.oval:def:507352
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. The following packages have been upgraded to a later upstream version: unbound . Security Fix: * unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain ...

oval:org.secpod.oval:def:507357
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:84227
Ensure ip6tables is enabled and running

oval:org.secpod.oval:def:84204
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setgid" files. Executing files from untrusted file systems increases the opportunity for unprivil ...

oval:org.secpod.oval:def:84267
If any users' home directories do not exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate.

oval:org.secpod.oval:def:84244
Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ...

oval:org.secpod.oval:def:84248
All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

oval:org.secpod.oval:def:84240
iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

oval:org.secpod.oval:def:84229
The dovecot service should be disabled if possible.

oval:org.secpod.oval:def:84213
The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.

oval:org.secpod.oval:def:84274
chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to synchronize system clocks across a variety of systems using a highly accurate time source. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a ...

oval:org.secpod.oval:def:84241
Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters. Rationale: SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden.

oval:org.secpod.oval:def:84287
Verify that Shared Library Files Have Root Ownership (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:84290
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84260
Ensure mounting of FAT filesystems is limited

oval:org.secpod.oval:def:84297
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:84238
The Common Unix Printing System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.

oval:org.secpod.oval:def:84228
Ensure cron daemon is enabled and running

oval:org.secpod.oval:def:84254
The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems, which could pose a risk to those systems.

oval:org.secpod.oval:def:84258
The requirement for a password to boot into single-user mode should be configured correctly.

oval:org.secpod.oval:def:84239
Ensure LDAP Client is not installed

oval:org.secpod.oval:def:84252
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.

oval:org.secpod.oval:def:84247
Ensure users' home directories permissions are 750 or more restrictive

oval:org.secpod.oval:def:84210
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

oval:org.secpod.oval:def:84255
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ...

oval:org.secpod.oval:def:84246
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

oval:org.secpod.oval:def:84200
Disable Automounting

oval:org.secpod.oval:def:84256
The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add-ons. The X Window System is typically used on workstations where users log in, but not on servers where users typically do not log in.

oval:org.secpod.oval:def:84209
Since the /var/tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84224
Ensure iptables is enabled and running

oval:org.secpod.oval:def:84218
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:84251
Ensure sudo log file exists

oval:org.secpod.oval:def:84259
Ensure rsyslog default file permissions configured

oval:org.secpod.oval:def:84299
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

oval:org.secpod.oval:def:84249
The shadow group allows system programs that need it to read the /etc/shadow file. No users should be assigned to the shadow group.

oval:org.secpod.oval:def:84277
A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.

oval:org.secpod.oval:def:84280
The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.

oval:org.secpod.oval:def:84291
Ensure no duplicate group names exist

oval:org.secpod.oval:def:84272
TMOUT is a shell environment variable that sets the idle timeout of a shell in seconds.

oval:org.secpod.oval:def:84205
Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84293
Audit rules should detect modification to system files that hold information about users and groups.

oval:org.secpod.oval:def:84236
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84289
File permissions for /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin and /usr/local/sbin should be set correctly.

oval:org.secpod.oval:def:84298
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed login events. The file /var/log/lastlog maintains records of the last time a user successfully logged in. The /var/run/faillock directory maint ...

oval:org.secpod.oval:def:84275
Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters.

oval:org.secpod.oval:def:84263
Ensure auditd service is enabled and running

oval:org.secpod.oval:def:84203
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

oval:org.secpod.oval:def:84281
It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.

oval:org.secpod.oval:def:84294
Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84223
Ensure inactive password lock is 30 days or less

oval:org.secpod.oval:def:84201
SELinux adds an extra layer of security to the resources in the system. It provides mandatory access control (MAC), as opposed to discretionary access control (DAC).

oval:org.secpod.oval:def:84250
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.

oval:org.secpod.oval:def:84234
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84219
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

oval:org.secpod.oval:def:84233
The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to use ...

oval:org.secpod.oval:def:84220
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames and is the successor to iptables.

oval:org.secpod.oval:def:84269
auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk.

oval:org.secpod.oval:def:84286
Verify that Shared Library Files Have Restrictive Permissions (/lib, /lib64, /usr/lib or /usr/lib64) should be configured appropriately.

oval:org.secpod.oval:def:84271
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:84237
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84206
Since the /tmp partition is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:84214
There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

oval:org.secpod.oval:def:84222
Ensure journald is configured to write logfiles to persistent disk

oval:org.secpod.oval:def:84295
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (::1). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loopback net ...

oval:org.secpod.oval:def:84276
If a user's recorded password change date is in the future then they could bypass any set password expiration.

oval:org.secpod.oval:def:84262
Ensure mail transfer agent is configured for local-only mode

oval:org.secpod.oval:def:84282
The /etc/shadow- file is used to store backup information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84230
Ensure ntp is configured

oval:org.secpod.oval:def:84257
sudo can be configured to run only from a pseudo-pty

oval:org.secpod.oval:def:84285
Ensure no duplicate user names exist

oval:org.secpod.oval:def:84225
Ensure rsyslog Service is enabled and running

oval:org.secpod.oval:def:84217
Ensure iptables packages are installed

oval:org.secpod.oval:def:84231
Ensure no users have .forward files

oval:org.secpod.oval:def:84243
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ...

oval:org.secpod.oval:def:84278
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84300
Change the default policy to DROP (from ACCEPT) for the OUTPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84296
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Loopback traffic is generated between processes on the machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...
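The default-policy and loopback entries above (def:84294 through def:84300) describe a target ruleset without showing it. The following is an added example, not SecPod's content and not the OVAL definitions themselves: it writes that filter table as an iptables-restore(8) fragment and audits an iptables-save(8) dump for the same controls. The dumps it runs against are constructed samples; the SSH allow rule and the conntrack state rules are assumptions added so the ruleset stays usable, and the ::1/128 variant is the ip6tables counterpart.

```shell
#!/bin/sh
# Added example (not SecPod's): filter-table hardening as an iptables-restore
# fragment plus a checker for iptables-save output. Runs offline on the
# constructed dumps below; pass "iptables-save" output to audit a live host.

# filter_rules [LOOPBACK_NET]: DROP policy on every built-in chain, accept
# loopback traffic on lo only, and drop packets that claim a loopback source
# on any other interface. Use ::1/128 for the ip6tables ruleset.
filter_rules() {
  lo_net=${1:-127.0.0.0/8}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $lo_net -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# audit_filter FILE: print one line per missing control; return 1 if any.
audit_filter() {
  rc=0
  for chain in INPUT FORWARD OUTPUT; do
    grep -q "^:$chain DROP" "$1" || { echo "policy: $chain is not DROP"; rc=1; }
  done
  grep -q '^-A INPUT -i lo -j ACCEPT$' "$1" \
    || { echo "loopback: no INPUT accept on lo"; rc=1; }
  grep -q '^-A OUTPUT -o lo -j ACCEPT$' "$1" \
    || { echo "loopback: no OUTPUT accept on lo"; rc=1; }
  grep -Eq '^-A INPUT -s (127\.0\.0\.0/8|::1/128) -j DROP$' "$1" \
    || { echo "loopback: spoofed loopback source not dropped"; rc=1; }
  return $rc
}

WEAK=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT

# Constructed dump of a stock ruleset: ACCEPT policies, no loopback rules.
cat >"$WEAK" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
filter_rules >"$GOOD"

audit_filter "$WEAK" || echo "weak ruleset: findings above"
audit_filter "$GOOD" && echo "hardened ruleset: no findings"
```

Load the generated fragment with `iptables-restore < file` (or `ip6tables-restore` for the ::1/128 variant) and keep a console session open while doing so: with OUTPUT defaulting to DROP, a typo in the state rules locks out the host over the network.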

oval:org.secpod.oval:def:84221
Ensure journald is configured to send logs to rsyslog

oval:org.secpod.oval:def:84266
Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly managed.

oval:org.secpod.oval:def:84235
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

oval:org.secpod.oval:def:84207
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84216
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:84265
The file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

oval:org.secpod.oval:def:84208
Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

oval:org.secpod.oval:def:84273
Ensure default group for the root account is GID 0

oval:org.secpod.oval:def:84270
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:84242
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ...

oval:org.secpod.oval:def:84245
Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ...

oval:org.secpod.oval:def:84253
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user dot file permissions and determine the action to be taken in accordance with site po ...

oval:org.secpod.oval:def:84211
Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

oval:org.secpod.oval:def:84288
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

oval:org.secpod.oval:def:84284
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84202
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unau ...
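The nodev/nosuid/noexec entries above (def:84202 through def:84211, plus def:84212 for /home) each state one expected mount option. The following is an added example, not SecPod's content and not the OVAL definitions themselves: it checks those mountpoint/option pairs against a /proc/mounts-style snapshot and builds the corrected fstab(5) option string. The snapshot is a constructed sample; the list of mountpoints audited (including /dev/shm) follows the usual CIS layout and is an assumption about the host.

```shell
#!/bin/sh
# Added example (not SecPod's): mount-option audit over a constructed
# /proc/mounts snapshot. Pass /proc/mounts itself to audit a live host.

MOUNTS=$(mktemp)
trap 'rm -f "$MOUNTS"' EXIT

# Constructed sample: /tmp is hardened, /var/tmp lacks noexec, /home lacks
# nodev, and /dev/shm is not mounted separately at all.
cat >"$MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,relatime 0 0
EOF

# mount_opt FILE MOUNTPOINT OPTION -> "ok", "missing", or "absent" when the
# path is not its own mount (a separate partition is itself a control).
mount_opt() {
  awk -v mp="$2" -v opt="$3" '
    $2 == mp {
      found = 1
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == opt) { print "ok"; exit }
      print "missing"; exit
    }
    END { if (!found) print "absent" }' "$1"
}

# mount_audit FILE: print "MOUNTPOINT OPTION STATE" for each expected pair.
mount_audit() {
  f=$1
  for want in "/tmp nodev" "/tmp nosuid" "/tmp noexec" \
              "/var/tmp nodev" "/var/tmp nosuid" "/var/tmp noexec" \
              "/home nodev" \
              "/dev/shm nodev" "/dev/shm nosuid" "/dev/shm noexec"; do
    set -- $want
    printf '%s %s %s\n' "$1" "$2" "$(mount_opt "$f" "$1" "$2")"
  done
}

# harden_opts OPTS OPTION... -> OPTS with each missing option appended once,
# ready for the fourth field of the fstab(5) line (then "mount -o remount").
harden_opts() {
  opts=$1; shift
  for o in "$@"; do
    case ",$opts," in
      *",$o,"*) ;;
      *) opts="$opts,$o" ;;
    esac
  done
  printf '%s\n' "$opts"
}

mount_audit "$MOUNTS"
harden_opts rw,nosuid,relatime nodev nosuid noexec
```

The option match is exact on the comma-separated field, so `noexec` does not match `exec` and a remount that silently dropped an option shows up as `missing`; `absent` is reported separately because the fix there is a new partition or tmpfs entry, not an option edit.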

oval:org.secpod.oval:def:84212
The /home directory is used to support disk storage needs of local users.

oval:org.secpod.oval:def:84283
It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected. Other/world should not have the ability to view this information. Group should not have the ability to modify this information.

oval:org.secpod.oval:def:84261
Ensure use of privileged commands is collected
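The audit entries above (def:84245, def:84246, def:84293 and def:84298 for identity, scope and login files; def:84261 for privileged commands) name the files to watch but not the rules. The following is an added example, not SecPod's content and not the OVAL definitions themselves: it emits the corresponding auditd watch rules, generates one syscall rule per setuid/setgid binary from an inventory list, and checks an existing rules file for the watches. The partial rules file and the binary inventory are constructed samples; the UID_MIN of 1000 and the 4294967295 unset-auid value are assumptions matching common login.defs and auditd defaults.

```shell
#!/bin/sh
# Added example (not SecPod's): auditd rules for the listed controls and a
# checker for an existing rules file. Runs offline on constructed input; on a
# live host compare against /etc/audit/rules.d/*.rules or "auditctl -l".

# Watches on the files the listing names; "wa" fires on writes and on
# attribute (ownership/permission) changes.
watch_rules() {
  cat <<'EOF'
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
EOF
}

# privileged_rules LIST [UID_MIN]: one rule per setuid/setgid binary in LIST
# (one path per line). On a live host build LIST with
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -type f
# The auid filters skip system accounts and unset (4294967295) login UIDs.
privileged_rules() {
  uid_min=${2:-1000}
  while read -r bin; do
    [ -n "$bin" ] || continue
    printf '%s\n' "-a always,exit -F path=$bin -F perm=x -F auid>=$uid_min -F auid!=4294967295 -k privileged"
  done <"$1"
}

# audit_rules_check FILE: print each watch from watch_rules that FILE lacks
# (exact line match, so reordered flags count as missing); return 1 if any.
audit_rules_check() {
  missing=$(watch_rules | while read -r rule; do
    grep -qxF -- "$rule" "$1" || printf 'missing: %s\n' "$rule"
  done)
  [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

RULES=$(mktemp); SUID=$(mktemp)
trap 'rm -f "$RULES" "$SUID"' EXIT

# Constructed partial rules file: no opasswd watch and no faillock watch.
cat >"$RULES" <<'EOF'
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
EOF
# Constructed setuid inventory standing in for the find(1) output above.
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su >"$SUID"

audit_rules_check "$RULES" || echo "rules file incomplete"
privileged_rules "$SUID"
```

Write the generated lines to a file under /etc/audit/rules.d/ and run `augenrules --load`; the key names (identity, scope, logins, privileged) are what `ausearch -k` later filters on, so keep them stable across hosts.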

oval:org.secpod.oval:def:84232
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.

oval:org.secpod.oval:def:84292
Ensure root is the only UID 0 account

oval:org.secpod.oval:def:84264
All password hashes should be shadowed.
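The account-integrity entries above (def:84248, def:84264, def:84266, def:84276, def:84284/84290/84292, def:84285 and def:84291) each reduce to a one-line test over passwd(5), shadow(5) and group(5). The following is an added example, not SecPod's content and not the OVAL definitions themselves: it implements those tests as shell functions over constructed sample files so it runs offline and without root. Names such as "backdoor" and the file contents are constructed; `date +%s` is assumed available (GNU, BSD and busybox date all support it).

```shell
#!/bin/sh
# Added example (not SecPod's): account checks over constructed sample
# files. Point PASSWD/SHADOW/GROUP at /etc/passwd, /etc/shadow and /etc/group
# to audit a real host (reading /etc/shadow needs root).

PASSWD=$(mktemp); SHADOW=$(mktemp); GROUP=$(mktemp)
trap 'rm -f "$PASSWD" "$SHADOW" "$GROUP"' EXIT

# Constructed sample: "backdoor" is a second UID 0 account, "bob" is defined
# twice, "svc" keeps its hash in passwd(5), and "eve" has a primary GID that
# no group(5) entry defines.
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backdoor:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bob:x:1002:1001::/home/bob2:/bin/bash
svc:$6$salt$hash:1003:1003::/var/lib/svc:/sbin/nologin
eve:x:1004:4242::/home/eve:/bin/bash
EOF

# "alice" has a last-change day far in the future; "carol" has no password.
cat >"$SHADOW" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:99999:0:99999:7:::
bob:!:19000:0:99999:7:::
carol::19000:0:99999:7:::
EOF

cat >"$GROUP" <<'EOF'
root:x:0:
alice:x:1000:
bob:x:1001:
svc:x:1003:
EOF

# def:84284/84290/84292: any UID 0 account other than root.
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"; }

# def:84285/84291: duplicate user or group names in the given file.
dup_names() { cut -d: -f1 "$1" | sort | uniq -d; }

# def:84264: passwd(5) entries whose hash is not deferred to shadow(5).
unshadowed() { awk -F: '$2 != "x" { print $1 }' "$PASSWD"; }

# def:84248: shadow(5) entries with an empty hash, i.e. no password at all.
empty_passwords() { awk -F: '$2 == "" { print $1 }' "$SHADOW"; }

# def:84276: a last-change day later than today defeats password ageing.
future_change() {
  today=$(( $(date +%s) / 86400 ))
  awk -F: -v today="$today" '$3 > today { print $1 }' "$SHADOW"
}

# def:84266: primary GIDs in passwd(5) that group(5) does not define.
orphan_gids() {
  awk -F: 'NR == FNR { seen[$3] = 1; next } !($4 in seen) { print $1 }' "$GROUP" "$PASSWD"
}

# Run every check; print "FAIL <check>: <names>" per finding, return 1 if any.
report() {
  status=0
  for check in uid0_accounts "dup_names $PASSWD" "dup_names $GROUP" unshadowed \
               empty_passwords future_change orphan_gids; do
    out=$($check | tr '\n' ' ')
    [ -z "$out" ] || { printf 'FAIL %s: %s\n' "$check" "$out"; status=1; }
  done
  return $status
}

report || echo "one or more account checks failed"
```

Each function prints only offending names, so a clean host produces no output and `report` returns 0; that makes the script usable as-is from cron or a configuration-management handler.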

oval:org.secpod.oval:def:84226
Ensure firewalld service is enabled and running

oval:org.secpod.oval:def:84215
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based ...

oval:org.secpod.oval:def:84279
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.

oval:org.secpod.oval:def:507166
dbus-broker is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation. It is exclusively written for Linux systems, and makes use of many modern features provi ...

oval:org.secpod.oval:def:507683
The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity. Security Fix: * sysstat: arithmetic overflow in allocate_structures on 32 bit systems For more details about the security issue, including the impact, a CVSS s ...

oval:org.secpod.oval:def:507703
Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * poppler: integer overflow in JBIG2 decoder using malformed files For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informati ...

oval:org.secpod.oval:def:507684
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language , and the capability to read e-mail and news. Security Fix: * emacs: ctags local command execution vulnerability For more details about the security issue, including ...

oval:org.secpod.oval:def:507699
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: * unbound: NRDelegation attack leads to uncontrolled resource consumption For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related inform ...

oval:org.secpod.oval:def:507701
The wireshark packages contain a network protocol analyzer used to capture and browse the traffic running on a computer network. Security Fix: * wireshark: f5ethtrailer Infinite loop in legacy style dissector For more details about the security issue, including the impact, a CVSS score, acknowledgm ...

oval:org.secpod.oval:def:507639
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol , including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which us ...

oval:org.secpod.oval:def:507670
The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...

oval:org.secpod.oval:def:507707
The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix: * lua: heap buffer overread For more details about the security issue, including the impa ...

oval:org.secpod.oval:def:507556
The GNU tar program can save multiple files in an archive and restore files from an archive. Security Fix: * tar: heap buffer overflow at from_header in list.c via specially crafted checksum For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507366
FriBidi is a library to handle bidirectional scripts , so that the display is done in the proper way, while the text data itself is always written in logical order. Security Fix: * fribidi: Stack based buffer overflow * fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode * fribidi: SEGV in ...

oval:org.secpod.oval:def:506977
The rsyslog packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine-grained control over output format. Security Fix: * rsyslog: Heap-based overflow in TCP syslog server For more details abo ...

oval:org.secpod.oval:def:507682
GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Security Fix: * gstreamer-plugins-good: Potential heap overwrite in gst_ma ...

oval:org.secpod.oval:def:84097
The RPM package tftp should be installed.

oval:org.secpod.oval:def:84019
num_logs setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:84138
The RPM package aide should be installed.

oval:org.secpod.oval:def:84083
SSL capabilities should be enabled for the mail server.

oval:org.secpod.oval:def:84034
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84195
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ...

oval:org.secpod.oval:def:84057
Limit Users SSH Access should be configured appropriately.

oval:org.secpod.oval:def:84122
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:84012
The RPM package libreswan should be installed.

oval:org.secpod.oval:def:84140
The /etc/shadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:84016
The 'rsyslog' to Accept Messages via TCP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84082
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:84162
The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met)

oval:org.secpod.oval:def:84139
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84077
The RPM package httpd should be removed.

oval:org.secpod.oval:def:84124
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84173
The SELinux policy should be set appropriately.

oval:org.secpod.oval:def:84027
Record attempts to alter time through clock_settime.

oval:org.secpod.oval:def:84052
The RPM package tftp-server should be removed.

oval:org.secpod.oval:def:84046
Audit rules that detect the mounting of filesystems should be enabled.

oval:org.secpod.oval:def:84163
The maximum number of concurrent login sessions per user should meet minimum requirements.

oval:org.secpod.oval:def:84113
The default umask for users of the csh shell

oval:org.secpod.oval:def:84045
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled

oval:org.secpod.oval:def:84135
The password minclass should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84095
The RPM package rsh should be installed.

oval:org.secpod.oval:def:84198
To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.

oval:org.secpod.oval:def:84064
Postfix network listening should be disabled

oval:org.secpod.oval:def:84086
Plaintext authentication of mail clients should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84136
The password difok should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84069
Ensure Insecure File Locking is Not Allowed (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:84033
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84109
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.

oval:org.secpod.oval:def:84015
rsyslogd should reject remote messages

oval:org.secpod.oval:def:84066
Require the use of TLS for ldap clients.

oval:org.secpod.oval:def:84035
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84042
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84105
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:84132
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:84157
The /etc/group file should be owned by the appropriate group.

oval:org.secpod.oval:def:84144
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:84192
Ensure only strong MAC algorithms are used

oval:org.secpod.oval:def:84061
A remote chrony Server for time synchronization should be specified (and dependencies are met)

oval:org.secpod.oval:def:84079
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:84014
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:84159
The RPM package telnet should be installed.

oval:org.secpod.oval:def:84125
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:84197
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

oval:org.secpod.oval:def:84081
The RPM package dovecot should be removed.

oval:org.secpod.oval:def:84196
When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based on IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access ...

oval:org.secpod.oval:def:84006
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84068
Specify UID and GID for Anonymous NFS Connections (/etc/exports) should be configured appropriately.

oval:org.secpod.oval:def:84013
The RPM package rsyslog should be installed.

oval:org.secpod.oval:def:84080
The mod_security package installation should be configured appropriately.

oval:org.secpod.oval:def:84184
Ensure nftables is not installed or stopped and masked

oval:org.secpod.oval:def:84166
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:84183
Ensure nfs-utils is not installed or the nfs-server service is masked

oval:org.secpod.oval:def:84170
The '/etc/shadow' file should be owned by the appropriate group.

oval:org.secpod.oval:def:84011
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:84187
An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ...

oval:org.secpod.oval:def:84191
An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and ...

oval:org.secpod.oval:def:84175
The password ocredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84020
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:84128
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:84180
Audit files deletion events.

oval:org.secpod.oval:def:84053
Disable Prelinking (/etc/sysconfig/prelink) should be configured appropriately.

oval:org.secpod.oval:def:84119
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:84021
max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:84178
The password dcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84038
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84094
The RPM package mcstrans should be installed.

oval:org.secpod.oval:def:84149
The /etc/group file should be owned by the appropriate user.

oval:org.secpod.oval:def:84158
Only SSH protocol version 2 connections should be permitted.

oval:org.secpod.oval:def:84024
action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account

oval:org.secpod.oval:def:84156
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:84131
The kernel module bluetooth should be disabled.

oval:org.secpod.oval:def:84186
Ensure rsync is not installed or the rsyncd service is masked

oval:org.secpod.oval:def:84161
The password hashing algorithm should be set correctly in /etc/libuser.conf.

oval:org.secpod.oval:def:84085
Configure Dovecot to Use the SSL Key file should be configured appropriately.

oval:org.secpod.oval:def:84071
The RPM package vsftpd should be removed.

oval:org.secpod.oval:def:84176
The /etc/gshadow file should be owned by the appropriate user.

oval:org.secpod.oval:def:84008
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/iptables).

oval:org.secpod.oval:def:84009
IP forwarding should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84174
The /etc/passwd file should be owned by the appropriate user.

oval:org.secpod.oval:def:84096
The RPM package ypbind should be installed.

oval:org.secpod.oval:def:84025
Record attempts to alter time through adjtimex.

oval:org.secpod.oval:def:84127
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:84193
To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.

oval:org.secpod.oval:def:84148
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:84151
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:84039
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84078
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:84041
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84114
The default umask for all users should be set correctly

oval:org.secpod.oval:def:84121
The kernel runtime parameter "net.ipv4.conf.all.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:84044
Audit rules should capture information about session initiation.

oval:org.secpod.oval:def:84152
PermitUserEnvironment should be disabled

oval:org.secpod.oval:def:84031
Record Events that Modify the System's Discretionary Access Controls - chmod. The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84076
File uploads via vsftpd should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84100
The RPM package talk should be installed.

oval:org.secpod.oval:def:84074
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:84115
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:84036
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84048
Force a reboot to change audit rules is enabled

oval:org.secpod.oval:def:84065
Protect against unnecessary release of information.

oval:org.secpod.oval:def:84098
The squashfs Kernel Module should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84030
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.

oval:org.secpod.oval:def:84005
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:84126
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:84146
This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84142
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:84153
The password ucredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84129
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:84072
Logging of vsftpd transactions should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84062
Specify Additional Remote chrony Servers (/etc/chrony.conf) should be configured appropriately.

oval:org.secpod.oval:def:84188
Ensure only strong Key Exchange algorithms are used

oval:org.secpod.oval:def:84051
The RPM package ypserv should be removed.

oval:org.secpod.oval:def:84154
The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.

oval:org.secpod.oval:def:84040
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84118
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:84055
The anacron service should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84102
The daemon umask should be set as appropriate

oval:org.secpod.oval:def:84017
The rsyslog to Accept Messages via UDP, if Acting As Log Server should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84164
This test makes sure that the '/etc/shadow' file permissions are set as appropriate. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84037
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84010
The kernel module rds should be disabled.

oval:org.secpod.oval:def:84150
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:84103
Core dumps for all users should be disabled

oval:org.secpod.oval:def:84060
Logging (/etc/rsyslog.conf) should be configured appropriately.

oval:org.secpod.oval:def:84050
The RPM package rsh-server should be removed.

oval:org.secpod.oval:def:84199
Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks against the SSH server. It will also limit the number of concurrent unauthenticated connections. While the recommended setting is 60 seconds (1 minute), set the number based on site policy.

oval:org.secpod.oval:def:84084
Dovecot plaintext authentication of clients should be enabled or disabled as necessary

oval:org.secpod.oval:def:84130
The kernel runtime parameter "net.ipv4.conf.default.rp_filter" should be set to "1".

oval:org.secpod.oval:def:84075
Restrict Access to Anonymous Users should be configured appropriately.

oval:org.secpod.oval:def:84194
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only re ...

oval:org.secpod.oval:def:84190
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disa ...

oval:org.secpod.oval:def:84091
Ensure Default Password Is Not Used (/etc/snmp/snmpd.conf) should be configured appropriately.

oval:org.secpod.oval:def:84169
The password hashing algorithm should be set correctly in /etc/login.defs.

oval:org.secpod.oval:def:84090
The RPM package net-snmp should be removed.

oval:org.secpod.oval:def:84043
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84101
The kernel module udf should be enabled or disabled as appropriate.

oval:org.secpod.oval:def:84116
The RPM package tmux should be installed.

oval:org.secpod.oval:def:84147
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84032
The changing of file permissions and attributes should be audited.

oval:org.secpod.oval:def:84171
The audit rules should be configured to log information about kernel module loading and unloading.

oval:org.secpod.oval:def:84179
The RPM package telnet-server should be removed.

oval:org.secpod.oval:def:84160
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.

oval:org.secpod.oval:def:84059
The RPM package dhcpd should be removed.

oval:org.secpod.oval:def:84165
The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.

oval:org.secpod.oval:def:84143
The /etc/gshadow file should be owned by the appropriate group.

oval:org.secpod.oval:def:84022
space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:84070
The RPM package bind should be removed.

oval:org.secpod.oval:def:84058
Disable Avahi Publishing (/etc/avahi/avahi-daemon.conf) should be configured appropriately.

oval:org.secpod.oval:def:84120
The kernel runtime parameter "net.ipv4.conf.all.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:84104
The kernel runtime parameter "fs.suid_dumpable" should be set to "0".

oval:org.secpod.oval:def:84167
The password lcredit should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84054
The kernel module usb-storage should be disabled.

oval:org.secpod.oval:def:84111
The number of allowed failed logins should be set correctly.

oval:org.secpod.oval:def:84063
The RPM package sendmail should be removed.

oval:org.secpod.oval:def:84028
Record attempts to alter time through /etc/localtime

oval:org.secpod.oval:def:84185
Ensure rpcbind is not installed or the rpcbind services are masked

oval:org.secpod.oval:def:84137
The /etc/passwd file should be owned by the appropriate group.

oval:org.secpod.oval:def:84117
The kernel runtime parameter "net.ipv4.conf.default.send_redirects" should be set to "0".

oval:org.secpod.oval:def:84088
The RPM package squid should be removed.

oval:org.secpod.oval:def:84181
The system login banner text should be set correctly.

oval:org.secpod.oval:def:84168
The password minimum length should be set appropriately.

oval:org.secpod.oval:def:84029
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

oval:org.secpod.oval:def:84141
The SELinux state should be enforcing the local policy.

oval:org.secpod.oval:def:84189
While the complete removal of /etc/sshd/sshd_config files is recommended, if any are required on the system, secure permissions must be applied.

oval:org.secpod.oval:def:84093
The RPM package setroubleshoot should be installed.

oval:org.secpod.oval:def:84067
The RPM package openldap-servers should be removed.

oval:org.secpod.oval:def:84099
The RPM package talk-server should be installed.

oval:org.secpod.oval:def:84182
SSH warning banner should be enabled (and dependencies are met).

oval:org.secpod.oval:def:84172
The password retry should meet minimum requirements using pam_cracklib

oval:org.secpod.oval:def:84026
Record attempts to alter time through settimeofday.

oval:org.secpod.oval:def:84049
The RPM package xinetd should be removed.

oval:org.secpod.oval:def:84087
Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers that support SMB packet signing.

oval:org.secpod.oval:def:84056
If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).

oval:org.secpod.oval:def:84145
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:84007
Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain (/etc/sysconfig/ip6tables).

oval:org.secpod.oval:def:84177
This test makes sure that '/etc/gshadow' has appropriate permissions set. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:84106
Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package sho ...

oval:org.secpod.oval:def:84073
A warning banner for all FTP users should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84004
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:84123
The Kernel Parameter for Accepting Source-Routed Packets By Default and all interfaces should be enabled or disabled as appropriate

oval:org.secpod.oval:def:84108
Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:84089
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:84023
admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action

oval:org.secpod.oval:def:84047
Audit actions taken by system administrators on the system.

oval:org.secpod.oval:def:84110
Set Password to Maximum of Three Consecutive Repeating Characters should be configured appropriately.

oval:org.secpod.oval:def:84112
The default umask for users of the bash shell

oval:org.secpod.oval:def:507675
The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System. Security Fix: * pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field For more details about the security issue ...

oval:org.secpod.oval:def:507233
KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Security Fix: * libksba: integer overflow may lead to remote code execution For more details about the security issue, including the i ...

oval:org.secpod.oval:def:84107
Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.

oval:org.secpod.oval:def:84092
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:84018
The logrotate (syslog rotater) service should be enabled.

oval:org.secpod.oval:def:86912
Without cryptographic integrity protections, information can be altered by unauthorized users without the alteration being detected. The system-wide crypto-policies followed by the crypto core components allow algorithms to be deprecated and disabled consistently system-wide.

oval:org.secpod.oval:def:84155
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:84134
The SSH idle timeout interval should be set to an appropriate value.

oval:org.secpod.oval:def:86910
The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account if there were more than the configured deny count of consecutive failed authentications. It stores the failure records in per-user files in the tally directory.

oval:org.secpod.oval:def:86911
A custom profile can be created by copying and customizing one of the default profiles. The default profiles include sssd, winbind, and nis. The copied profile can then be customized to follow site-specific requirements.

oval:org.secpod.oval:def:86906
Unless a system is specifically set up to act as a DHCP server, it is recommended that the dhcpd service be disabled to reduce the potential attack surface.

oval:org.secpod.oval:def:84133
The password warning age should be set appropriately.

oval:org.secpod.oval:def:86914
Running firewalld and iptables concurrently may lead to conflicts; therefore, iptables should be stopped and masked when using firewalld.

oval:org.secpod.oval:def:86916
If there is no need to export directories and file systems to Windows systems, then the smb service can be disabled to reduce the potential attack surface.

oval:org.secpod.oval:def:507642
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Security Fix: * freeradius: Information leakage in EAP-PWD * freeradius: Crash on unknown option in EAP-SIM ...

oval:org.secpod.oval:def:507394
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes. Security Fix: * podman: possible information disclosure and modification * buildah: possible information di ...

oval:org.secpod.oval:def:507351
lxml is an XML processing library providing access to libxml2 and libxslt libraries using the Python ElementTree API. Security Fix: * lxml: NULL Pointer Dereference in lxml For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507350
The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data. Security Fix: * protobuf: Incorrect parsing ...

oval:org.secpod.oval:def:507657
Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. The following packages have been upgraded to a later upstream version: qemu-kvm . Security Fix: ...

oval:org.secpod.oval:def:507658
The libguestfs-winsupport package adds support for Windows guests to libguestfs, a set of tools and libraries allowing users to access and modify virtual machine disk images. Security Fix: * ntfs-3g: heap-based buffer overflow in ntfsck * ntfs-3g: crafted NTFS image can cause heap exhaustion in nt ...

oval:org.secpod.oval:def:507361
HarfBuzz is an implementation of the OpenType Layout engine. Security Fix: * harfbuzz: integer overflow in the component hb-ot-shape-fallback.cc For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page liste ...

oval:org.secpod.oval:def:507497
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:507549
The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...

oval:org.secpod.oval:def:507553
The python-setuptools package provides a collection of enhancements to Python distribution utilities allowing convenient building and distribution of Python packages. Security Fix: * pypa-setuptools: Regular Expression Denial of Service in package_index.py For more details about the security issue ...

oval:org.secpod.oval:def:507417
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.5.0 ESR. Security Fix: * Mozilla: Service Workers might have learned size of cross-origin media files * Mozilla: Fullscreen notification bypass ...

oval:org.secpod.oval:def:507415
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Security Fix: * Mozilla: Service Workers might have learned size of cross-origin media files * Mozilla: Fullscreen notification bypass * Mozilla: Use-after-free in InputStream implem ...

oval:org.secpod.oval:def:506974
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.10.0. Security Fix: * Mozilla: Braille space character caused incorrect sender email to be shown for a digitally signed email * Mozilla: Cross-Origin resource's length leaked * Mozilla: He ...

oval:org.secpod.oval:def:506982
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.10.0 ESR. Security Fix: * Mozilla: Cross-Origin resource's length leaked * Mozilla: Heap buffer overflow in WebGL * Mozilla: Browser window spo ...

oval:org.secpod.oval:def:506973
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Security Fix: * Mozilla: Bypassing permission prompt in nested browsing contexts * Mozilla: iframe Sandbox bypass * Mozilla: Fullscree ...

oval:org.secpod.oval:def:506966
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Security Fix: * Mozilla: Bypassing permission prompt in nested browsing contexts * Mozilla: iframe Sandbox bypass * Mozilla: Fullscreen notification bypass using popups * Mozilla: Le ...

oval:org.secpod.oval:def:507475
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: integer overflows with XML_PARSE_HUGE * libxml2: dict corruption caused by entity reference cycles For more details about the security issue, including the impact, a CVSS sc ...

oval:org.secpod.oval:def:507473
A library that provides Abstract Syntax Notation One parsing and structures management, and Distinguished Encoding Rules encoding and decoding functions. Security Fix: * libtasn1: Out-of-bound access in ETYPE_OK For more details about the security issue, including the impact, a CVSS score, acknow ...

oval:org.secpod.oval:def:507689
Mako is a template library written in Python. It provides a familiar, non-XML syntax which compiles into Python modules for maximum performance. Security Fix: * python-mako: REDoS in Lexer class For more details about the security issue, including the impact, a CVSS score, acknowledgments, and othe ...

oval:org.secpod.oval:def:507129
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix: * rsy ...

oval:org.secpod.oval:def:507693
The gdk-pixbuf2 packages provide an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter. Security Fix: * gdk-pixbuf: heap-buffer overflow when decoding the lzw compressed stream of image data * gdk-pixbuf: heap-based b ...

oval:org.secpod.oval:def:507402
The libtirpc packages contain SunLib's implementation of transport-independent remote procedure call documentation, which includes a library required by programs in the nfs-utils and rpcbind packages. Security Fix: * libtirpc: DoS vulnerability with lots of connections For more details about the s ...

oval:org.secpod.oval:def:507389
389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a later upstream version: 389-ds-base. Security Fix: * 389-ds- ...

oval:org.secpod.oval:def:507356
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Docke ...

oval:org.secpod.oval:def:507399
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept in Kubernetes. Security Fix: * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension * go ...

oval:org.secpod.oval:def:507247
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.4.0. Security Fix: * Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack by malicious server administrators * Mozilla: Matrix SDK bundled with Thunderbird vu ...

oval:org.secpod.oval:def:507631
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be ...

oval:org.secpod.oval:def:86310
Netlogon RPC Elevation of Privilege Vulnerability.

oval:org.secpod.oval:def:507705
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba. Se ...

oval:org.secpod.oval:def:507634
The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix: * python-oauthlib: DoS when attacker provides malicious IPV6 URI For more d ...

oval:org.secpod.oval:def:507348
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems. Security Fix: * e2fsprogs: out-of-bounds read/write via crafted filesystem For more details about the security issue, including the impact, a CVSS score, ack ...

oval:org.secpod.oval:def:507419
Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ...

oval:org.secpod.oval:def:85678
A vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to c ...

oval:org.secpod.oval:def:507493
X.Org X11 libXpm runtime library. Security Fix: * libXpm: compression commands depend on $PATH * libXpm: Runaway loop on width of 0 and enormous height * libXpm: Infinite loop on unclosed comments For more details about the security issue, including the impact, a CVSS score, acknowledgments, and ...

oval:org.secpod.oval:def:507791
The c-ares C library defines asynchronous DNS requests and provides name resolving API. Security Fix: * c-ares: 0-byte UDP payload Denial of Service For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ...

oval:org.secpod.oval:def:507927
The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix: * cups: Information leak through Cups-Get-Document operation For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:507872
CJose is a C library implementing Javascript Object Signing and Encryption. Security Fix: * cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE For more details about the security issue, including the impact, a CVSS score, acknowledgments, and oth ...

oval:org.secpod.oval:def:507912
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.121 and .NET Runtime 6.0.21. Securit ...

oval:org.secpod.oval:def:507911
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.110 and .NET Runtime 7.0.10. Securit ...

oval:org.secpod.oval:def:507914
The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. Security Fix: * subscription-manager: inadequate authorization of com.redhat.RHSM1 D-Bus interface allows local users to modify configur ...

oval:org.secpod.oval:def:507236
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket For more details about the se ...

oval:org.secpod.oval:def:507692
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Security Fix: * device-mapper-multipath: multipathd: insecure handling of files in /dev/shm leading to symlink attack For more details about the security issue, includi ...

oval:org.secpod.oval:def:507390
The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * dnsmasq: Heap use after free in dhcp6_no_relay For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page li ...

oval:org.secpod.oval:def:507368
The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fix: * gimp: buffer overflow through a crafted XCF file ...

oval:org.secpod.oval:def:506978
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix: * zli ...

oval:org.secpod.oval:def:506983
The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Security Fix: * zlib: A flaw found in zlib when compressing certain inputs For more details about the security issue, including the impact, a CVSS score, acknowledgments, and othe ...

oval:org.secpod.oval:def:506985
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. compat-openssl11 provides the legacy 1.1 version of OpenSSL for use with older binaries. Security Fix: * openssl: Infinite loop in ...

oval:org.secpod.oval:def:507346
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * webkitgtk: Use-after-free leading to arbitrary code execution * webkitgtk: Use-after-free leading to arbitrary code execution * webkitgtk: Buffer overflow leading to arbitrary code execution * w ...

oval:org.secpod.oval:def:507645
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. The following packages have been upgraded to a later upstream version: frr. Security Fix: * frr: out-of-bounds read in the BGP daemon may lead ...

oval:org.secpod.oval:def:507524
KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Security Fix: * libksba: integer overflow to code execution For more details about the security issue, including the impact, a CVSS s ...

oval:org.secpod.oval:def:507525
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507655
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507704
Xwayland is an X server for running X clients under Wayland. Security Fix: * xorg-x11-server: buffer overflow in _GetCountedString in xkb/xkb.c * xorg-x11-server: XkbGetKbdByName use-after-free * xorg-x11-server: XTestSwapFakeInput stack overflow * xorg-x11-server: XIPassiveUngrab out-of-bounds a ...

oval:org.secpod.oval:def:507669
X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: buffer overflow in _GetCountedString in xkb/xkb.c * xorg-x11-server: XkbGetKbdByName use-after ...

oval:org.secpod.oval:def:507369
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: Denial of Service via crafted TIFF file * libtiff: Null source pointer lead to Denial of Service via crafted TIFF file * libtiff: reachable assertion * libtiff: Out-of-bo ...

oval:org.secpod.oval:def:507838
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.13.0 ESR. Security Fix: * Mozilla: Use-after-free in WebRTC certificate generation * Mozilla: Potential use-after-free from compartment mismatc ...

oval:org.secpod.oval:def:507836
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.13.0. Security Fix: * Mozilla: Use-after-free in WebRTC certificate generation * Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey * Mozilla: Memory safety bugs ...

oval:org.secpod.oval:def:507381
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.100 RC 2 and .NET Runtime 7.0.0 RC 2 ...

oval:org.secpod.oval:def:507662
Jackson is a suite of data-processing tools for Java, including the flagship streaming JSON parser / generator library, matching data-binding library, and additional modules to process data encoded in various other data formats. Security Fix: * jackson-databind: denial of service via a large depth o ...

oval:org.secpod.oval:def:507152
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.109 and Runtime 6.0.9. Securi ...

oval:org.secpod.oval:def:506979
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 6.0.105 and .NET Core Runtime ...

oval:org.secpod.oval:def:506968
Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix: * subversion: Subversion's mod_dav_svn is vulnerable to memory corruption For mo ...

oval:org.secpod.oval:def:507805
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * c-ares: 0-byte UDP payload Denial of Service * c-ares: Buffer Underwrite in ares_inet_net_pton * c-ares: Insufficient randomness in generation of D ...

oval:org.secpod.oval:def:507901
D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: dbus-daemon: assertion failure when a monitor is active and a message from the driver cannot be delivered F ...

oval:org.secpod.oval:def:507490
D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix: * dbus: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets * dbus: d ...

oval:org.secpod.oval:def:507358
The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. The following packages have been upgraded to a later upstream version: libldb. Security Fix: * samba: AD users can induce a use-after-free in the server pro ...

oval:org.secpod.oval:def:507491
LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...

oval:org.secpod.oval:def:507833
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB OpenTSDB. Security Fix: * grafana: account takeover possible when using Azure AD OAuth For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ...

oval:org.secpod.oval:def:507913
Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. Security Fix: * rust-cargo: cargo does not respect the umask when extracting dependencies For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:507877
Libeconf is a highly flexible and configurable library to parse and manage key=value configuration files. It reads configuration file snippets from different directories and builds the final configuration file from it. Security Fix: * libeconf: stack-based buffer overflow in read_file in lib/getfile ...

oval:org.secpod.oval:def:507627
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Security Fix: * emacs: command injection vulnerability in org-mode For more details about the security issue, including ...

oval:org.secpod.oval:def:507685
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Security Fix: * emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux * emacs: command execution via ...

oval:org.secpod.oval:def:507637
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: processing large delegations may severely degrade resolver perform ...

oval:org.secpod.oval:def:507638
The fwupd packages provide a service that allows session software to update device firmware. Security Fix: * fwupd: world readable password in /etc/fwupd/redfish.conf * shim: 3rd party shim allow secure boot bypass * shim: 3rd party shim allow secure boot bypass * shim: 3rd party shim allow secur ...

oval:org.secpod.oval:def:507794
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.107 and .NET Runtime 7.0.7. The foll ...

oval:org.secpod.oval:def:507842
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. The following packages have been upgraded to a later upstream version: dotnet6.0. Security Fix: * dotnet: race condition in Core SignInManager<TUser> Pass ...

oval:org.secpod.oval:def:507843
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. The following packages have been upgraded to a later upstream version: dotnet7.0. Security Fix: * dotnet: race condition in Core SignInManager<TUser> Pass ...

oval:org.secpod.oval:def:507590
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:95299
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.5.0. Security Fix(es): * Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204) * Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205) * Mozilla: Clickja ...

oval:org.secpod.oval:def:95289
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.5.0 ESR. Security Fix(es): * Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204) * Mozilla: Use-after-free in MessageP ...

oval:org.secpod.oval:def:507384
Yet Another JSON Library is a small event-driven JSON parser written in ANSI C, and a small validating JSON generator. Security Fix: * yajl: heap-based buffer overflow when handling large inputs due to an integer overflow For more details about the security issue, including the impact, a CVSS sco ...

oval:org.secpod.oval:def:507648
FreeRDP is a free implementation of the Remote Desktop Protocol, released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: clients using `/parallel` command line switch might read uninitialize ...

oval:org.secpod.oval:def:507673
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ...

oval:org.secpod.oval:def:507388
Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix: * dovecot: ...

oval:org.secpod.oval:def:507485
Expat is a C library for parsing XML documents. Security Fix: * expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refe ...

oval:org.secpod.oval:def:507404
The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * bind: DNS forwarders - cache poisoning vulnerability * bind: DoS from s ...

oval:org.secpod.oval:def:507363
The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform application framework. Security Fix: * qt: QProcess could execute a binary from the current working directory when not found in the PATH For more details about the security issue, including the impact, a CVSS score, acknowl ...

oval:org.secpod.oval:def:507379
The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...

oval:org.secpod.oval:def:507883
The python-requests package contains a library designed to make HTTP requests easy for developers. Security Fix: * python-requests: Unintended leak of Proxy-Authorization header For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related informa ...

oval:org.secpod.oval:def:507560
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: mod_dav: out-of-bounds read/write of zero byte * httpd: mod_proxy_ajp: Possible request smuggling * httpd: mod_proxy: HTTP response splitting For more details about the secu ...

oval:org.secpod.oval:def:507391
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. The following packages have been upgraded to a later upstream version: httpd. Security Fix: * httpd: mod_sed: Read/write beyond bounds * httpd: mod_lua: Use of uninitialized value of in r:parsebod ...

oval:org.secpod.oval:def:81884
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the c_rehash script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically e ...

oval:org.secpod.oval:def:507865
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: SMB2 packet signing is not enforced when server signing = r ...

oval:org.secpod.oval:def:507551
Vim is an updated and improved version of the vi editor. Security Fix: * vim: no check if the return value of XChangeGC is NULL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the Referen ...

oval:org.secpod.oval:def:86995
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affecte ...

oval:org.secpod.oval:def:507495
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: * sudo: arbitrary file write with privileges of th ...

oval:org.secpod.oval:def:87850
A vulnerability was found in Git. Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (CVE-2022-39253), the objects d ...

oval:org.secpod.oval:def:87851
A vulnerability was found in Git. This security issue occurs when feeding a crafted input to "git apply." A path outside the working tree can be overwritten by the user running "git apply."

oval:org.secpod.oval:def:508207
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.6.0. Security Fix: * Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver * Mozilla: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and T ...

oval:org.secpod.oval:def:508209
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.6.0 ESR. Security Fix: * Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver * Mozilla: Memory safety bu ...

oval:org.secpod.oval:def:87673
A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. This may result in an application crash which could lead to a denial of service. The TLS impl ...

oval:org.secpod.oval:def:87670
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages fo ...

oval:org.secpod.oval:def:87671
A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be c ...

oval:org.secpod.oval:def:87672
A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and ...

oval:org.secpod.oval:def:87669
A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages fo ...

oval:org.secpod.oval:def:507661
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption For more details about the security issu ...

oval:org.secpod.oval:def:507354
X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access * xorg-x11-server: out-of-bounds access i ...

oval:org.secpod.oval:def:507355
Xwayland is an X server for running X clients under Wayland. Security Fix: * xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access * xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension For more details about the security issue, includi ...

oval:org.secpod.oval:def:97888
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix: php: 1-byte array overrun in common path resolve code php: DoS vulnerability when parsing multipart request body php: Missing error check and insufficient random bytes in HTTP Digest authentication ...

oval:org.secpod.oval:def:507772
Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ...

oval:org.secpod.oval:def:507898
Iperf is a tool which can measure maximum TCP bandwidth and tune various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, and data-gram loss. Security Fix: * iperf3: memory allocation hazard and crash For more details about the security issue, including the impact, a CVSS ...

oval:org.secpod.oval:def:507696
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs. Security Fix: * glob-parent: Regular Expression Denial of Service * c-ares: buffer o ...

oval:org.secpod.oval:def:507887
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.14.0 ESR. Security Fix: * Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions * Mozilla: Incorrect value used during WASM c ...

oval:org.secpod.oval:def:507891
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.14.0. Security Fix: * Mozilla: Offscreen Canvas could have bypassed cross-origin restrictions * Mozilla: Incorrect value used during WASM compilation * Mozilla: Potential permissions requ ...

oval:org.secpod.oval:def:507613
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix: * OpenJDK: improper connection handling during TLS handshake * OpenJDK: Swing HTML parsing issue * OpenJDK: incorrect enqueue of references in garbage coll ...

oval:org.secpod.oval:def:507695
Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ...

oval:org.secpod.oval:def:87675
A NULL pointer vulnerability was found in OpenSSL, which can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, ...

oval:org.secpod.oval:def:507659
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: * openssl: X.400 address type confusion in X.509 GeneralName * edk2: integer underflow in SmmEntryPoint function leads to potential SMM privilege escala ...

oval:org.secpod.oval:def:87674
A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function, most likely leading to an application crash. This function can be called on public keys supplied from untrusted ...

oval:org.secpod.oval:def:507561
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: read buffer overflow in X.509 certificate verification * openssl: timing attack in RSA Decryption impleme ...

oval:org.secpod.oval:def:507633
Butane translates human-readable Butane Configs into machine-readable Ignition configs for provisioning operating systems that use Ignition. The following packages have been upgraded to a later upstream version: butane. Security Fix: * golang: net/http: handle server errors after sending GOAWAY * ...

oval:org.secpod.oval:def:507400
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana. Security Fix: * sanitize-url: XSS due to improper sanitization in sanitizeUrl function * golang: net/http: im ...

oval:org.secpod.oval:def:507656
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix: * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * golang: net/http: handle server errors after sending GOAWAY * grafana: Escalati ...

oval:org.secpod.oval:def:507345
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: io ...

oval:org.secpod.oval:def:507474
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProx ...

oval:org.secpod.oval:def:507681
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fix: * golang: net/http: handle server errors after sending GOAWAY For more details abo ...

oval:org.secpod.oval:def:507398
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fix: * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service For ...

oval:org.secpod.oval:def:507397
Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: io/fs: stack ...

oval:org.secpod.oval:def:97890
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.7.0. Security Fix: Mozilla: Out of bounds write in ANGLE Mozilla: Failure to update user input timestamp Mozilla: Crash when listing printers on Linux Mozilla: Bypass of Content Security ...

oval:org.secpod.oval:def:97892
The GIMP is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fix: gimp: dds buffer overflow RCE gimp: PSD buffer ov ...

oval:org.secpod.oval:def:506970
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Defective secure validation in Apache Santuario * OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions * OpenJDK: Impr ...

oval:org.secpod.oval:def:506975
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix: * OpenJDK: Improper ECDSA signature verification * OpenJDK: Defective secure validation in Apache Santuario * OpenJDK: Unbounded memory allocation when com ...

oval:org.secpod.oval:def:506964
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Defective secure validation in Apache Santuario * OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions * OpenJDK: Impro ...

oval:org.secpod.oval:def:509065
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.7.0 ESR. Security Fix: Mozilla: Out of bounds write in ANGLE Mozilla: Failure to update user input timestamp Mozilla: Crash when listing print ...

oval:org.secpod.oval:def:507643
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: the functions order_hostkeyalgs and list_hostkey_types leads to double-free vulnerabili ...

oval:org.secpod.oval:def:507393
FreeType is a free, high-quality, portable font engine that can open and manage font files. FreeType loads, hints, and renders individual glyphs efficiently. Security Fix: * FreeType: Buffer overflow in sfnt_init_face * FreeType: Segmentation violation via FNT_Size_Request * Freetype: Segmentation ...

oval:org.secpod.oval:def:507796
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.118 and .NET Runtime 6.0.18. The fol ...

oval:org.secpod.oval:def:509078
The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities. Security Fix: python-urllib3: Cookie request header isn't stripped during cross-origin redirects urllib3: Request body not stripped after redirect from 303 status changes request method to GE ...

oval:org.secpod.oval:def:509092
The grub2 packages provide version 2 of the Grand Unified Boot Loader, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Security Fix: grub2: bypass the GRUB pas ...

oval:org.secpod.oval:def:509076
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: Open Redirect vulnerability in FORM authentication tomcat: FileUpload: DoS due to accumulation of temporary files on Windows tomcat: improper cleaning of recycled objects could lead ...

oval:org.secpod.oval:def:509100
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.8.0 ESR. Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site ...

oval:org.secpod.oval:def:509087
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: tomcat: HTTP request smuggling via malformed trailer headers For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ref ...

oval:org.secpod.oval:def:509055
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.8.0. Security Fix: Mozilla: Out-of-bounds memory read in networking channels Mozilla: Alert dialog could have been spoofed on another site Mozilla: Memory safety bugs fixed in Firefox 123 ...

oval:org.secpod.oval:def:509049
The RPM Package Manager is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Security Fix: rpm: TOCTOU race in checks for unsafe symlinks rpm: races with chown/chmod/capabilities calls during installation rpm: ...

oval:org.secpod.oval:def:509038
Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: ipa: Invalid CSRF protection For more details about the security issue, including the impact, a CVSS score, ackno ...

oval:org.secpod.oval:def:509083
EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix: edk2: Buffer overflow in the DHCPv6 client via a long Server ID option edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise me ...

oval:org.secpod.oval:def:507765
The Apache Portable Runtime is a portability library used by the Apache HTTP Server and other projects. apr-util is a library which provides additional utility interfaces for APR; including support for XML parsing, LDAP, database interfaces, URI parsing, and more. Security Fix: * apr-util: out-of-b ...

oval:org.secpod.oval:def:507512
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: improper restrictions in CORBA deserialization * OpenJDK: soundbank URL remote loading For more details about the security issue, including the ...

oval:org.secpod.oval:def:507486
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix: * OpenJDK: handshake DoS attack against DTLS connections * OpenJDK: soundbank URL remote loading For more details about the security issue, including the i ...

oval:org.secpod.oval:def:507868
PostgreSQL is an advanced object-relational database management system. Security Fix: * postgresql: schema_element defeats protective search_path changes * postgresql: row security policies disregard user ID changes after inlining. For more details about the security issue, including the impact, ...

oval:org.secpod.oval:def:509044
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:509058
PostgreSQL is an advanced object-relational database management system. Security Fix: postgresql: non-owner "REFRESH MATERIALIZED VIEW CONCURRENTLY" executes arbitrary SQL For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, ...

oval:org.secpod.oval:def:507511
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Security Fix: * Mozilla: libusrsctp library out of date * Mozilla: Arbitrary file read from GTK drag and drop on Linux * Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ...

oval:org.secpod.oval:def:507583
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: * nss: Arbitrary memory write via PKCS 12 Bug Fix: * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output s ...

oval:org.secpod.oval:def:507481
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.7.0 ESR. Security Fix: * Mozilla: libusrsctp library out of date * Mozilla: Arbitrary file read from GTK drag and drop on Linux * Mozilla: Mem ...

oval:org.secpod.oval:def:507628
The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers ...

oval:org.secpod.oval:def:507764
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.11.0. Security Fix: * Mozilla: Browser prompts could have been obscured by popups * Mozilla: Crash in RLBox Expat driver * Mozilla: Potential permissions request bypass via clickjacking ...

oval:org.secpod.oval:def:507767
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.11.0 ESR. Security Fix: * Mozilla: Browser prompts could have been obscured by popups * Mozilla: Crash in RLBox Expat driver * Mozilla: Potent ...

oval:org.secpod.oval:def:507609
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.10.0 ESR. Security Fix: * MFSA-TMP-2023-0001 Mozilla: Double-free in libwebp * Mozilla: Fullscreen notification obscured * Mozilla: Potential ...

oval:org.secpod.oval:def:507611
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.10.0. Security Fix: * Thunderbird: Revocation status of S/Mime recipient certificates was not checked * Mozilla: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack ...

oval:org.secpod.oval:def:507793
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.12.0 ESR. Security Fix: * Mozilla: Click-jacking certificate exceptions through rendering lag * Mozilla: Memory safety bugs fixed in Firefox 11 ...

oval:org.secpod.oval:def:507576
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR. Security Fix: * Mozilla: Incorrect code generation during JIT compilation * Mozilla: Memory safety bugs fixed in Firefox 111 and Firef ...

oval:org.secpod.oval:def:507579
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.9.0. Security Fix: * Mozilla: Incorrect code generation during JIT compilation * Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 * Mozilla: Potential out-of-bounds ...

oval:org.secpod.oval:def:507802
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.12.0. Security Fix: * Mozilla: Click-jacking certificate exceptions through rendering lag * Mozilla: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12 For more details about ...

oval:org.secpod.oval:def:93827
A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met.

oval:org.secpod.oval:def:509082
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures. Security Fix: OpenSC: Side-channel leaks while stripping encryption ...

oval:org.secpod.oval:def:509073
The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fix: gnutls: timing side-channel in the RSA-PSK authentication gnutls: incomplete fix for CVE-2023-5981 gnutls: rejects certificate ch ...

oval:org.secpod.oval:def:507702
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs, nodejs-nodemon. Security Fix: * c-ares: buffer overflow in config_sortlist due to mi ...

oval:org.secpod.oval:def:507803
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * c-ares: 0-byte UDP payload Denial of Service * c-ares: Buffer Underwrite in ares_inet_net_pton * c-ares: Insufficient randomness in generation of D ...

oval:org.secpod.oval:def:507869
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Security Fix: * nodejs: mainModule.proto bypass experimental policy mechanism * nodejs: process ...

oval:org.secpod.oval:def:507870
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Security Fix: * nodejs: mainModule.proto bypass experimental policy mechanism * nodejs: process ...

oval:org.secpod.oval:def:507647
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...

oval:org.secpod.oval:def:507700
PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fix: * postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permission ...

oval:org.secpod.oval:def:507478
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: POST following PUT confusion For more details about the security issue, including the impact, a CVSS score, acknowledgm ...

oval:org.secpod.oval:def:507403
The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a later upstream version: libvir ...

oval:org.secpod.oval:def:507372
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: bad local IPv6 connection reuse For more details about the security issue, including the impact, a CVSS score, acknowle ...

oval:org.secpod.oval:def:509152
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby. Security Fix: ruby/cgi-gem: HTTP response splitting in CGI ruby: ReDo ...

oval:org.secpod.oval:def:507876
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix: * openssh: Remote code execution in ssh-agent PKCS#11 support For more details about the security ...

oval:org.secpod.oval:def:507660
The libtpms is a library providing Trusted Platform Module functionality for virtual machines. Security Fix: * tpm: TCG TPM2.0 implementations vulnerable to memory corruption * tpm2: TCG TPM2.0 implementations vulnerable to memory corruption For more details about the security issue, including th ...

oval:org.secpod.oval:def:507482
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:507671
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: Incorrect handling of control code characters in cookies * curl: Use-after-free triggered by an HTTP proxy deny respons ...

oval:org.secpod.oval:def:507471
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: watch queue race condition can lead to privilege escalation * kernel: memory corruption in AX88179_178A based USB ethernet device. * kerne ...

oval:org.secpod.oval:def:507252
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * posix cpu timer use-after-free may lead to local privilege escalation For more details about the security issue, including the impact, a CVSS score ...

oval:org.secpod.oval:def:507258
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * posix cpu timer use-after-free may lead to local privilege escalation * Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option For more details about the security issue, in ...

oval:org.secpod.oval:def:507498
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: watch queue race condition can lead to privilege escalation * kernel: memory corruption in AX88179_178A based USB ethernet device. * kernel: i915: Incorrect GPU TLB flush can lead to rando ...

oval:org.secpod.oval:def:507158
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: heap overflow in nft_set_elem_init For more details about the security issue, including the impact, a CVSS score, acknowledgments, and othe ...

oval:org.secpod.oval:def:507164
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: heap overflow in nft_set_elem_init * kernel: vulnerability of buffer overflow in nft_set_desc_concat_parse For more details about the security issue, including the impact, a CVSS score, ac ...

oval:org.secpod.oval:def:507407
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507254
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507798
Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. Security Fix: * python: urllib.parse url blocklisting bypass For mor ...

oval:org.secpod.oval:def:507554
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * Pyt ...

oval:org.secpod.oval:def:507804
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...

oval:org.secpod.oval:def:507382
Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. The following packages have been upgraded to a later upstream version: qemu-kvm. Security Fix: ...

oval:org.secpod.oval:def:507484
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs, nodejs-nodemon. Security Fix: * minimist: prototype pollution * nodejs-minimatch: R ...

oval:org.secpod.oval:def:507362
Speex is a patent-free compression format designed especially for speech. It is specialized for voice communications at low bit-rates. Security Fix: * speex: divide by zero in read_samples via crafted WAV file For more details about the security issue, including the impact, a CVSS score, acknowledg ...

oval:org.secpod.oval:def:507425
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs. Security Fix: * nodejs-minimatch: ReDoS via the braceExpand function * nodejs: DNS ...

oval:org.secpod.oval:def:507162
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs, nodejs-nodemon. Security Fix: * nodejs-ini: Prototype pollution via malicious INI f ...

oval:org.secpod.oval:def:507401
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix: * zli ...

oval:org.secpod.oval:def:507651
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: FTP too eager connection reuse For more details about the security issue, including the impact, a CVSS score, acknowled ...

oval:org.secpod.oval:def:507256
The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Security Fix: * zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field For more details about the security issue, includ ...

oval:org.secpod.oval:def:507674
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql. Security Fix: * mysql: Server: Security: Privileges unspecified vulnerability * ...

oval:org.secpod.oval:def:507165
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby. Security Fix: * Ruby: Double free in Regexp compilation * Ruby: Buffe ...

oval:org.secpod.oval:def:507392
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php. Security Fix: * php: Use after free due to php_filter_float failing for ints * php: Uninitialized array in pg_query_params leading to R ...

oval:org.secpod.oval:def:95298
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.125 and .NET Runtime 6.0.25. Securit ...

oval:org.secpod.oval:def:95293
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.114 and .NET Runtime 7.0.14. Securit ...

oval:org.secpod.oval:def:95291
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. Security Fix(es): * dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand (CVE-2023-36049) * dotnet: ASP.NET Security Feature Bypass ...

oval:org.secpod.oval:def:509016
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27. Securit ...

oval:org.secpod.oval:def:509022
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.102 and .NET Runtime 8.0.2. Security ...

oval:org.secpod.oval:def:509056
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16. Securit ...

oval:org.secpod.oval:def:84268
Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup. Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

oval:org.secpod.oval:def:97238
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:97240
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:97248
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log.

oval:org.secpod.oval:def:97254
Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ...

oval:org.secpod.oval:def:97256
The systemd-coredump configuration file should be configured properly.

oval:org.secpod.oval:def:97257
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log/audit filesystem is not intended to support devices, set this option to ensure that users cannot create block or character special devices in /var/log/audit.

oval:org.secpod.oval:def:97259
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log/audit filesystem is only intended for variable files such as logs, set this option to ensure that users cannot create setuid files in /var/log/audit.

oval:org.secpod.oval:def:97243
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls whether a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorized ...

oval:org.secpod.oval:def:97244
By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked permissions to mount it ...

oval:org.secpod.oval:def:97246
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var.

oval:org.secpod.oval:def:97233
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:97234
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:97235
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:97236
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

oval:org.secpod.oval:def:97241
The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.

oval:org.secpod.oval:def:97252
Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated. Rationale: By keeping the log ...

oval:org.secpod.oval:def:97253
Journald (via systemd-journal-remote) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management. Rationale: Storing log data on a remote host protects log integrity from local attacks. If an attacker gains ...

oval:org.secpod.oval:def:97255
Journald supports the ability to receive messages from remote hosts, thus acting as a log server. Clients should not receive data from other hosts. Rationale: If a client is configured to also receive data, thus turning it into a server, the client system is acting outside its operational boundary.

oval:org.secpod.oval:def:97231
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who ...

oval:org.secpod.oval:def:97258
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.

oval:org.secpod.oval:def:97237
sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user. Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events wr ...

oval:org.secpod.oval:def:97242
The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It ...

oval:org.secpod.oval:def:97249
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/log.

oval:org.secpod.oval:def:97247
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.

oval:org.secpod.oval:def:97229
Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command i ...

oval:org.secpod.oval:def:97230
The GNOME Display Manager (GDM) is a program that manages graphical display servers and handles graphical user logins. If a Graphical User Interface (GUI) is not required, it should be removed to reduce the attack surface of the system.

oval:org.secpod.oval:def:97232
Ensure that the systemd-journald service is enabled to allow capturing of logging events. If the systemd-journald service is not enabled to start on boot, the system will not capture logging events.

oval:org.secpod.oval:def:97239
Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies.

oval:org.secpod.oval:def:97245
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log.

oval:org.secpod.oval:def:97250
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var.

oval:org.secpod.oval:def:97894
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.115 and .NET Runtime 7.0.15. Securit ...

oval:org.secpod.oval:def:97895
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.101 and .NET Runtime 8.0.1. Security ...

oval:org.secpod.oval:def:97893
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.115 and .NET Runtime 7.0.15. Securit ...

oval:org.secpod.oval:def:86913
Without cryptographic integrity protections, information can be altered by unauthorized users without the alteration being detected. The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide.

oval:org.secpod.oval:def:509062
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: squid: Denial of Service in SSL Certificate validation squid: NULL pointer dereference in the gopher protocol code squid: Buffer over-read in the HTTP Message processing f ...

oval:org.secpod.oval:def:507550
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: use-after-free caused by l2cap_reassemble_sdu in net/bluetooth/l2cap_core.c * kernel: stack overflow in do_proc_dointvec and proc_skip_spaces * kernel: use-after-free in __nfs42_ssc_open i ...

oval:org.secpod.oval:def:507558
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: use-after-free caused by l2cap_reassemble_sdu in net/bluetooth/l2cap_core.c * kernel: stack overflow in do_proc_dointvec and proc_skip_spac ...

oval:org.secpod.oval:def:507878
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: ipvlan: out-of-bounds write caused by unclear skb-cb * kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt For more details about ...

oval:org.secpod.oval:def:509150
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: nodejs: code injection and privilege escalation through Linux capabilities nodejs: reading unprocessed HTTP request with unbounded chunk extension all ...

oval:org.secpod.oval:def:509088
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: pytho ...

oval:org.secpod.oval:def:509060
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Bug Fix and Enhancement: CVE-2023-28487 sudo: Sudo does not esca ...

oval:org.secpod.oval:def:507880
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: ipvlan: out-of-bounds write caused by unclear skb-cb * kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt * kernel: KVM: x86/mmu: race condition in direct_page_fault * kernel: s ...

oval:org.secpod.oval:def:507587
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: * kernel: tun: avoid double free in tun_free_netdev * ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF For more details about the ...

oval:org.secpod.oval:def:507586
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: tun: avoid double free in tun_free_netdev * ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF * kernel: net: CPU soft lockup in TC mirred egress-to-ingress action For mor ...

oval:org.secpod.oval:def:507697
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c * net/ulp: use-after-free in listening ULP sockets * cpu: AMD CPUs may transiently execute beyond uncondition ...

oval:org.secpod.oval:def:509037
The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJDK ...

oval:org.secpod.oval:def:509040
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJD ...

oval:org.secpod.oval:def:509057
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: RSA padding issue and timing side-channel attack against TLS OpenJDK ...

oval:org.secpod.oval:def:509063
The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler OpenJDK: incorrect handling of ZIP files with duplicate entries OpenJDK: RSA ...

oval:org.secpod.oval:def:507496
The bash packages provide Bash, which is the default shell for Red Hat Enterprise Linux. Security Fix: * bash: a heap-buffer-overflow in valid_parameter_transform For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ...

oval:org.secpod.oval:def:509106
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: nss: timing attack against RSA decryption For more details about the security issue, including the impact, a CVSS score, acknowledgme ...

oval:org.secpod.oval:def:509071
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix: nss: vulnerable to Minerva side-channel information leak For more details about the security issue, including the impact, a CVSS scor ...

oval:org.secpod.oval:def:95297
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * squid: DoS against HTTP and HTTPS (CVE-2023-5824)

oval:org.secpod.oval:def:507653
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php. Security Fix: * XKCP: buffer overflow in the SHA-3 reference implementation * php: standard insecure cookie could be treated as a "__Hos ...

oval:org.secpod.oval:def:507555
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php. Security Fix: * XKCP: buffer overflow in the SHA-3 reference implementation * php: standard insecure cookie could be treated as a `__Ho ...

oval:org.secpod.oval:def:509112
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix: frr: Flowspec overflow in bgpd/bgp_flowspec.c frr: Out of bounds read in bgpd/bgp_label.c frr: crash from specially crafted MP_UN ...

oval:org.secpod.oval:def:94002
An update for nodejs is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:94003
An update for nghttp2 is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:94000
An update for .NET 7.0 is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:94006
An update for tomcat is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:94004
An update for nghttp2 is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:94005
An update for grafana is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:93999
An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:93997
An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:93998
An update for nginx is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:509101
Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. Security Fix: keylime: Attestation failure when the quote's signature does not validate For more details about the security issue, including the impact, a CVSS score, acknowledgments, and othe ...

oval:org.secpod.oval:def:507343
Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba. Se ...

oval:org.secpod.oval:def:507367
FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. The following packages have been upgraded to a later upstream version: frr. Security Fix: * frrouting: overflow bugs in unpack_tlv_router_cap ...

oval:org.secpod.oval:def:94001
An update for curl is now available for Red Hat Enterprise Linux 9.

oval:org.secpod.oval:def:509158
Expat is a C library for parsing XML documents. Security Fix: expat: parsing large tokens can trigger a denial of service expat: XML Entity Expansion

oval:org.secpod.oval:def:97891
The runC tool is a lightweight, portable implementation of the Open Container Format that provides a container runtime. Security Fix: runc: file descriptor leak For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ...

oval:org.secpod.oval:def:87668
A type confusion vulnerability was found in OpenSSL when it processes X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp ca ...

oval:org.secpod.oval:def:507138
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: c_rehash script allows command injection * openssl: Signer certificate verification returns inaccurate re ...

oval:org.secpod.oval:def:507170
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql. Security Fix: * mysql: Server: Optimizer multiple unspecified vulnerabilities * ...

oval:org.secpod.oval:def:509110
The golang packages provide the Go programming language compiler. Security Fix: golang: net/http/internal: Denial of Service via Resource Consumption via HTTP requests golang: cmd/go: Protocol Fallback when fetching modules For more details about the security issue, including the impact, a CVSS s ...

oval:org.secpod.oval:def:507644
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix: * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests * golang: crypto/tls: session tickets lack rando ...

oval:org.secpod.oval:def:507646
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Security Fix: * golang: archive/tar: unbounded memory consumption when reading headers * golang: net/http/httputil: ReverseProxy should not forward unparseable qu ...

oval:org.secpod.oval:def:507650
Conmon is an OCI container runtime monitor. Security Fix: * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed ...

oval:org.secpod.oval:def:507776
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: html/template: improper handling of JavaScript whitespace For more details about the security issue, in ...

oval:org.secpod.oval:def:507654
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Docke ...

oval:org.secpod.oval:def:507652
Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fix: * golang: net/http: improper sanitization of Transfer-Encoding header * golang: net/http/httputil: Reve ...

oval:org.secpod.oval:def:507672
Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI. Security Fix: * golang: net/http: handle server errors after sending GOAWAY * golang: net/http: An attacke ...

oval:org.secpod.oval:def:507688
The Container Network Interface project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources ...

oval:org.secpod.oval:def:507687
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept from Kubernetes. Security Fix: * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests * golang ...

oval:org.secpod.oval:def:97853
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete syste ...

oval:org.secpod.oval:def:507364
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * off-path attacker may inject data or terminate victim's TCP session.

oval:org.secpod.oval:def:97887
This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix: kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags kernel: net/sched: sch_hfsc UAF kernel: use after free in unix ...

oval:org.secpod.oval:def:509094
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags kernel: use after free in unix_stream_sendpage kernel: net/sched: sch_hfsc UAF kernel: use after free in nvmet_ ...

oval:org.secpod.oval:def:508217
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:509089
Virtual Network Computing is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients. Security F ...

oval:org.secpod.oval:def:507630
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:507766
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:507694
Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network. Securi ...

oval:org.secpod.oval:def:509149
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB, and OpenTSDB. Security Fix: grafana: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads

oval:org.secpod.oval:def:509154
grafana-pcp is an open source Grafana plugin for PCP. Security Fix: grafana-pcp: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads

oval:org.secpod.oval:def:509160
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.9.0. Security Fix: nss: timing attack against RSA decryption Mozilla: Crash in NSS TLS method Mozilla: Leaking of encrypted email subjects to other conversations Mozilla: JIT code failed ...

oval:org.secpod.oval:def:509045
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources For more details about the security issue, including the i ...

oval:org.secpod.oval:def:509074
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: curl: information disclosure by exploiting a mixed case flaw For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:509153
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.9.1 ESR. Security Fix: nss: timing attack against RSA decryption Mozilla: Crash in NSS TLS method Mozilla: JIT code failed to save return regi ...

oval:org.secpod.oval:def:509104
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: openssl: Incorrect cipher key and IV length processing For more details about the security issue, including the impa ...

oval:org.secpod.oval:def:509252
OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries openssl ...

oval:org.secpod.oval:def:509219
Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.10.0. Security Fix: Mozilla: Denial of Service using HTTP/2 CONTINUATION frames For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ...

oval:org.secpod.oval:def:509315
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation CVE-2024-25743 hw: amd: Instruction raise #VC exception at exit Bug Fix: ffdhe* algorithms introduced in 0a2e5b90902 ...

oval:org.secpod.oval:def:99513
A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.

oval:org.secpod.oval:def:509080
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database w ...

oval:org.secpod.oval:def:509299
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: kernel: GSM multiplexing race condition leads to privilege escalation kernel: multiple use-after-free vulnerabilities kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation ...

oval:org.secpod.oval:def:507881
The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix: * libxml2: NULL dereference in xmlSchemaFixupComplexType * libxml2: Hashing of empty dict strings isn't deterministic For more details about the security issue, including the impact, a ...

oval:org.secpod.oval:def:507873
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix: * curl: IDN wildcard match may lead to Improper Certificate Validation * curl: more POST-after-PUT confusion For more details a ...

oval:org.secpod.oval:def:507405
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following packa ...

oval:org.secpod.oval:def:507641
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * webkitgtk: use-after-free issue leading to arbitrary code execution * webkitgtk: memory corruption issue leading to arbitrary code execution * webkitgtk: memory corruption issue leading to arbitr ...

oval:org.secpod.oval:def:507649
The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * libtiff: heap Buffer overflows in tiffcrop.c * libtiff: out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix * libtiff: out-of-bounds write in extractContigSamplesShifted24bits i ...

oval:org.secpod.oval:def:507616
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * WebKitGTK: use-after-free leads to arbitrary code execution For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ...

oval:org.secpod.oval:def:507548
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * webkitgtk: processing maliciously crafted web content may be exploited for arbitrary code execution For more details about the security issue, including the impact, a CVSS score, acknowledgments, ...

oval:org.secpod.oval:def:507686
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix: * WebKitGTK: Regression of CVE-2023-28205 fixes in the Red Hat Enterprise Linux For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related info ...

*CPE
cpe:/o:redhat:enterprise_linux:9
XCCDF    2
xccdf_org.secpod_benchmark_SecPod_RHEL_9
xccdf_org.secpod_benchmark_general_RHEL_9

© SecPod Technologies