ID

VAR-202004-2199

CVE

CVE-2020-11023

TITLE

jQuery Cross-site scripting vulnerability

DESCRIPTION

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. jQuery is an open source, cross-browser JavaScript library developed by American John Resig programmers. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. A cross-site scripting vulnerability exists in jQuery versions 1.0.3 through 3.5.0. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. For the oldstable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u10. We recommend that you upgrade your drupal7 packages. For the detailed security status of drupal7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/drupal7 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl7NhRgACgkQEMKTtsN8 TjZELQ//ao+AlYru8sTlC4Axs1r3QfXyq/FFn55C2faDkZonWP3+S4O5GjJaDwcH q9J1OBhvlkTsRkP55qGplUi9pLxs8OTdnJD5VnRXsvijVEhhZ5DOYnLJcLQ5Ggq5 Io8ImGbrGY64qItxmEXUyFfI0YrJ/s1aagUBodORaF6yeJ6DwqIxRVRBS4A3UD61 AH0u/cw69y7WHf1FLpPYAWZSZ0lzkPFxUbi8DlYzwPZApQfhOFCYoWjdziUbxZUU yZH8M0CORFG2ron8K+sbgKPpepRc6u55OxYU1WxzejJSfKKnGhhaNBrztbgomtIB pLQ+BSB2tD5iOR/QcdXgmhhTrApUSiR6dF2iPwXt1Bo2+1l2ChEVYfi1q1ggTx5O e6xulfy+3xSPI4afi4gL1KTHJkg9OZnU1pST3kSxBp/gp+/I473EYqwzhlB14msU SqNy5kId+GsYzMsvcufbOEsqR2ffAGDz9RNPF7NkfphvAT9YyaXq0kgmnxtMiac1 Um1/7oDh4dZBTzFNnvWRYWQcydgfDvEzW1TQdCd2hp8YTXjhCFNeJrxQx0O9eLxv jcWC+z0rfQeiUAk7VtqeoCDRS6deVxm1TfXXcV0vgyKGQh5/FBVo9V2L9ag/8phO 0l0TPROG766wZDooBFXNWerf85AT5zCIFopeZopPyuQNIjJA2UU= =yOQd -----END PGP SIGNATURE----- . Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. Security Fix(es): * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) * jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) * jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041) * sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047) * woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152) * bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * nodejs-moment: Regular expression denial of service (CVE-2017-18214) * wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jettison: parser crash by stackoverflow (CVE-2022-40149) * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150) * jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693) * CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364) 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/): JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001 JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001 JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001 JBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9 JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001 JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001 JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001 JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001 JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001 JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001 JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001 JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002 JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001 JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001 JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003 JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2 JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001 JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001 7. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section. Bugs fixed (https://bugzilla.redhat.com/): 871208 - ipa sudorule-add-user should accept external users 1340463 - [RFE] Implement pam_pwquality featureset in IPA password policies 1357495 - ipa command provides stack trace when provided with single hypen commands 1484088 - [RFE]: Able to browse different links from IPA web gui in new tabs 1542737 - Incorrect certs are being updated with "ipa-certupdate" 1544379 - ipa-client-install changes system wide ssh configuration 1660877 - kinit is failing due to overflow in Root CA certificate's timestamp 1779981 - ipa-cert-fix warning message should use commercial name for the product. 1780328 - ipa-healthcheck - Mention that the default output format is JSON. 1780510 - Source 'ipahealthcheck.ipa.topology' not found is displayed when ipactl service is stopped 1780782 - ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg 1784657 - Unlock user accounts after a password reset and replicate that unlock to all IdM servers 1809215 - Man page has incorrect examples; log location for healthcheck tool 1810148 - ipa-server-certinstall raises exception when installing IPA-issued web server cert 1812871 - Intermittent IdM Client Registration Failures 1824193 - Add Directory Server Healthchecks from lib389 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 1851835 - [RFE] IdM short-term certificates ACME provider 1857272 - negative option for token.mechanism not working correctly 1860129 - ipa trust-add fails when FIPS enabled 1866558 - ipa-healthcheck --input-file returns 1 on exit 1872603 - KRA Transport and Storage Certificates do not renew 1875001 - It is not possible to edit KDC database when the FreeIPA server is running 1882340 - nsslapd-db-locks patching no longer works 1891056 - ipa-kdb: support subordinate/superior UPN suffixes 1891505 - ipa-healthcheck returns msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}" 1891735 - [Rebase] Rebase bind-dyndb-ldap to the recent upstream release 1891741 - [Rebase] Rebase slapi-nis to recent upstream release 1891832 - [Rebase] Rebase FreeIPA to a recent upstream release 1891850 - [Rebase] Rebase ipa-healthcheck to 0.7 upstream release 1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing 1901068 - Traceback while doing ipa-backup 1902173 - Uninstallation of IPA server with KRA installed displays 'ERROR: subprocess.CalledProcessError:' 1902727 - ipa-acme-manage enable fails after upgrade 1903025 - test failure in test_acme.py::TestACME::test_third_party_certs 1904484 - [Rebase] Rebase opendnssec to 2.1.7 1904612 - bind-dyndb-ldap: Rebased bind modifies so versions 1905919 - ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'" 1909876 - ipa uninstall fails when dns not installed 1912845 - ipa-certupdate drops profile from the caSigningCert tracking 1922955 - Resubmitting KDC cert fails with internal server error 1923900 - Samba on IdM member failure 1924026 - Fix upstream test test_trust.py::test_subordinate_suffix 1924501 - ipa-client-install: Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 7 1924812 - Fix upstream test test_smb.py::TestSMB::test_authentication_with_smb_cifs_principal_alias 1925410 - Cannot delete sudocmd with typo error e.g. "/usr/sbin/reboot." 1926699 - avc denial for gpg-agent with systemd-run 1926910 - ipa cert-remove-hold <invalid_cert_id> returns an incorrect error message 1928900 - Support new baseURL config option for ACME 1930426 - IPA krb5kdc crash possible doublefree ipadb_mspac_struct_free finish_process_as_req 1932289 - Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch 1939371 - ipa-client-install displays false message 'sudo binary does not seem to be present on this system' 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202007-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ <https://security.gentoo.org/> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Cacti: Multiple vulnerabilities Date: July 26, 2020 Bugs: #728678, #732522 ID: 202007-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Cacti, the worst of which could result in the arbitrary execution of code. Background ========== Cacti is a complete frontend to rrdtool. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/cacti < 1.2.13 >= 1.2.13 2 net-analyzer/cacti-spine < 1.2.13 >= 1.2.13 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Cacti users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-1.2.13" All Cacti Spine users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=net-analyzer/cacti-spine-1.2.13" References ========== [ 1 ] CVE-2020-11022 https://nvd.nist.gov/vuln/detail/CVE-2020-11022 <https://nvd.nist.gov/vuln/detail/CVE-2020-11022> [ 2 ] CVE-2020-11023 https://nvd.nist.gov/vuln/detail/CVE-2020-11023 <https://nvd.nist.gov/vuln/detail/CVE-2020-11023> [ 3 ] CVE-2020-14295 https://nvd.nist.gov/vuln/detail/CVE-2020-14295 <https://nvd.nist.gov/vuln/detail/CVE-2020-14295> Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202007-03 <https://security.gentoo.org/glsa/202007-03> Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org <mailto:security@gentoo.org> or alternatively, you may file a bug at https://bugs.gentoo.org <https://bugs.gentoo.org/>. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 <https://creativecommons.org/licenses/by-sa/2.5> . Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Virtualization security, bug fix, and enhancement update Advisory ID: RHSA-2020:3807-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2020:3807 Issue date: 2020-09-23 CVE Names: CVE-2020-8203 CVE-2020-11022 CVE-2020-11023 CVE-2020-14333 ==================================================================== 1. Summary: An update is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch 3. Description: The org.ovirt.engine-root is a core component of oVirt. The following packages have been upgraded to a later upstream version: ansible-runner-service (1.0.5), org.ovirt.engine-root (4.4.2.3), ovirt-engine-dwh (4.4.2.1), ovirt-engine-extension-aaa-ldap (1.4.1), ovirt-engine-ui-extensions (1.2.3), ovirt-log-collector (4.4.3), ovirt-web-ui (1.6.4), rhvm-branding-rhv (4.4.5), rhvm-dependencies (4.4.1), vdsm-jsonrpc-java (1.5.5). (BZ#1674420, BZ#1866734) A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/ht ml-single/technical_notes Security Fix(es): * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) * ovirt-engine: Reflected cross site scripting vulnerability (CVE-2020-14333) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Cannot assign direct LUN from FC storage - grayed out (BZ#1625499) * VM portal always asks how to open console.vv even it has been set to default application. (BZ#1638217) * RESTAPI Not able to remove the QoS from a disk profile (BZ#1643520) * On OVA import, qemu-img fails to write to NFS storage domain (BZ#1748879) * Possible missing block path for a SCSI host device needs to be handled in the UI (BZ#1801206) * Scheduling Memory calculation disregards huge-pages (BZ#1804037) * Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. (BZ#1804046) * In Admin Portal, "Huge Pages (size: amount)" needs to be clarified (BZ#1806339) * Refresh LUN is using host from different Data Center to scan the LUN (BZ#1838051) * Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal (BZ#1843234) * [RHV-CNV] - NPE when creating new VM in cnv cluster (BZ#1854488) * [CNV&RHV] Add-Disk operation failed to complete. (BZ#1855377) * Cannot create KubeVirt VM as a normal user (BZ#1859460) * Welcome page - remove Metrics Store links and update "Insights Guide" link (BZ#1866466) * [RHV 4.4] Change in CPU model name after RHVH upgrade (BZ#1869209) * VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. (BZ#1871235) * spec_ctrl host feature not detected (BZ#1875609) Enhancement(s): * [RFE] API for changed blocks/sectors for a disk for incremental backup usage (BZ#1139877) * [RFE] Improve workflow for storage migration of VMs with multiple disks (BZ#1749803) * [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots (BZ#1763812) * [RFE] enhance search filter for Storage Domains with free argument (BZ#1819260) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1625499 - Cannot assign direct LUN from FC storage - grayed out 1638217 - VM portal always asks how to open console.vv even it has been set to default application. 1643520 - RESTAPI Not able to remove the QoS from a disk profile 1674420 - [RFE] - add support for Cascadelake-Server CPUs (and IvyBridge) 1748879 - On OVA import, qemu-img fails to write to NFS storage domain 1749803 - [RFE] Improve workflow for storage migration of VMs with multiple disks 1758024 - Long running Ansible tasks timeout and abort for RHV-H hosts with STIG/Security Profiles applied 1763812 - [RFE] Move the Remove VM button to the drop down menu when viewing details such as snapshots 1778471 - Using more than one asterisk in LDAP search string is not working when searching for AD users. 1787854 - RHV: Updating/reinstall a host which is part of affinity labels is removed from the affinity label. 1801206 - Possible missing block path for a SCSI host device needs to be handled in the UI 1803856 - [Scale] ovirt-vmconsole takes too long or times out in a 500+ VM environment. 1804037 - Scheduling Memory calculation disregards huge-pages 1804046 - Engine does not reduce scheduling memory when a VM with dynamic hugepages runs. 1806339 - In Admin Portal, "Huge Pages (size: amount)" needs to be clarified 1816951 - [CNV&RHV] CNV VM migration failure is not handled correctly by the engine 1819260 - [RFE] enhance search filter for Storage Domains with free argument 1826255 - [CNV&RHV]Change name of type of provider - CNV -> OpenShift Virtualization 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1831949 - RESTAPI javadoc contains missing information about assigning IP address to NIC 1831952 - RESTAPI contains malformed link around JSON representation fo the cluster 1831954 - RESTAPI javadoc contains malformed link around oVirt guest agent 1831956 - RESTAPI javadoc contains malformed link around time zone representation 1838051 - Refresh LUN is using host from different Data Center to scan the LUN 1841112 - not able to upload vm from OVA when there are 2 OVA from the same vm in same directory 1843234 - Unable to create Windows VM's with Mozilla Firefox version 74.0.1 and greater for RHV-M GUI/Webadmin portal 1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 1854488 - [RHV-CNV] - NPE when creating new VM in cnv cluster 1855377 - [CNV&RHV] Add-Disk operation failed to complete. 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function 1858184 - CVE-2020-14333 ovirt-engine: Reflected cross site scripting vulnerability 1859460 - Cannot create KubeVirt VM as a normal user 1860907 - Upgrade bundled GWT to 2.9.0 1866466 - Welcome page - remove Metrics Store links and update "Insights Guide" link 1866734 - [DWH] Rebase bug - for the 4.4.2 release 1869209 - [RHV 4.4] Change in CPU model name after RHVH upgrade 1869302 - ansible 2.9.12 - host deploy fixes 1871235 - VM vm-name is down with error. Exit message: unsupported configuration: Can't add USB input device. USB bus is disabled. 1875609 - spec_ctrl host feature not detected 1875851 - Web Admin interface broken on Firefox ESR 68.11 6. Package List: RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4: Source: ansible-runner-service-1.0.5-1.el8ev.src.rpm ovirt-engine-4.4.2.3-0.6.el8ev.src.rpm ovirt-engine-dwh-4.4.2.1-1.el8ev.src.rpm ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.2.3-1.el8ev.src.rpm ovirt-log-collector-4.4.3-1.el8ev.src.rpm ovirt-web-ui-1.6.4-1.el8ev.src.rpm rhvm-branding-rhv-4.4.5-1.el8ev.src.rpm rhvm-dependencies-4.4.1-1.el8ev.src.rpm vdsm-jsonrpc-java-1.5.5-1.el8ev.src.rpm noarch: ansible-runner-service-1.0.5-1.el8ev.noarch.rpm ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-backend-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-dbscripts-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-dwh-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.4.2.1-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-1.4.1-1.el8ev.noarch.rpm ovirt-engine-extension-aaa-ldap-setup-1.4.1-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-restapi-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-base-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-tools-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-tools-backup-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.2.3-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.4.2.3-0.6.el8ev.noarch.rpm ovirt-log-collector-4.4.3-1.el8ev.noarch.rpm ovirt-web-ui-1.6.4-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.4.2.3-0.6.el8ev.noarch.rpm rhvm-4.4.2.3-0.6.el8ev.noarch.rpm rhvm-branding-rhv-4.4.5-1.el8ev.noarch.rpm rhvm-dependencies-4.4.1-1.el8ev.noarch.rpm vdsm-jsonrpc-java-1.5.5-1.el8ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8203 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/cve/CVE-2020-14333 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX2t0HtzjgjWX9erEAQhpWg/+KolNmhmQCrst8TmYsC2IgSdHP+q0LKLj gdPZYu0ixOpwLLiAhrsoDXqL3H3w7UDSKkSISgPMEqEde4Vp+zI37O1q3E/P7CAj rfLGuL1UDEiy0q0g1BP13GrPlg6K4fR5wQAnTB6vD/ZY+wd50Z0T+NGAxd2w68bM R5q1kSOUPc4AZt25FORU2cmp775Y7DWazMWHC77uiJHgyCwVqLtdO09iEnglZDKJ BynwyT8exZKXxmmpE4QZ4X7wNo3Y0mTiRZo5eyxxQpwj9X+qw1V+pBdtMH/C1yhk J+X1f+wDoe2jCx2bqPXqp6EgFSHnJNt96jV0oTdD0f8rMgWcBDStNXdagPBmBCBp t+Kq3BZx0Oqkig4f+DCEmoS0V0fB9UQLg0Q/M9p1bTfYQkbn+BMHL7CAp8UyAzPH A1HlnP7TtQgplFvoap82xt2pXh97VvI6x3sBGHyW4Fz0SykhRYx3dAgmqy5nEssl 5ApWZ87M3l+2tUh4ZOJAtzRDt9sL5KQsXjp1jZaK/gWBsL4Suzr9AIrs4NmRmXnY TzxdXgIY6C+dWmB4TPhcJE5etcvtorqvs93d47yBdpRyO/IlbEw0vLUBdVZZuj9N mqp6RcHqDKm6Yv4B73Ud5my44wSRWVWtBxO6fivQOQG7iqCyIlA3M3LUMkVy+fxc bvmOI0eIsZw=Jhpi -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

xss

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-21T19:57:15.342000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE