Vulnerability-Lookup

CVE-2022-27664 (GCVE-0-2022-27664)

Vulnerability from cvelistv5 – Published: 2022-09-06 17:29 – Updated: 2024-08-03 05:32

Summary

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

6 references

URL	Tags
https://groups.google.com/g/golang-announce	x_refsource_MISC
https://groups.google.com/g/golang-announce/c/x49…	x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://security.netapp.com/advisory/ntap-2022092…	x_refsource_CONFIRM
https://security.gentoo.org/glsa/202209-26	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:32:59.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
          },
          {
            "name": "FEDORA-2022-67ec8c61d0",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
          },
          {
            "name": "FEDORA-2022-45097317b4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
          },
          {
            "name": "GLSA-202209-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202209-26"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-29T16:06:56.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/golang-announce"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
        },
        {
          "name": "FEDORA-2022-67ec8c61d0",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
        },
        {
          "name": "FEDORA-2022-45097317b4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
        },
        {
          "name": "GLSA-202209-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202209-26"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-27664",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/g/golang-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/golang-announce"
            },
            {
              "name": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"
            },
            {
              "name": "FEDORA-2022-67ec8c61d0",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/"
            },
            {
              "name": "FEDORA-2022-45097317b4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220923-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220923-0004/"
            },
            {
              "name": "GLSA-202209-26",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202209-26"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-27664",
    "datePublished": "2022-09-06T17:29:08.000Z",
    "dateReserved": "2022-03-23T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:32:59.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-27664",
      "date": "2026-05-27",
      "epss": "0.00098",
      "percentile": "0.26741"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-27664\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-09-06T18:15:12.747\",\"lastModified\":\"2024-11-21T06:56:07.703\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.\"},{\"lang\":\"es\",\"value\":\"En net/http en Go versiones anteriores a 1.18.6 y 1.19.x anteriores a 1.19.1, los atacantes pueden causar una denegaci\u00f3n de servicio porque una conexi\u00f3n HTTP/2 puede colgarse durante el cierre si el apagado fue adelantado por un error fatal.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.18.6\",\"matchCriteriaId\":\"5FD1F793-7C7B-454B-BD2D-CE56C91E8573\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:1.19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6173F8B9-F925-4166-9D3A-6793082D6A6F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://groups.google.com/g/golang-announce\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.gentoo.org/glsa/202209-26\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220923-0004/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202209-26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20220923-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

alsa-2022:7129

Vulnerability from osv_almalinux

Published

2022-10-25 00:00

Modified

2022-10-27 09:34

Summary

Moderate: git-lfs security and bug fix update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)
golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)
golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

git-lfs needs to be rebuild with golang 1.17.7-1 or above

References

URL

Type

	https://access.redhat.com/errata/RHSA-2022:7129	ADVISORY
	https://access.redhat.com/security/cve/CVE-2020-28851	REPORT
	https://access.redhat.com/security/cve/CVE-2020-28852	REPORT
	https://access.redhat.com/security/cve/CVE-2022-1705	REPORT
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30630	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30632	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30635	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32148	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32189	REPORT
	https://bugzilla.redhat.com/1913333	REPORT
	https://bugzilla.redhat.com/1913338	REPORT
	https://bugzilla.redhat.com/2107371	REPORT
	https://bugzilla.redhat.com/2107374	REPORT
	https://bugzilla.redhat.com/2107383	REPORT
	https://bugzilla.redhat.com/2107386	REPORT
	https://bugzilla.redhat.com/2107388	REPORT
	https://bugzilla.redhat.com/2113814	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://errata.almalinux.org/8/ALSA-2022-7129.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.3-3.el8_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* git-lfs needs to be rebuild with golang 1.17.7-1 or above",
  "id": "ALSA-2022:7129",
  "modified": "2022-10-27T09:34:45Z",
  "published": "2022-10-25T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2022:7129"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2020-28851"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2020-28852"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1705"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30630"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30632"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30635"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32148"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32189"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/1913333"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/1913338"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107371"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107388"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2113814"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2022-7129.html"
    }
  ],
  "related": [
    "CVE-2020-28851",
    "CVE-2020-28852",
    "CVE-2022-1705",
    "CVE-2022-27664",
    "CVE-2022-30630",
    "CVE-2022-30632",
    "CVE-2022-30635",
    "CVE-2022-32148",
    "CVE-2022-32189"
  ],
  "summary": "Moderate: git-lfs security and bug fix update"
}

alsa-2023:2167

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-11 17:41

Summary

Moderate: grafana security and enhancement update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)
grafana: using email as a username can block other users from signing in (CVE-2022-39229)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2167	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2880	REPORT
	https://access.redhat.com/security/cve/CVE-2022-35957	REPORT
	https://access.redhat.com/security/cve/CVE-2022-39229	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41715	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2125514	REPORT
	https://bugzilla.redhat.com/2131149	REPORT
	https://bugzilla.redhat.com/2132868	REPORT
	https://bugzilla.redhat.com/2132872	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2167.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.9-2.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)\n* grafana: using email as a username can block other users from signing in (CVE-2022-39229)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2167",
  "modified": "2023-05-11T17:41:17Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2167"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2880"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-35957"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39229"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41715"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2125514"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2131149"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132868"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132872"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2167.html"
    }
  ],
  "related": [
    "CVE-2022-2880",
    "CVE-2022-27664",
    "CVE-2022-35957",
    "CVE-2022-39229",
    "CVE-2022-41715"
  ],
  "summary": "Moderate: grafana security and enhancement update"
}

alsa-2023:2177

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-12 12:18

Summary

Moderate: grafana-pcp security and enhancement update

Details

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.

Security Fix(es):

golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2177	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2177.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "grafana-pcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.1-1.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2177",
  "modified": "2023-05-12T12:18:28Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2177"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2177.html"
    }
  ],
  "related": [
    "CVE-2022-27664"
  ],
  "summary": "Moderate: grafana-pcp security and enhancement update"
}

alsa-2023:2193

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-12 12:18

Summary

Moderate: butane security, bug fix, and enhancement update

Details

Butane translates human-readable Butane Configs into machine-readable Ignition configs for provisioning operating systems that use Ignition.

The following packages have been upgraded to a later upstream version: butane (0.16.0). (BZ#2135475)

Security Fix(es):

golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2193	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32189	REPORT
	https://bugzilla.redhat.com/2113814	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2193.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "butane"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0-1.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Butane translates human-readable Butane Configs into machine-readable Ignition configs for provisioning operating systems that use Ignition.\n\nThe following packages have been upgraded to a later upstream version: butane (0.16.0). (BZ#2135475)\n\nSecurity Fix(es):\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2193",
  "modified": "2023-05-12T12:18:29Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2193"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32189"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2113814"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2193.html"
    }
  ],
  "related": [
    "CVE-2022-27664",
    "CVE-2022-32189"
  ],
  "summary": "Moderate: butane security, bug fix, and enhancement update"
}

alsa-2023:2204

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-12 13:23

Summary

Moderate: Image Builder security, bug fix, and enhancement update

Details

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2204	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2879	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2880	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41715	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41717	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2132867	REPORT
	https://bugzilla.redhat.com/2132868	REPORT
	https://bugzilla.redhat.com/2132872	REPORT
	https://bugzilla.redhat.com/2161274	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2204.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "osbuild-composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "76-2.el9_2.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "osbuild-composer-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "76-2.el9_2.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "osbuild-composer-dnf-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "76-2.el9_2.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "osbuild-composer-worker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "76-2.el9_2.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "weldr-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.9-1.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.\n\nSecurity Fix(es):\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2204",
  "modified": "2023-05-12T13:23:32Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2204"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2879"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2880"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41715"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41717"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132867"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132868"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132872"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2161274"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2204.html"
    }
  ],
  "related": [
    "CVE-2022-2879",
    "CVE-2022-2880",
    "CVE-2022-27664",
    "CVE-2022-41715",
    "CVE-2022-41717"
  ],
  "summary": "Moderate: Image Builder security, bug fix, and enhancement update"
}

alsa-2023:2236

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-12 12:18

Summary

Moderate: toolbox security and bug fix update

Details

Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI.

Security Fix(es):

golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2236	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32189	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41717	REPORT
	https://bugzilla.redhat.com/2113814	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2161274	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2236.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "toolbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.99.3-9.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "toolbox-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.99.3-9.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Toolbox is a tool for Linux operating systems, which allows the use of containerized command line environments. It is built on top of Podman and other standard container technologies from OCI.\n\nSecurity Fix(es):\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2236",
  "modified": "2023-05-12T12:18:33Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2236"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32189"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41717"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2113814"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2161274"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2236.html"
    }
  ],
  "related": [
    "CVE-2022-27664",
    "CVE-2022-41717",
    "CVE-2022-32189"
  ],
  "summary": "Moderate: toolbox security and bug fix update"
}

alsa-2023:2357

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-12 06:02

Summary

Moderate: git-lfs security and bug fix update

Details

Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.

Security Fix(es):

golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2357	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-1705	REPORT
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2880	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30630	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30632	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30635	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32148	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32189	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41715	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41717	REPORT
	https://bugzilla.redhat.com/2107371	REPORT
	https://bugzilla.redhat.com/2107374	REPORT
	https://bugzilla.redhat.com/2107383	REPORT
	https://bugzilla.redhat.com/2107386	REPORT
	https://bugzilla.redhat.com/2107388	REPORT
	https://bugzilla.redhat.com/2113814	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2132868	REPORT
	https://bugzilla.redhat.com/2132872	REPORT
	https://bugzilla.redhat.com/2161274	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2357.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "git-lfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0-1.el9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2357",
  "modified": "2023-05-12T06:02:25Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2357"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1705"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2880"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30630"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30632"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30635"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32148"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32189"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41715"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41717"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107371"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107388"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2113814"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132868"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132872"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2161274"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2357.html"
    }
  ],
  "related": [
    "CVE-2022-1705",
    "CVE-2022-2880",
    "CVE-2022-27664",
    "CVE-2022-30630",
    "CVE-2022-30632",
    "CVE-2022-30635",
    "CVE-2022-32148",
    "CVE-2022-41715",
    "CVE-2022-41717",
    "CVE-2022-32189"
  ],
  "summary": "Moderate: git-lfs security and bug fix update"
}

alsa-2023:2758

Vulnerability from osv_almalinux

Published

2023-05-16 00:00

Modified

2023-05-22 10:20

Summary

Moderate: container-tools:rhel8 security, bug fix, and enhancement update

Details

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
podman: symlink exchange attack in podman export volume (CVE-2023-0778)
golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2758	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-1705	REPORT
	https://access.redhat.com/security/cve/CVE-2022-1962	REPORT
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-28131	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30629	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30630	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30631	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30632	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30633	REPORT
	https://access.redhat.com/security/cve/CVE-2022-30635	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32148	REPORT
	https://access.redhat.com/security/cve/CVE-2022-32189	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41717	REPORT
	https://access.redhat.com/security/cve/CVE-2023-0778	REPORT
	https://bugzilla.redhat.com/2092793	REPORT
	https://bugzilla.redhat.com/2107342	REPORT
	https://bugzilla.redhat.com/2107371	REPORT
	https://bugzilla.redhat.com/2107374	REPORT
	https://bugzilla.redhat.com/2107376	REPORT
	https://bugzilla.redhat.com/2107383	REPORT
	https://bugzilla.redhat.com/2107386	REPORT
	https://bugzilla.redhat.com/2107388	REPORT
	https://bugzilla.redhat.com/2107390	REPORT
	https://bugzilla.redhat.com/2107392	REPORT
	https://bugzilla.redhat.com/2113814	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2161274	REPORT
	https://bugzilla.redhat.com/2168256	REPORT
	https://errata.almalinux.org/8/ALSA-2023-2758.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "aardvark-dns"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.5.0-2.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.29.1-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "buildah-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.29.1-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "cockpit-podman"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "63.1-1.module_el8.8.0+3557+7ba9cc13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "conmon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:2.1.6-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "container-selinux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:2.205.0-2.module_el8.8.0+3557+7ba9cc13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "containernetworking-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.2.0-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "containers-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1-63.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "crit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "criu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "criu-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "criu-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "crun"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1-2.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "fuse-overlayfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libslirp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.0-1.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libslirp-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.0-1.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "netavark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.5.0-4.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "oci-seccomp-bpf-hook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.8-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-catatonit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-docker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-gvproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-remote"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "podman-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3:4.4.1-8.module_el8.8.0+3568+e8578284"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-criu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15-3.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-podman"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.1-1.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "runc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:1.1.4-1.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "skopeo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.11.2-0.2.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "skopeo-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2:1.11.2-0.2.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "slirp4netns"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0-2.module_el8.7.0+3407+95aa0ca9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "toolbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.99.3-7.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "toolbox-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.99.3-7.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "udica"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6-20.module_el8.8.0+3470+252b1910"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)\n* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)\n* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)\n* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)\n* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* podman: symlink exchange attack in podman export volume (CVE-2023-0778)\n* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)\n* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2758",
  "modified": "2023-05-22T10:20:38Z",
  "published": "2023-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2758"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1705"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1962"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-28131"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30629"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30630"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30631"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30632"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30633"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-30635"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32148"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-32189"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41717"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-0778"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2092793"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107342"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107371"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107374"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107376"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107383"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107386"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107388"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107390"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2107392"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2113814"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2161274"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2168256"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-2758.html"
    }
  ],
  "related": [
    "CVE-2022-1705",
    "CVE-2022-1962",
    "CVE-2022-27664",
    "CVE-2022-28131",
    "CVE-2022-30630",
    "CVE-2022-30631",
    "CVE-2022-30632",
    "CVE-2022-30633",
    "CVE-2022-30635",
    "CVE-2022-32148",
    "CVE-2022-41717",
    "CVE-2023-0778",
    "CVE-2022-30629",
    "CVE-2022-32189"
  ],
  "summary": "Moderate: container-tools:rhel8 security, bug fix, and enhancement update"
}

alsa-2023:2780

Vulnerability from osv_almalinux

Published

2023-05-16 00:00

Modified

2023-05-20 19:14

Summary

Moderate: Image Builder security, bug fix, and enhancement update

Details

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2780	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2879	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2880	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41715	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41717	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2132867	REPORT
	https://bugzilla.redhat.com/2132868	REPORT
	https://bugzilla.redhat.com/2132872	REPORT
	https://bugzilla.redhat.com/2161274	REPORT
	https://errata.almalinux.org/8/ALSA-2023-2780.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "osbuild-composer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "75-1.el8.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "osbuild-composer-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "75-1.el8.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "osbuild-composer-dnf-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "75-1.el8.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "osbuild-composer-worker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "75-1.el8.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "weldr-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.9-2.el8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.\n\nSecurity Fix(es):\n\n* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n* golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2780",
  "modified": "2023-05-20T19:14:40Z",
  "published": "2023-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2780"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2879"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2880"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41715"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41717"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132867"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132868"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132872"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2161274"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-2780.html"
    }
  ],
  "related": [
    "CVE-2022-2879",
    "CVE-2022-2880",
    "CVE-2022-27664",
    "CVE-2022-41715",
    "CVE-2022-41717"
  ],
  "summary": "Moderate: Image Builder security, bug fix, and enhancement update"
}

alsa-2023:2784

Vulnerability from osv_almalinux

Published

2023-05-16 00:00

Modified

2023-05-19 21:59

Summary

Moderate: grafana security update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
grafana: using email as a username can block other users from signing in (CVE-2022-39229)
golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2784	ADVISORY
	https://access.redhat.com/security/cve/CVE-2022-27664	REPORT
	https://access.redhat.com/security/cve/CVE-2022-2880	REPORT
	https://access.redhat.com/security/cve/CVE-2022-39229	REPORT
	https://access.redhat.com/security/cve/CVE-2022-41715	REPORT
	https://bugzilla.redhat.com/2124669	REPORT
	https://bugzilla.redhat.com/2131149	REPORT
	https://bugzilla.redhat.com/2132868	REPORT
	https://bugzilla.redhat.com/2132872	REPORT
	https://errata.almalinux.org/8/ALSA-2023-2784.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.15-4.el8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* grafana: using email as a username can block other users from signing in (CVE-2022-39229)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2023:2784",
  "modified": "2023-05-19T21:59:59Z",
  "published": "2023-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2784"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-27664"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2880"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-39229"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2022-41715"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2124669"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2131149"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132868"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2132872"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-2784.html"
    }
  ],
  "related": [
    "CVE-2022-2880",
    "CVE-2022-27664",
    "CVE-2022-39229",
    "CVE-2022-41715"
  ],
  "summary": "Moderate: grafana security update"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-27664 (GCVE-0-2022-27664)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature