ID

VAR-202102-1092

CVE

CVE-2021-27218

TITLE

GNOME GLib  Vulnerability in conversion between numeric types in

DESCRIPTION

An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation. GNOME GLib Is vulnerable to a conversion error between numeric types.Denial of service (DoS) It may be put into a state. Currently there is no information about this vulnerability. Please keep an eye on CNNVD or manufacturer announcements. Description: Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring. Solution: The Service Telemetry Framework container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References). Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/): 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. 8) - noarch 3. The following packages have been upgraded to a later upstream version: mingw-glib2 (2.66.7). Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: glib2-2.56.4-10.el8_4.1.src.rpm aarch64: glib2-2.56.4-10.el8_4.1.aarch64.rpm glib2-debuginfo-2.56.4-10.el8_4.1.aarch64.rpm glib2-debugsource-2.56.4-10.el8_4.1.aarch64.rpm glib2-devel-2.56.4-10.el8_4.1.aarch64.rpm glib2-devel-debuginfo-2.56.4-10.el8_4.1.aarch64.rpm glib2-fam-2.56.4-10.el8_4.1.aarch64.rpm glib2-fam-debuginfo-2.56.4-10.el8_4.1.aarch64.rpm glib2-tests-2.56.4-10.el8_4.1.aarch64.rpm glib2-tests-debuginfo-2.56.4-10.el8_4.1.aarch64.rpm ppc64le: glib2-2.56.4-10.el8_4.1.ppc64le.rpm glib2-debuginfo-2.56.4-10.el8_4.1.ppc64le.rpm glib2-debugsource-2.56.4-10.el8_4.1.ppc64le.rpm glib2-devel-2.56.4-10.el8_4.1.ppc64le.rpm glib2-devel-debuginfo-2.56.4-10.el8_4.1.ppc64le.rpm glib2-fam-2.56.4-10.el8_4.1.ppc64le.rpm glib2-fam-debuginfo-2.56.4-10.el8_4.1.ppc64le.rpm glib2-tests-2.56.4-10.el8_4.1.ppc64le.rpm glib2-tests-debuginfo-2.56.4-10.el8_4.1.ppc64le.rpm s390x: glib2-2.56.4-10.el8_4.1.s390x.rpm glib2-debuginfo-2.56.4-10.el8_4.1.s390x.rpm glib2-debugsource-2.56.4-10.el8_4.1.s390x.rpm glib2-devel-2.56.4-10.el8_4.1.s390x.rpm glib2-devel-debuginfo-2.56.4-10.el8_4.1.s390x.rpm glib2-fam-2.56.4-10.el8_4.1.s390x.rpm glib2-fam-debuginfo-2.56.4-10.el8_4.1.s390x.rpm glib2-tests-2.56.4-10.el8_4.1.s390x.rpm glib2-tests-debuginfo-2.56.4-10.el8_4.1.s390x.rpm x86_64: glib2-2.56.4-10.el8_4.1.i686.rpm glib2-2.56.4-10.el8_4.1.x86_64.rpm glib2-debuginfo-2.56.4-10.el8_4.1.i686.rpm glib2-debuginfo-2.56.4-10.el8_4.1.x86_64.rpm glib2-debugsource-2.56.4-10.el8_4.1.i686.rpm glib2-debugsource-2.56.4-10.el8_4.1.x86_64.rpm glib2-devel-2.56.4-10.el8_4.1.i686.rpm glib2-devel-2.56.4-10.el8_4.1.x86_64.rpm glib2-devel-debuginfo-2.56.4-10.el8_4.1.i686.rpm glib2-devel-debuginfo-2.56.4-10.el8_4.1.x86_64.rpm glib2-fam-2.56.4-10.el8_4.1.x86_64.rpm glib2-fam-debuginfo-2.56.4-10.el8_4.1.i686.rpm glib2-fam-debuginfo-2.56.4-10.el8_4.1.x86_64.rpm glib2-tests-2.56.4-10.el8_4.1.x86_64.rpm glib2-tests-debuginfo-2.56.4-10.el8_4.1.i686.rpm glib2-tests-debuginfo-2.56.4-10.el8_4.1.x86_64.rpm Red Hat CodeReady Linux Builder (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GLib: Multiple vulnerabilities Date: July 07, 2021 Bugs: #768753, #775632 ID: 202107-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in GLib, the worst of which could result in the arbitrary execution of code. Background ========== GLib is a library providing a number of GNOME's core objects and functions. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/glib < 2.66.8 >= 2.66.8 Description =========== Multiple vulnerabilities have been discovered in GLib. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All GLib users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.66.8" References ========== [ 1 ] CVE-2021-27218 https://nvd.nist.gov/vuln/detail/CVE-2021-27218 [ 2 ] CVE-2021-27219 https://nvd.nist.gov/vuln/detail/CVE-2021-27219 [ 3 ] CVE-2021-28153 https://nvd.nist.gov/vuln/detail/CVE-2021-28153 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202107-13 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . Software Description: - glib2.0: GLib library of C routines Details: Krzesimir Nowak discovered that GLib incorrectly handled certain large buffers. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-27218) Kevin Backhouse discovered that GLib incorrectly handled certain memory allocations. A remote attacker could use this issue to cause applications linked to GLib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-27219) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: libglib2.0-0 2.66.1-2ubuntu0.1 Ubuntu 20.04 LTS: libglib2.0-0 2.64.6-1~ubuntu20.04.2 Ubuntu 18.04 LTS: libglib2.0-0 2.56.4-0ubuntu0.18.04.7 Ubuntu 16.04 LTS: libglib2.0-0 2.48.2-0ubuntu4.7 After a standard system update you need to restart your session to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: ACS 3.64 security and enhancement update Advisory ID: RHSA-2021:3146-01 Product: RHACS Advisory URL: https://access.redhat.com/errata/RHSA-2021:3146 Issue date: 2021-08-11 CVE Names: CVE-2021-27218 CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 ==================================================================== 1. Summary: Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). * Red Hat Product Security has rated this update as having a "Moderate" security impact. * A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the references section. 2. Description: New Features The release of RHACS 3.64 provides the following new features: 1. You can now use deployment and namespace annotations to define where RHACS sends the violation notifications when configuring your notifiers such as Slack, Microsoft Teams, Email, and others. 2. The Red Hat Advanced Cluster Security Operator now supports the ability to allow users to set the enforcement behavior of the admission controller as part of their custom resource. 3. RHACS now supports kernel modules for Ubuntu 16.04 LTS with extended security maintenance (ESM). Security Fixes The release of RHACS 3.64 provides the following security fixes: * golang: `net` lookup functions may return invalid hostnames (CVE-2021-33195) * golang: `net/http/httputil` ReverseProxy forwards connection headers if the first one is empty (CVE-2021-33197) * golang: `math/big.Rat` may cause panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: `crypto/tls` certificate of the wrong type is causing TLS client to panic (CVE-2021-34558) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages in the references section. System changes The release of RHACS 3.64 includes the following system changes: 1. RHACS now pre-fixes the optional security context constraint name with `stackrox` to avoid global naming conflicts. 2. Previously, violations for `port forwards` and `exec` events did not contain information about the user who performed the action that generated the events. The violations now include the user context. 3. The cluster init bundles contain the secrets required for internal RHACS services to communicate with each other. You can delete these to rotate secrets, which have previously sometimes caused outages. This update includes a new deletion workflow that warns about the possible impact of deletion on your environment. 4. The OpenShift compliance operator uses `rpm` only for querying, and it does not install any packages. Therefore, this update includes a policy exception for this pod by default to reduce the violations count. 3. Solution: To take advantage of these new features and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.64 4. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 5. JIRA issues fixed (https://issues.jboss.org/): RHACS-25 - Release RHACS 3.64 6. References: https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://docs.openshift.com/acs/release_notes/364-release-notes.html https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYRR/dtzjgjWX9erEAQiwMg/8DLRIyhV+QWOxDgfkSsEB7xtCZGtXtaFG xj8HX+yxGvYOCZVLNK+6CR2qhr8MI28QtU4UFhO6WlbyEByVVq6tNJV6Db/ismsX 6+JTK18O+EGEjVK4dhnuvv9+u/155X6UXe60gZxcOmHI/tIiqf7Tz4TmKMsXb02R OPpgOBOEtEEbn9HiJJ9LXiaDyjKB1vSkgLv0RS4M2nvHq9XVUjLPaBq2uroSlCYr Xcne7F2mtEkltGfL3Za4hEaywSZBD0rJe0a5GS/91m3s4SgQvFTs5g4+suBxSjFG AaLpRfMuhWxpgQqYCtTswvUcMi3wsrbNgDtZN3atRruo6RlLCVVpcrDlGRD5/fxn G2YMeSg0WAJhQdU93OYpyGBdhoVdkITjqCV0TsUSDQp77gxfiZ3f+eCybxiCmeil Apb4CypEPucVBzfEi9cCJyNxQLM4p8vzCOF0qS4xiRA9ZDrwvRbdZcjsxKhczLIb gAxLesiu7tfCqLT8Yy4CqCaMlEhSS049jhj6jzlWzRmO0rgpGQfWD1hIlixV+3Xh 4URAmkmE5CRHs6kc6tT4XIS4XcAzn3TvVrMw8yo+bZFGzFMqIvYmhBxaUyYIWdZN /5zbh8OBC2KCqHyQAcL11qnid+o2cnl4mZs+gSwqOGxx8nqKrHPtnTaa2ZMXodJI QjlOAcComy8=OnA7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 1998818 - virt-handler Pod is missing xorrisofs command 1998983 - 4.8.2 containers 2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed 2001038 - Importer attempts to shrink an image in certain situations 2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import 5. Bugs fixed (https://bugzilla.redhat.com/): 2000734 - CVE-2021-3757 nodejs-immer: prototype pollution may lead to DoS or remote code execution 2005438 - Combining Rsync and Stunnel in a single pod can degrade performance (1.5 backport) 2006842 - MigCluster CR remains in "unready" state and source registry is inaccessible after temporary shutdown of source cluster 2007429 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration 2022017 - CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC) 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-07T22:46:13.148000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE