ID

VAR-202103-1464

CVE

CVE-2021-3449

TITLE

Debian Security Advisory 4875-1

DESCRIPTION

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). OpenSSL is an open source general encryption library of the Openssl team that can implement the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. Additional details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20210325.txt For the stable distribution (buster), this problem has been fixed in version 1.1.1d-0+deb10u6. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmBcru1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0S4mQ//TejQ2VdmmRyQT6iSB6p9zu55Aq/cDlOaW+i338XKwZyI/AxvA+KMohGb 3xquLt4F9xaqT/I6jEUXRvev/y5+gsF3F6bIDczkR/3YG6YivWOXbcBXqIa8Z+NF F2xcz33R3iMZyLh03N4iw7LaZmCTcXFXgsdpDpGv/SM0Ze7B44GRA9znYtoHWqJk Mbk/ddsCQOYNRPccO+tfLzRKlNmoSIDDTbrPdAnETEevgVDbIHTyh/Wiv3BR/leV YHzEGMZ7EQlCrt7V7DoYp2/tXfmxVbrvw0ZOnyGnrfn/wVgaYhxbYhhP9LqszDgL 0z/KGOOIVs4Kqjos3d5QBymA9M1QNzBbfcH+QV3NmqqmOLHfHEFSGmd/JsCX1H7/ xZo3lFCaLAexZwcwa0cQ8AyZuaBnLmpSKoVb9Oo+MAKiPmmjEJ/IBOF4/qnwlLa6 jJ79/fq/SMV3+Unf4wtNrLV1W/J5Yhio1WIOVYzmIYrCcHpHDT3gtC9LC3IOIVCS ddJJtMB43092Z1knlfujhnEcTrVDxadcW8vce7vkFnErux7cTNSyEKdZ4afUOZP8 nxFDffPylMfvZXVS+Bp1668GiGfVAN9e+cIhy6RatkM2CMx63mZq3tXMfpT6wzps us3U1xgIgTZabZhyyuQGPFwpxLxnc32y26wgCxMjOHtmXdP8T5s= =r6Ce -----END PGP SIGNATURE----- . See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.3/html/release_notes/ Security: * fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321) * fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21322) * nodejs-netmask: improper input validation of octal input data (CVE-2021-28918) * redis: Integer overflow via STRALGO LCS command (CVE-2021-29477) * redis: Integer overflow via COPY command for large intsets (CVE-2021-29478) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377) * oras: zip-slip vulnerability via oras-pull (CVE-2021-21272) * redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309) * nodejs-lodash: command injection via template (CVE-2021-23337) * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364) * nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369) * nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383) * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) * nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292) * grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) * nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092) * nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418) * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) * html-parse-stringify: Regular Expression DoS (CVE-2021-23346) * openssl: incorrect SSLv2 rollback protection (CVE-2021-23839) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section. Bugs: * RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444) * cluster became offline after apiserver health check (BZ# 1942589) 3. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913444 - RFE Make the source code for the endpoint-metrics-operator public 1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull 1927520 - RHACM 2.3.0 images 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms 1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call 1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS 1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service 1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service 1942589 - cluster became offline after apiserver health check 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character 1944827 - CVE-2021-28918 nodejs-netmask: improper input validation of octal input data 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command 1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions 1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id 1983131 - Defragmenting an etcd member doesn't reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters 5. Bug fix: * RHACM 2.0.10 images (BZ #1940452) 3. Bugs fixed (https://bugzilla.redhat.com/): 1940452 - RHACM 2.0.10 images 1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function 5. Bug Fix(es): * Documentation is referencing deprecated API for Service Export - Submariner (BZ#1936528) * Importing of cluster fails due to error/typo in generated command (BZ#1936642) * RHACM 2.2.2 images (BZ#1938215) * 2.2 clusterlifecycle fails to allow provision `fips: true` clusters on aws, vsphere (BZ#1941778) 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 5.4.2 Security Update Advisory ID: RHSA-2021:1196-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2021:1196 Issue date: 2021-04-14 CVE Names: CVE-2021-3449 CVE-2021-3450 ===================================================================== 1. Summary: Red Hat JBoss Web Server 5.4.2 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.4.2 serves as a replacement for Red Hat JBoss Web Server 5.4.1, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es): * openssl: NULL pointer dereference in signature_algorithms processing (CVE-2021-3449) * openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT 1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing 5. References: https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYHb9ptzjgjWX9erEAQgFCQ/7BJTSfq5w3doR0kSXLda2Obe3kHPppe5P yaCT135mIOJgWA+IRdupdmrXrnVdXPAW1EmRn6AgWVzb+94LavgHq0ZZoMlMTgRD mVhmmfnp9X7/PmrDjqoo/th07yWbTzl9j6x6fOP1OJRnFMFyBgX6ZqFGskft+ca0 VWuMr5iyWgLJElh0o2kaJPP5FuzJ79oSQv2MfzS/gGy/gOK3agvXsqSQLLS70TI1 E2mBi8Vcvqwo67GDgDdABa+8cQxgqm6+UqOCs38tLUwGtgU6bqeC855b23HNpyyQ 2D9JH4V32QO28Bjt40u4oFuZ6Ds2uCPJD0KpworxXBvCX/spU0K5N/5To2c09xP/ UkmsnTnKtH1Er0Xxz9V27i1W3tIE6fgvbBYCbDv204criLwGQYv5BOD/1blwpX9a 9Ds4fWKBtO80+9prcJfWYNlFHRuifcte+AGwJWGkbmL1eatj8KobYTvxEtlL25+R u9sRNpdMEWz3yjbBB0W2XiziXuflPNOYg8DWWncAKdmwPBL6VsInUYMv6r+/7JBT gvViapJZfJJlbD/LB/7E6r6OFt51BfHBLdib5PR9uXy45pszRFpiG+rUbCBmBWCs 1EqVn9jnu/0E7WIc49Wg+jwCyQcGNJmbOGMcxHTvvdi4XvwuJyJF/zXQfqFSQ0V6 HG1YdwtAWR8= =p16h -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat Advanced Cluster Management for Kubernetes 2.1.6 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. Bug fixes: * RHACM 2.1.6 images (BZ#1940581) * When generating the import cluster string, it can include unescaped characters (BZ#1934184) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.1/html/install/installing#upgrading-by-using-the-op erator 4. Bugs fixed (https://bugzilla.redhat.com/): 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation 1934184 - When generating the import cluster string, it can include unescaped characters 1940581 - RHACM 2.1.6 images 5. ========================================================================== Ubuntu Security Notice USN-5038-1 August 12, 2021 postgresql-10, postgresql-12, postgresql-13 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-13: Object-relational SQL database - postgresql-12: Object-relational SQL database - postgresql-10: Object-relational SQL database Details: It was discovered that the PostgresQL planner could create incorrect plans in certain circumstances. A remote attacker could use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly obtain sensitive information from memory. (CVE-2021-3677) It was discovered that PostgreSQL incorrectly handled certain SSL renegotiation ClientHello messages from clients. A remote attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service. (CVE-2021-3449) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: postgresql-13 13.4-0ubuntu0.21.04.1 Ubuntu 20.04 LTS: postgresql-12 12.8-0ubuntu0.20.04.1 Ubuntu 18.04 LTS: postgresql-10 10.18-0ubuntu0.18.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. Security Fix(es): * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196) It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. Solution: See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.8/html/serverless/index 4. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

code execution

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-21T22:53:42.817000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE