Docker centos:7.3.1611

Vulnerabilities

174 via 174 paths

Dependencies

142

Source

Docker

Target OS

centos:7
Severity
  • 48
  • 105
  • 21
Status
  • 174
  • 0
  • 0

high severity

RHSA-2017:0062

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-38.el7_3.1

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • A denial of service flaw was found in the way BIND processed a response to an ANY query. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9131)
  • A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9147)
  • A denial of service flaw was found in the way BIND handled an unusually-formed DS record response. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-9444)

Red Hat would like to thank ISC for reporting these issues.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-38.el7_3.1 or higher.

high severity

RHSA-2017:1095

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-38.el7_3.3

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2017-3137)
  • A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3136)

Red Hat would like to thank ISC for reporting these issues. Upstream acknowledges Oleg Gorokhov (Yandex) as the original reporter of CVE-2017-3136.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-38.el7_3.3 or higher.

high severity

RHSA-2017:1680

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-50.el7_3.1

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143)
  • A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142)

Red Hat would like to thank Internet Systems Consortium for reporting these issues. Upstream acknowledges Clement Berthaux (Synacktiv) as the original reporter of these issues.

Bug Fix(es):

  • ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1459649)

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-50.el7_3.1 or higher.

high severity

RHSA-2018:0102

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-51.el7_4.2

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially crafted DNS request. (CVE-2017-3145)

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Jayachandran Palanisamy (Cygate AB) as the original reporter.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-51.el7_4.2 or higher.

high severity

RHSA-2018:2570

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-61.el7_5.1

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service (CVE-2018-5740)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Tony Finch (University of Cambridge) as the original reporter.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-61.el7_5.1 or higher.

high severity

RHSA-2019:1294

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-74.el7_6.1

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-74.el7_6.1 or higher.

high severity

RHSA-2020:2344

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-16.P2.el7_8.6

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: BIND does not sufficiently limit the number of fetches performed when processing referrals (CVE-2020-8616)
  • bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c (CVE-2020-8617)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-16.P2.el7_8.6 or higher.

high severity

RHSA-2021:0671

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-26.P2.el7_9.4

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-26.P2.el7_9.4 or higher.

high severity

RHSA-2021:1469

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-26.P2.el7_9.5

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-26.P2.el7_9.5 or higher.

high severity

RHSA-2020:2894

  • Vulnerable module: dbus
  • Introduced through: dbus@1:1.6.12-17.el7
  • Fixed in: 1:1.10.24-14.el7_8

Detailed paths

  • Introduced through: centos:7.3.1611@* dbus@1:1.6.12-17.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus package. See Remediation section below for Centos:7 relevant versions.

D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility.

Security Fix(es):

  • dbus: denial of service via file descriptor leak (CVE-2020-12049)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 dbus to version 1:1.10.24-14.el7_8 or higher.

high severity

RHSA-2020:2894

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.6.12-17.el7
  • Fixed in: 1:1.10.24-14.el7_8

Detailed paths

  • Introduced through: centos:7.3.1611@* dbus-libs@1:1.6.12-17.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus-libs package. See Remediation section below for Centos:7 relevant versions.

D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility.

Security Fix(es):

  • dbus: denial of service via file descriptor leak (CVE-2020-12049)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 dbus-libs to version 1:1.10.24-14.el7_8 or higher.

high severity

RHBA-2018:0042

  • Vulnerable module: dracut
  • Introduced through: dracut@033-463.el7
  • Fixed in: 0:033-502.el7_4.1

Detailed paths

  • Introduced through: centos:7.3.1611@* dracut@033-463.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream dracut package. See Remediation section below for Centos:7 relevant versions.

The dracut packages contain an event-driven initial RAM file system (initramfs) generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition.

This update fixes the following bug:

  • Microcode on AMD family 16h processors was not updated early in the boot process. With this bug fix, the issue is addressed. (BZ#1526943)

Users of dracut are advised to upgrade to these updated packages, which fix this bug.

Remediation

Upgrade Centos:7 dracut to version 0:033-502.el7_4.1 or higher.

high severity

RHSA-2021:2147

  • Vulnerable module: glib2
  • Introduced through: glib2@2.46.2-4.el7
  • Fixed in: 0:2.56.1-9.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* glib2@2.46.2-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:7 relevant versions.

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

Security Fix(es):

  • glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 glib2 to version 0:2.56.1-9.el7_9 or higher.

high severity

RHSA-2017:1481

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-157.el7_3.4

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366)

Red Hat would like to thank Qualys Research Labs for reporting this issue.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-157.el7_3.4 or higher.

high severity

RHSA-2017:1481

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-157.el7_3.4

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366)

Red Hat would like to thank Qualys Research Labs for reporting this issue.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-157.el7_3.4 or higher.

high severity

RHSA-2018:2181

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.0.22-4.el7
  • Fixed in: 0:2.0.22-5.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* gnupg2@2.0.22-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream gnupg2 package. See Remediation section below for Centos:7 relevant versions.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards.

Security Fix(es):

  • gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 gnupg2 to version 0:2.0.22-5.el7_5 or higher.

high severity

RHSA-2019:0679

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.el7_2.1
  • Fixed in: 0:1.4.3-12.el7_6.2

Detailed paths

  • Introduced through: centos:7.3.1611@* libssh2@1.4.3-10.el7_2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Centos:7 relevant versions.

The libssh2 packages provide a library that implements the SSH2 protocol.

Security Fix(es):

  • libssh2: Integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
  • libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
  • libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
  • libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes (CVE-2019-3863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 libssh2 to version 0:1.4.3-12.el7_6.2 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.0.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4).

Security Fix(es):

  • An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:7 nss to version 0:3.28.4-1.0.el7_3 or higher.

high severity

RHSA-2017:1365

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.2.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)

Bug Fix(es):

  • The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)

Remediation

Upgrade Centos:7 nss to version 0:3.28.4-1.2.el7_3 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-12.el7_4

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:7 nss to version 0:3.28.4-12.el7_4 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-7.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

Security Fix(es):

  • nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745)
  • nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss to version 0:3.44.0-7.el7_7 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.16.2.3-14.4.el7
  • Fixed in: 0:3.44.0-8.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

Security Fix(es):

  • nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745)
  • nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss-softokn to version 0:3.44.0-8.el7_7 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.16.2.3-14.4.el7
  • Fixed in: 0:3.44.0-8.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn-freebl@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries.

Security Fix(es):

  • nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745)
  • nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss-softokn-freebl to version 0:3.44.0-8.el7_7 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.0.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4).

Security Fix(es):

  • An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.28.4-1.0.el7_3 or higher.

high severity

RHSA-2017:1365

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.2.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)

Bug Fix(es):

  • The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.28.4-1.2.el7_3 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-12.el7_4

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.28.4-12.el7_4 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-7.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.44.0-7.el7_7 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.0.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:7 nss-tools to version 0:3.28.4-1.0.el7_3 or higher.

high severity

RHSA-2017:1365

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-1.2.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502) Bug Fix(es): * The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)

Remediation

Upgrade Centos:7 nss-tools to version 0:3.28.4-1.2.el7_3 or higher.

high severity

RHSA-2017:2832

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.28.4-12.el7_4

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.

Remediation

Upgrade Centos:7 nss-tools to version 0:3.28.4-12.el7_4 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-7.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss-tools to version 0:3.44.0-7.el7_7 or higher.

high severity

RHSA-2017:1100

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.3-1.1.el7_3
  • Fixed in: 0:3.28.4-1.0.el7_3

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-util@3.21.3-1.1.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. The following packages have been upgraded to a newer upstream version: nss (3.28.4), nss-util (3.28.4). Security Fix(es): * An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. (CVE-2017-5461) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ronald Crane as the original reporter.

Remediation

Upgrade Centos:7 nss-util to version 0:3.28.4-1.0.el7_3 or higher.

high severity

RHSA-2019:4190

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.3-1.1.el7_3
  • Fixed in: 0:3.44.0-4.el7_7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-util@3.21.3-1.1.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. The nss-util packages provide utilities for use with the Network Security Services (NSS) libraries. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (CVE-2019-11729) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 nss-util to version 0:3.44.0-4.el7_7 or higher.

high severity

RHSA-2020:5566

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-21.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-21.el7_9 or higher.

high severity

RHSA-2018:1700

  • Vulnerable module: procps-ng
  • Introduced through: procps-ng@3.3.10-10.el7
  • Fixed in: 0:3.3.10-17.el7_5.2

Detailed paths

  • Introduced through: centos:7.3.1611@* procps-ng@3.3.10-10.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream procps-ng package. See Remediation section below for Centos:7 relevant versions.

The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix(es): * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec (CVE-2018-1124) * procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues (CVE-2018-1126) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Qualys Research Labs for reporting these issues.

Remediation

Upgrade Centos:7 procps-ng to version 0:3.3.10-17.el7_5.2 or higher.

high severity

RHSA-2019:0710

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-77.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-77.el7_6 or higher.

high severity

RHSA-2019:1587

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-80.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-80.el7_6 or higher.

high severity

RHSA-2019:0710

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-77.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-77.el7_6 or higher.

high severity

RHSA-2019:1587

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-80.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-80.el7_6 or higher.

high severity

RHSA-2020:0227

  • Vulnerable module: sqlite
  • Introduced through: sqlite@3.7.17-8.el7
  • Fixed in: 0:3.7.17-8.el7_7.1

Detailed paths

  • Introduced through: centos:7.3.1611@* sqlite@3.7.17-8.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite package. See Remediation section below for Centos:7 relevant versions.

SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Security Fix(es): * sqlite: fts3: improve shadow table corruption detection (CVE-2019-13734) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 sqlite to version 0:3.7.17-8.el7_7.1 or higher.

high severity

RHSA-2019:0049

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.2

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.

Remediation

Upgrade Centos:7 systemd to version 0:219-62.el7_6.2 or higher.

high severity

RHSA-2019:0368

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.5

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 systemd to version 0:219-62.el7_6.5 or higher.

high severity

RHSA-2019:0049

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.2

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd: Out-of-bounds heap write in systemd-networkd dhcpv6 option handling (CVE-2018-15688) * systemd: stack overflow when calling syslog from a command with long cmdline (CVE-2018-16864) * systemd: stack overflow when receiving many journald entries (CVE-2018-16865) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Ubuntu Security Team for reporting CVE-2018-15688 and Qualys Research Labs for reporting CVE-2018-16864 and CVE-2018-16865. Upstream acknowledges Felix Wilhelm (Google) as the original reporter of CVE-2018-15688.

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-62.el7_6.2 or higher.

high severity

RHSA-2019:0368

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.5

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-62.el7_6.5 or higher.

high severity

RHSA-2019:1619

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:7.4.160-1.el7
  • Fixed in: 2:7.4.160-6.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* vim-minimal@2:7.4.160-1.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream vim-minimal package. See Remediation section below for Centos:7 relevant versions.

Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * vim/neovim: ':source!' command allows arbitrary command execution via modelines (CVE-2019-12735) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 vim-minimal to version 2:7.4.160-6.el7_6 or higher.

high severity

RHSA-2018:2285

  • Vulnerable module: yum-plugin-fastestmirror
  • Introduced through: yum-plugin-fastestmirror@1.1.31-40.el7
  • Fixed in: 0:1.1.31-46.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* yum-plugin-fastestmirror@1.1.31-40.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream yum-plugin-fastestmirror package. See Remediation section below for Centos:7 relevant versions.

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix(es): * yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

Remediation

Upgrade Centos:7 yum-plugin-fastestmirror to version 0:1.1.31-46.el7_5 or higher.

high severity

RHSA-2018:2285

  • Vulnerable module: yum-plugin-ovl
  • Introduced through: yum-plugin-ovl@1.1.31-40.el7
  • Fixed in: 0:1.1.31-46.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* yum-plugin-ovl@1.1.31-40.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream yum-plugin-ovl package. See Remediation section below for Centos:7 relevant versions.

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix(es): * yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

Remediation

Upgrade Centos:7 yum-plugin-ovl to version 0:1.1.31-46.el7_5 or higher.

high severity

RHSA-2018:2285

  • Vulnerable module: yum-utils
  • Introduced through: yum-utils@1.1.31-40.el7
  • Fixed in: 0:1.1.31-46.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* yum-utils@1.1.31-40.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream yum-utils package. See Remediation section below for Centos:7 relevant versions.

The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix(es): * yum-utils: reposync: improper path validation may lead to directory traversal (CVE-2018-10897) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Jay Grizzard (Clover Network) and Aaron Levy (Clover Network) for reporting this issue.

Remediation

Upgrade Centos:7 yum-utils to version 0:1.1.31-46.el7_5 or higher.

medium severity

RHSA-2017:1931

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-21.el7_3
  • Fixed in: 0:4.2.46-28.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* bash@4.2.46-21.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bash package. See Remediation section below for Centos:7 relevant versions.

The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 bash to version 0:4.2.46-28.el7 or higher.

medium severity

RHSA-2020:1113

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-21.el7_3
  • Fixed in: 0:4.2.46-34.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* bash@4.2.46-21.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bash package. See Remediation section below for Centos:7 relevant versions.

The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es): * bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 bash to version 0:4.2.46-34.el7 or higher.

medium severity

RHBA-2017:1767

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-50.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. Users of bind are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-50.el7 or higher.

medium severity

RHSA-2017:0276

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-38.el7_3.2

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A denial of service flaw was found in the way BIND handled query responses when both DNS64 and RPZ were used. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure or a null pointer dereference via a specially crafted DNS response. (CVE-2017-3135) Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Ramesh Damodaran (Infoblox) and Aliaksandr Shubnik (Infoblox) as the original reporter.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-38.el7_3.2 or higher.

medium severity

RHSA-2019:0194

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.9.4-73.el7_6

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Crash from assertion error when debug log level is 10 and log entries meet buffer boundary (CVE-2018-5742) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.9.4-73.el7_6 or higher.

medium severity

RHSA-2019:2057

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-9.P2.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. The following packages have been upgraded to a later upstream version: bind (9.11.4). (BZ#1640561) Security Fix(es): * bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies (CVE-2018-5741) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-9.P2.el7 or higher.

medium severity

RHSA-2020:1061

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-16.P2.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: TCP Pipelining doesn't limit TCP clients on a single connection (CVE-2019-6477)
  • bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (CVE-2018-5745)
  • bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable (CVE-2019-6465)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-16.P2.el7 or higher.

medium severity

RHSA-2020:5011

  • Vulnerable module: bind-license
  • Introduced through: bind-license@32:9.9.4-38.el7_3
  • Fixed in: 32:9.11.4-26.P2.el7_9.2

Detailed paths

  • Introduced through: centos:7.3.1611@* bind-license@32:9.9.4-38.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream bind-license package. See Remediation section below for Centos:7 relevant versions.

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

  • bind: truncated TSIG response can lead to an assertion failure (CVE-2020-8622)
  • bind: remotely triggerable assertion failure in pk11.c (CVE-2020-8623)
  • bind: incorrect enforcement of update-policy rules of type "subdomain" (CVE-2020-8624)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • BIND stops DNSKEY lookup in get_dst_key() when a key with unsupported algorithm is found first [RHEL7] (BZ#1884530)

Remediation

Upgrade Centos:7 bind-license to version 32:9.11.4-26.P2.el7_9.2 or higher.

medium severity

RHSA-2019:2075

  • Vulnerable module: binutils
  • Introduced through: binutils@2.25.1-22.base.el7
  • Fixed in: 0:2.27-41.base.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* binutils@2.25.1-22.base.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream binutils package. See Remediation section below for Centos:7 relevant versions.

The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities.

Security Fix(es):

  • binutils: integer overflow leads to heap-based buffer overflow in objdump (CVE-2018-1000876)
  • binutils: Stack Exhaustion in the demangling functions provided by libiberty (CVE-2018-12641)
  • binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c. (CVE-2018-12697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 binutils to version 0:2.27-41.base.el7 or higher.

medium severity

RHSA-2020:3908

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11-24.el7
  • Fixed in: 0:2.11-28.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* cpio@2.11-24.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream cpio package. See Remediation section below for Centos:7 relevant versions.

The cpio packages provide the GNU cpio utility for creating and extracting archives, or copying files from one place to another.

Security Fix(es):

  • cpio: improper input validation when writing tar header fields leads to unexpected tar generation (CVE-2019-14866)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 cpio to version 0:2.11-28.el7 or higher.

medium severity

RHSA-2017:2016

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-42.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-42.el7 or higher.

medium severity

RHSA-2017:3263

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-42.el7_4.1

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. (CVE-2017-1000257) Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Brian Carpenter and the OSS-Fuzz project as the original reporters.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-42.el7_4.1 or higher.

medium severity

RHSA-2018:3157

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-51.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module.

Security Fix(es):

  • curl: HTTP authentication leak in redirects (CVE-2018-1000007)
  • curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120)
  • curl: RTSP RTP buffer over-read (CVE-2018-1000122)
  • curl: Out-of-bounds heap read when missing RTSP headers allows information leak or denial of service (CVE-2018-1000301)
  • curl: LDAP NULL pointer dereference (CVE-2018-1000121)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-51.el7 or higher.

medium severity

RHSA-2020:3916

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-59.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-59.el7 or higher.

medium severity

RHSA-2020:5002

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-59.el7_9.1

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Incorrect argument check can allow remote servers to overwrite local files (CVE-2020-8177) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-59.el7_9.1 or higher.

medium severity

RHSA-2020:4032

  • Vulnerable module: dbus
  • Introduced through: dbus@1:1.6.12-17.el7
  • Fixed in: 1:1.10.24-15.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* dbus@1:1.6.12-17.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus package. See Remediation section below for Centos:7 relevant versions.

D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix(es): * dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 dbus to version 1:1.10.24-15.el7 or higher.

medium severity

RHSA-2020:4032

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.6.12-17.el7
  • Fixed in: 1:1.10.24-15.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* dbus-libs@1:1.6.12-17.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream dbus-libs package. See Remediation section below for Centos:7 relevant versions.

D-Bus is a system for sending messages between applications. It is used both for the system-wide message bus service, and as a per-user-login-session messaging facility. Security Fix(es): * dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (CVE-2019-12749) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 dbus-libs to version 1:1.10.24-15.el7 or higher.

medium severity

RHSA-2020:1011

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.el7_3
  • Fixed in: 0:2.1.0-11.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* expat@2.1.0-10.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Centos:7 relevant versions.

Expat is a C library for parsing XML documents. Security Fix(es): * expat: Integer overflow leading to buffer overflow in XML_GetBuffer() (CVE-2015-2716) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 expat to version 0:2.1.0-11.el7 or higher.

medium severity

RHSA-2020:3952

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.el7_3
  • Fixed in: 0:2.1.0-12.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* expat@2.1.0-10.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream expat package. See Remediation section below for Centos:7 relevant versions.

Expat is a C library for parsing XML documents.

Security Fix(es):

  • expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843)
  • expat: heap-based buffer over-read via crafted XML input (CVE-2019-15903)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 expat to version 0:2.1.0-12.el7 or higher.

medium severity

RHBA-2017:2100

  • Vulnerable module: glib2
  • Introduced through: glib2@2.46.2-4.el7
  • Fixed in: 0:2.50.3-3.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glib2@2.46.2-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:7 relevant versions.

The GTK+ packages contain the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. Users of GTK+ are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:7 glib2 to version 0:2.50.3-3.el7 or higher.

medium severity

RHSA-2018:3140

  • Vulnerable module: glib2
  • Introduced through: glib2@2.46.2-4.el7
  • Fixed in: 0:2.56.1-2.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glib2@2.46.2-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:7 relevant versions.

GNOME is the default desktop environment of Red Hat Enterprise Linux.

Security Fix(es):

  • libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames (CVE-2018-12910)
  • poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph() function allows denial of service (CVE-2017-18267)
  • libgxps: heap based buffer over read in ft_font_face_hash function of gxps-fonts.c (CVE-2018-10733)
  • libgxps: Stack-based buffer overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c (CVE-2018-10767)
  • poppler: NULL pointer dereference in Annot.h:AnnotPath::getCoordsLength() allows for denial of service via crafted PDF (CVE-2018-10768)
  • poppler: out of bounds read in pdfunite (CVE-2018-13988)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank chenyuan (NESA Lab) for reporting CVE-2018-10733 and CVE-2018-10767 and Hosein Askari for reporting CVE-2018-13988.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glib2 to version 0:2.56.1-2.el7 or higher.

medium severity

RHSA-2020:3978

  • Vulnerable module: glib2
  • Introduced through: glib2@2.46.2-4.el7
  • Fixed in: 0:2.56.1-7.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glib2@2.46.2-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:7 relevant versions.

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. The Intelligent Input Bus (IBus) is an input method framework for multilingual input in Unix-like operating systems.

Security Fix(es):

  • glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress (CVE-2019-12450)
  • ibus: missing authorization allows local attacker to access the input bus of another user (CVE-2019-14822)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glib2 to version 0:2.56.1-7.el7 or higher.

medium severity

RHSA-2017:1916

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-196.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code. (CVE-2014-9761)
  • It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure. (CVE-2015-8776)
  • An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution. (CVE-2015-8778)
  • A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code. (CVE-2015-8779)
  • It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application. (CVE-2015-8777)

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-196.el7 or higher.

medium severity

RHSA-2018:0805

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-222.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001)
  • glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670)
  • glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804)
  • glibc: denial of service in getnetbyname function (CVE-2014-9402)
  • glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180)
  • glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security).

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-222.el7 or higher.

medium severity

RHSA-2018:3092

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-260.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997)
  • glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485)
  • glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236)
  • glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-260.el7 or higher.

medium severity

RHSA-2019:2118

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-292.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: getaddrinfo should reject IP addresses with trailing characters (CVE-2016-10739) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-292.el7 or higher.

medium severity

RHSA-2021:0348

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-322.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding (CVE-2019-25013)
  • glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions (CVE-2020-10029)
  • glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern (CVE-2020-29573)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • glibc: 64bit_strstr_via_64bit_strstr_sse2_unaligned detection fails with large device and inode numbers (BZ#1883162)
  • glibc: Performance regression in ebizzy benchmark (BZ#1889977)

Remediation

Upgrade Centos:7 glibc to version 0:2.17-322.el7_9 or higher.

medium severity

RHSA-2017:1916

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-196.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code. (CVE-2014-9761)
  • It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure. (CVE-2015-8776)
  • An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution. (CVE-2015-8778)
  • A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code. (CVE-2015-8779)
  • It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application. (CVE-2015-8777)

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-196.el7 or higher.

medium severity

RHSA-2018:0805

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-222.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001)
  • glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670)
  • glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804)
  • glibc: denial of service in getnetbyname function (CVE-2014-9402)
  • glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180)
  • glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security).

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-222.el7 or higher.

medium severity

RHSA-2018:3092

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-260.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997)
  • glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485)
  • glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236)
  • glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-260.el7 or higher.

medium severity

RHSA-2019:2118

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-292.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: getaddrinfo should reject IP addresses with trailing characters (CVE-2016-10739)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-292.el7 or higher.

medium severity

RHSA-2021:0348

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-322.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding (CVE-2019-25013)
  • glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions (CVE-2020-10029)
  • glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern (CVE-2020-29573)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • glibc: 64bit_strstr_via_64bit_strstr_sse2_unaligned detection fails with large device and inode numbers (BZ#1883162)
  • glibc: Performance regression in ebizzy benchmark (BZ#1889977)

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-322.el7_9 or higher.

medium severity

RHSA-2018:3140

  • Vulnerable module: gobject-introspection
  • Introduced through: gobject-introspection@1.42.0-1.el7
  • Fixed in: 0:1.56.1-1.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* gobject-introspection@1.42.0-1.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream gobject-introspection package. See Remediation section below for Centos:7 relevant versions.

GNOME is the default desktop environment of Red Hat Enterprise Linux.

Security Fix(es):

  • libsoup: Crash in soup_cookie_jar.c:get_cookies() on empty hostnames (CVE-2018-12910)
  • poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph() function allows denial of service (CVE-2017-18267)
  • libgxps: heap based buffer over read in ft_font_face_hash function of gxps-fonts.c (CVE-2018-10733)
  • libgxps: Stack-based buffer overflow in calling glib in gxps_images_guess_content_type of gcontenttype.c (CVE-2018-10767)
  • poppler: NULL pointer dereference in Annot.h:AnnotPath::getCoordsLength() allows for denial of service via crafted PDF (CVE-2018-10768)
  • poppler: out of bounds read in pdfunite (CVE-2018-13988)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank chenyuan (NESA Lab) for reporting CVE-2018-10733 and CVE-2018-10767 and Hosein Askari for reporting CVE-2018-13988.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 gobject-introspection to version 0:1.56.1-1.el7 or higher.

medium severity

RHBA-2019:2599

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.14.1-27.el7_3
  • Fixed in: 0:1.15.1-37.el7_7.2

Detailed paths

  • Introduced through: centos:7.3.1611@* krb5-libs@1.14.1-27.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5-libs package. See Remediation section below for Centos:7 relevant versions.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

This update fixes the following bug:

  • KDC and keytab can disagree on kvno after update (BZ#1732743)

Remediation

Upgrade Centos:7 krb5-libs to version 0:1.15.1-37.el7_7.2 or higher.

medium severity

RHSA-2018:0666

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.14.1-27.el7_3
  • Fixed in: 0:1.15.1-18.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* krb5-libs@1.14.1-27.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5-libs package. See Remediation section below for Centos:7 relevant versions.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Security Fix(es):

  • krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562)
  • krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 krb5-libs to version 0:1.15.1-18.el7 or higher.

medium severity

RHSA-2017:0907

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.23.2-33.el7
  • Fixed in: 0:2.23.2-33.el7_3.2

Detailed paths

  • Introduced through: centos:7.3.1611@* libblkid@2.23.2-33.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libblkid package. See Remediation section below for Centos:7 relevant versions.

The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program.

Security Fix(es):

  • A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Red Hat would like to thank Tobias Stöckmann for reporting this issue.

Bug Fix(es):

  • The "findmnt --target <path>" command prints all file systems where the mount point directory is <path>. Previously, when used in the chroot environment, "findmnt --target <path>" incorrectly displayed all mount points. The command has been fixed so that it now checks the mount point path and returns information only for the relevant mount point. (BZ#1414481)

Remediation

Upgrade Centos:7 libblkid to version 0:2.23.2-33.el7_3.2 or higher.

medium severity

RHSA-2020:4011

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.42.9-9.el7
  • Fixed in: 0:1.42.9-19.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcom_err@1.42.9-9.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libcom_err package. See Remediation section below for Centos:7 relevant versions.

The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems.

Security Fix(es):

  • e2fsprogs: Crafted ext4 partition leads to out-of-bounds write (CVE-2019-5094)
  • e2fsprogs: Out-of-bounds write in e2fsck/rehash.c (CVE-2019-5188)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcom_err to version 0:1.42.9-19.el7 or higher.

medium severity

RHSA-2017:2016

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-42.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. (CVE-2016-7167)

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-42.el7 or higher.

medium severity

RHSA-2017:3263

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-42.el7_4.1

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. (CVE-2017-1000257)

Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Brian Carpenter and the OSS-Fuzz project as the original reporters.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-42.el7_4.1 or higher.

medium severity

RHSA-2018:3157

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-51.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module.

Security Fix(es):

  • curl: HTTP authentication leak in redirects (CVE-2018-1000007)
  • curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120)
  • curl: RTSP RTP buffer over-read (CVE-2018-1000122)
  • curl: Out-of-bounds heap read when missing RTSP headers allows information leak or denial of service (CVE-2018-1000301)
  • curl: LDAP NULL pointer dereference (CVE-2018-1000121)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-51.el7 or higher.

medium severity

RHSA-2020:3916

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-59.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-59.el7 or higher.

medium severity

RHSA-2020:5002

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-59.el7_9.1

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: Incorrect argument check can allow remote servers to overwrite local files (CVE-2020-8177)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-59.el7_9.1 or higher.

medium severity

RHSA-2017:0907

  • Vulnerable module: libmount
  • Introduced through: libmount@2.23.2-33.el7
  • Fixed in: 0:2.23.2-33.el7_3.2

Detailed paths

  • Introduced through: centos:7.3.1611@* libmount@2.23.2-33.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libmount package. See Remediation section below for Centos:7 relevant versions.

The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program.

Security Fix(es):

  • A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Red Hat would like to thank Tobias Stöckmann for reporting this issue.

Bug Fix(es):

  • The "findmnt --target <path>" command prints all file systems where the mount point directory is <path>. Previously, when used in the chroot environment, "findmnt --target <path>" incorrectly displayed all mount points. The command has been fixed so that it now checks the mount point path and returns information only for the relevant mount point. (BZ#1414481)

Remediation

Upgrade Centos:7 libmount to version 0:2.23.2-33.el7_3.2 or higher.

medium severity

RHSA-2020:4011

  • Vulnerable module: libss
  • Introduced through: libss@1.42.9-9.el7
  • Fixed in: 0:1.42.9-19.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libss@1.42.9-9.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libss package. See Remediation section below for Centos:7 relevant versions.

The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting the ext2, ext3, and ext4 file systems.

Security Fix(es):

  • e2fsprogs: Crafted ext4 partition leads to out-of-bounds write (CVE-2019-5094)
  • e2fsprogs: Out-of-bounds write in e2fsck/rehash.c (CVE-2019-5188)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libss to version 0:1.42.9-19.el7 or higher.

medium severity

RHSA-2019:1884

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.el7_2.1
  • Fixed in: 0:1.4.3-12.el7_6.3

Detailed paths

  • Introduced through: centos:7.3.1611@* libssh2@1.4.3-10.el7_2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Centos:7 relevant versions.

The libssh2 packages provide a library that implements the SSH2 protocol.

Security Fix(es):

  • libssh2: Out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 libssh2 to version 0:1.4.3-12.el7_6.3 or higher.

medium severity

RHSA-2019:2136

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.el7_2.1
  • Fixed in: 0:1.8.0-3.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libssh2@1.4.3-10.el7_2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Centos:7 relevant versions.

The libssh2 packages provide a library that implements the SSH2 protocol. The following packages have been upgraded to a later upstream version: libssh2 (1.8.0). (BZ#1592784)

Security Fix(es):

  • libssh2: Zero-byte allocation with a specially crafted SFTP packet leading to an out-of-bounds read (CVE-2019-3858)
  • libssh2: Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libssh2 to version 0:1.8.0-3.el7 or higher.

medium severity

RHSA-2020:3915

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.el7_2.1
  • Fixed in: 0:1.8.0-4.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libssh2@1.4.3-10.el7_2.1

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See Remediation section below for Centos:7 relevant versions.

The libssh2 packages provide a library that implements the SSH2 protocol.

Security Fix(es):

  • libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c (CVE-2019-17498)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libssh2 to version 0:1.8.0-4.el7 or higher.

medium severity

RHSA-2017:1860

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@3.8-3.el7
  • Fixed in: 0:4.10-1.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libtasn1@3.8-3.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libtasn1 package. See Remediation section below for Centos:7 relevant versions.

Libtasn1 is a library that provides Abstract Syntax Notation One (ASN.1, as specified by the X.680 ITU-T recommendation) parsing and structures management, and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions. The following packages have been upgraded to a later upstream version: libtasn1 (4.10). (BZ#1360639)

Security Fix(es):

  • A heap-based buffer overflow flaw was found in the way the libtasn1 library decoded certain DER-encoded inputs. A specially crafted DER-encoded input could cause an application using libtasn1 to perform an invalid read, causing the application to crash. (CVE-2015-3622)
  • A stack-based buffer overflow was found in the way libtasn1 decoded certain DER encoded data. An attacker could use this flaw to crash an application using the libtasn1 library. (CVE-2015-2806)

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libtasn1 to version 0:4.10-1.el7 or higher.

medium severity

RHSA-2017:0907

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.23.2-33.el7
  • Fixed in: 0:2.23.2-33.el7_3.2

Detailed paths

  • Introduced through: centos:7.3.1611@* libuuid@2.23.2-33.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libuuid package. See Remediation section below for Centos:7 relevant versions.

The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program.

Security Fix(es):

  • A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Red Hat would like to thank Tobias Stöckmann for reporting this issue.

Bug Fix(es):

  • The "findmnt --target <path>" command prints all file systems where the mount point directory is <path>. Previously, when used in the chroot environment, "findmnt --target <path>" incorrectly displayed all mount points. The command has been fixed so that it now checks the mount point path and returns information only for the relevant mount point. (BZ#1414481)

Remediation

Upgrade Centos:7 libuuid to version 0:2.23.2-33.el7_3.2 or higher.

medium severity

RHSA-2020:1190

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.el7_2.3
  • Fixed in: 0:2.9.1-6.el7.4

Detailed paths

  • Introduced through: centos:7.3.1611@* libxml2@2.9.1-6.el7_2.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Centos:7 relevant versions.

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

  • libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)
  • libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)
  • libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)
  • libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)
  • libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)
  • libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libxml2 to version 0:2.9.1-6.el7.4 or higher.

medium severity

RHSA-2020:3996

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.el7_2.3
  • Fixed in: 0:2.9.1-6.el7.5

Detailed paths

  • Introduced through: centos:7.3.1611@* libxml2@2.9.1-6.el7_2.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Centos:7 relevant versions.

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

  • libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c (CVE-2019-19956)
  • libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
  • libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libxml2 to version 0:2.9.1-6.el7.5 or higher.

medium severity

RHSA-2020:1190

  • Vulnerable module: libxml2-python
  • Introduced through: libxml2-python@2.9.1-6.el7_2.3
  • Fixed in: 0:2.9.1-6.el7.4

Detailed paths

  • Introduced through: centos:7.3.1611@* libxml2-python@2.9.1-6.el7_2.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2-python package. See Remediation section below for Centos:7 relevant versions.

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

  • libxml2: Use after free triggered by XPointer paths beginning with range-to (CVE-2016-5131)
  • libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c (CVE-2017-15412)
  • libxml2: DoS caused by incorrect error detection during XZ decompression (CVE-2015-8035)
  • libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)
  • libxml2: Unrestricted memory usage in xz_head() function in xzlib.c (CVE-2017-18258)
  • libxml2: Infinite loop caused by incorrect error detection during LZMA decompression (CVE-2018-14567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libxml2-python to version 0:2.9.1-6.el7.4 or higher.

medium severity

RHSA-2020:3996

  • Vulnerable module: libxml2-python
  • Introduced through: libxml2-python@2.9.1-6.el7_2.3
  • Fixed in: 0:2.9.1-6.el7.5

Detailed paths

  • Introduced through: centos:7.3.1611@* libxml2-python@2.9.1-6.el7_2.3

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2-python package. See Remediation section below for Centos:7 relevant versions.

The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix(es):

  • libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c (CVE-2019-19956)
  • libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c (CVE-2019-20388)
  • libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations (CVE-2020-7595)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libxml2-python to version 0:2.9.1-6.el7.5 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nspr
  • Introduced through: nspr@4.11.0-1.el7_2
  • Fixed in: 0:4.21.0-1.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nspr@4.11.0-1.el7_2

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nspr to version 0:4.21.0-1.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nspr
  • Introduced through: nspr@4.11.0-1.el7_2
  • Fixed in: 0:4.25.0-2.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nspr@4.11.0-1.el7_2

NVD Description

Note: Versions mentioned in the description apply to the upstream nspr package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nspr to version 0:4.25.0-2.el7_9 or higher.

medium severity

RHSA-2018:2768

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.36.0-7.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:7 nss to version 0:3.36.0-7.el7_5 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-4.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss to version 0:3.44.0-4.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-3.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss to version 0:3.53.1-3.el7_9 or higher.

medium severity

RHSA-2021:1384

  • Vulnerable module: nss
  • Introduced through: nss@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-7.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • nss: TLS 1.3 CCS flood remote DoS Attack (CVE-2020-25648)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • FTBFS: Paypal Cert expired (BZ#1883973)
  • FTBFS: IKE CLASS_1563 fails gtest (BZ#1884793)
  • Cannot compile code with nss headers and -Werror=strict-prototypes (BZ#1885321)
  • CA HSM ncipher token disabled after RHEL-7.9 update (BZ#1932193)

Remediation

Upgrade Centos:7 nss to version 0:3.53.1-7.el7_9 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.16.2.3-14.4.el7
  • Fixed in: 0:3.44.0-5.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss-softokn to version 0:3.44.0-5.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.16.2.3-14.4.el7
  • Fixed in: 0:3.53.1-6.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss-softokn to version 0:3.53.1-6.el7_9 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.16.2.3-14.4.el7
  • Fixed in: 0:3.44.0-5.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn-freebl@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss-softokn-freebl to version 0:3.44.0-5.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.16.2.3-14.4.el7
  • Fixed in: 0:3.53.1-6.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-softokn-freebl@3.16.2.3-14.4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-softokn-freebl package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss-softokn-freebl to version 0:3.53.1-6.el7_9 or higher.

medium severity

RHSA-2018:2768

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.36.0-7.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.36.0-7.el7_5 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-4.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.44.0-4.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-3.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.53.1-3.el7_9 or higher.

medium severity

RHSA-2021:1384

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-7.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-sysinit@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-sysinit package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • nss: TLS 1.3 CCS flood remote DoS Attack (CVE-2020-25648)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • FTBFS: Paypal Cert expired (BZ#1883973)
  • FTBFS: IKE CLASS_1563 fails gtest (BZ#1884793)
  • Cannot compile code with nss headers and -Werror=strict-prototypes (BZ#1885321)
  • CA HSM ncipher token disabled after RHEL-7.9 update (BZ#1932193)

Remediation

Upgrade Centos:7 nss-sysinit to version 0:3.53.1-7.el7_9 or higher.

medium severity

RHSA-2018:2768

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.36.0-7.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Security Fix(es):

  • nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello (CVE-2018-12384)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Mozilla project for reporting this issue.

Remediation

Upgrade Centos:7 nss-tools to version 0:3.36.0-7.el7_5 or higher.

medium severity

RHSA-2019:2237

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.44.0-4.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274)

Security Fix(es):

  • ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
  • nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss-tools to version 0:3.44.0-4.el7 or higher.

medium severity

RHSA-2020:4076

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-3.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss-tools to version 0:3.53.1-3.el7_9 or higher.

medium severity

RHSA-2021:1384

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.21.3-2.el7_3
  • Fixed in: 0:3.53.1-7.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-tools@3.21.3-2.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-tools package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: TLS 1.3 CCS flood remote DoS Attack (CVE-2020-25648) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * FTBFS: Paypal Cert expired (BZ#1883973) * FTBFS: IKE CLASS_1563 fails gtest (BZ#1884793) * Cannot compile code with nss headers and -Werror=strict-prototypes (BZ#1885321) * CA HSM ncipher token disabled after RHEL-7.9 update (BZ#1932193)

Remediation

Upgrade Centos:7 nss-tools to version 0:3.53.1-7.el7_9 or higher.

References

medium severity

RHSA-2019:2237

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.3-1.1.el7_3
  • Fixed in: 0:3.44.0-3.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-util@3.21.3-1.1.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a later upstream version: nss (3.44.0), nss-softokn (3.44.0), nss-util (3.44.0), nspr (4.21.0). (BZ#1645231, BZ#1692269, BZ#1692271, BZ#1692274) Security Fix(es): * ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495) * nss: Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 nss-util to version 0:3.44.0-3.el7 or higher.

References

medium severity

RHSA-2020:4076

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.21.3-1.1.el7_3
  • Fixed in: 0:3.53.1-1.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* nss-util@3.21.3-1.1.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream nss-util package. See Remediation section below for Centos:7 relevant versions.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)

Security Fix(es):

  • nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
  • nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
  • nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
  • nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
  • nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
  • nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
  • nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
  • nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
  • nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
  • nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
  • NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)
  • Make TLS 1.3 work in FIPS mode (BZ#1724251)
  • Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)
  • x25519 allowed in FIPS mode (BZ#1754518)
  • When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)
  • Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)
  • nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
  • KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)

Remediation

Upgrade Centos:7 nss-util to version 0:3.53.1-1.el7_9 or higher.

References

medium severity

RHSA-2017:1852

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.40-13.el7
  • Fixed in: 0:2.4.44-5.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openldap@2.4.40-13.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Centos:7 relevant versions.

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP. The following packages have been upgraded to a later upstream version: openldap (2.4.44). (BZ#1386365) Security Fix(es): * A double-free flaw was found in the way OpenLDAP's slapd server using the MDB backend handled LDAP searches. A remote attacker with access to search the directory could potentially use this flaw to crash slapd by issuing a specially crafted LDAP search query. (CVE-2017-9287) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 openldap to version 0:2.4.44-5.el7 or higher.

medium severity

RHSA-2020:4041

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.40-13.el7
  • Fixed in: 0:2.4.44-22.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openldap@2.4.40-13.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Centos:7 relevant versions.

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP. Security Fix(es): * openldap: denial of service via nested boolean expressions in LDAP search filters (CVE-2020-12243) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 openldap to version 0:2.4.44-22.el7 or higher.

References

medium severity

RHSA-2021:1389

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.40-13.el7
  • Fixed in: 0:2.4.44-23.el7_9

Detailed paths

  • Introduced through: centos:7.3.1611@* openldap@2.4.40-13.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See Remediation section below for Centos:7 relevant versions.

OpenLDAP is an open-source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. Security Fix(es): * openldap: NULL pointer dereference for unauthenticated packet in slapd (CVE-2020-25692) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 openldap to version 0:2.4.44-23.el7_9 or higher.

References

medium severity

RHBA-2017:1929

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-8.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. Users of openssl are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-8.el7 or higher.

References

medium severity

RHSA-2017:0286

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.1e-60.el7_3.1

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

  • An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. (CVE-2017-3731)
  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.1e-60.el7_3.1 or higher.

medium severity

RHSA-2018:0998

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-12.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) * openssl: Read/write after SSL object in error state (CVE-2017-3737) * openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-12.el7 or higher.

medium severity

RHSA-2018:3221

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-16.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495) * openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732) * openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service (CVE-2018-0739) * openssl: Malformed X.509 IPAdressFamily could cause OOB read (CVE-2017-3735) * openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-16.el7 or higher.

medium severity

RHSA-2019:0483

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-16.el7_6.1

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Perform the RSA signature self-tests with SHA-256 (BZ#1673914)

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-16.el7_6.1 or higher.

medium severity

RHSA-2019:2304

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.1e-60.el7
  • Fixed in: 1:1.0.2k-19.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* openssl-libs@1:1.0.1e-60.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl-libs package. See Remediation section below for Centos:7 relevant versions.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es): * openssl: 0-byte record padding oracle (CVE-2019-1559) * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 openssl-libs to version 1:1.0.2k-19.el7 or higher.

References

medium severity

RHSA-2019:2189

  • Vulnerable module: procps-ng
  • Introduced through: procps-ng@3.3.10-10.el7
  • Fixed in: 0:3.3.10-26.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* procps-ng@3.3.10-10.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream procps-ng package. See Remediation section below for Centos:7 relevant versions.

The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix(es): * procps-ng, procps: Local privilege escalation in top (CVE-2018-1122) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 procps-ng to version 0:3.3.10-26.el7 or higher.

References

medium severity

RHSA-2017:1868

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-58.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to enable certificate verification by default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219110) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-58.el7 or higher.

medium severity

RHSA-2018:2123

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-69.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note: This update modifies the Python ssl module to disable 3DES cipher suites by default. Red Hat would like to thank OpenVPN for reporting this issue. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-69.el7_5 or higher.

medium severity

RHSA-2018:3041

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-76.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061) * python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Python security response team for reporting these issues. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-76.el7 or higher.

medium severity

RHSA-2019:2030

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-86.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Missing salt initialization in _elementtree.c module (CVE-2018-14647) * python: NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010) * python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740) * python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947) * python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-86.el7 or higher.

References

medium severity

RHSA-2020:1131

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-88.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Cookie domain check returns incorrect results (CVE-2018-20852) * python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-88.el7 or higher.

References

medium severity

RHSA-2020:3911

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-89.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-89.el7 or higher.

References

medium severity

RHSA-2020:5009

  • Vulnerable module: python
  • Introduced through: python@2.7.5-48.el7
  • Fixed in: 0:2.7.5-90.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python package. See Remediation section below for Centos:7 relevant versions.

Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. Security Fix(es): * python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python to version 0:2.7.5-90.el7 or higher.

References

medium severity

RHSA-2017:1868

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-58.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to enable certificate verification by default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219110) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-58.el7 or higher.

medium severity

RHSA-2018:2123

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-69.el7_5

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note: This update modifies the Python ssl module to disable 3DES cipher suites by default. Red Hat would like to thank OpenVPN for reporting this issue. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-69.el7_5 or higher.

medium severity

RHSA-2018:3041

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-76.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (CVE-2018-1061) * python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (CVE-2018-1060) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Python security response team for reporting these issues. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-76.el7 or higher.

medium severity

RHSA-2019:2030

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-86.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

  • python: Missing salt initialization in _elementtree.c module (CVE-2018-14647)
  • python: NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010)
  • python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740)
  • python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947)
  • python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-86.el7 or higher.

References

medium severity

RHSA-2020:1131

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-88.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

  • python: Cookie domain check returns incorrect results (CVE-2018-20852)
  • python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-88.el7 or higher.

References

medium severity

RHSA-2020:3911

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-89.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-89.el7 or higher.

References

medium severity

RHSA-2020:5009

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.5-48.el7
  • Fixed in: 0:2.7.5-90.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* python-libs@2.7.5-48.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream python-libs package. See Remediation section below for Centos:7 relevant versions.

Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. Security Fix(es): * python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 python-libs to version 0:2.7.5-90.el7 or higher.

References

medium severity

RHSA-2020:1021

  • Vulnerable module: shared-mime-info
  • Introduced through: shared-mime-info@1.1-9.el7
  • Fixed in: 0:1.8-5.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* shared-mime-info@1.1-9.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream shared-mime-info package. See Remediation section below for Centos:7 relevant versions.

GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix(es): * gnome-shell: partial lock screen bypass (CVE-2019-3820) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 shared-mime-info to version 0:1.8-5.el7 or higher.

References

medium severity

RHSA-2018:0260

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-42.el7_4.7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)

Remediation

Upgrade Centos:7 systemd to version 0:219-42.el7_4.7 or higher.

medium severity

RHSA-2019:2091

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-67.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: line splitting via fgets() allows for state injection during daemon-reexec (CVE-2018-15686)
  • systemd: out-of-bounds read when parsing a crafted syslog message (CVE-2018-16866)
  • systemd: kills privileged process if unprivileged PIDFile was tampered (CVE-2018-16888)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 systemd to version 0:219-67.el7 or higher.

References

medium severity

RHSA-2018:0260

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-42.el7_4.7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit. Security Fix(es): * A race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. (CVE-2018-1049)

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-42.el7_4.7 or higher.

medium severity

RHSA-2019:2091

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-67.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: line splitting via fgets() allows for state injection during daemon-reexec (CVE-2018-15686)
  • systemd: out-of-bounds read when parsing a crafted syslog message (CVE-2018-16866)
  • systemd: kills privileged process if unprivileged PIDFile was tampered (CVE-2018-16888)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-67.el7 or higher.

References

medium severity

RHSA-2017:0907

  • Vulnerable module: util-linux
  • Introduced through: util-linux@2.23.2-33.el7
  • Fixed in: 0:2.23.2-33.el7_3.2

Detailed paths

  • Introduced through: centos:7.3.1611@* util-linux@2.23.2-33.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream util-linux package. See Remediation section below for Centos:7 relevant versions.

The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program.

Security Fix(es):

  • A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Red Hat would like to thank Tobias Stöckmann for reporting this issue.

Bug Fix(es):

  • The "findmnt --target <path>" command prints all file systems where the mount point directory is <path>. Previously, when used in the chroot environment, "findmnt --target <path>" incorrectly displayed all mount points. The command has been fixed so that it now checks the mount point path and returns information only for the relevant mount point. (BZ#1414481)

Remediation

Upgrade Centos:7 util-linux to version 0:2.23.2-33.el7_3.2 or higher.

medium severity

RHSA-2016:2972

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:7.4.160-1.el7
  • Fixed in: 2:7.4.160-1.el7_3.1

Detailed paths

  • Introduced through: centos:7.3.1611@* vim-minimal@2:7.4.160-1.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream vim-minimal package. See Remediation section below for Centos:7 relevant versions.

Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user running vim. (CVE-2016-1248)

Remediation

Upgrade Centos:7 vim-minimal to version 2:7.4.160-1.el7_3.1 or higher.

low severity

RHSA-2018:3032

  • Vulnerable module: binutils
  • Introduced through: binutils@2.25.1-22.base.el7
  • Fixed in: 0:2.27-34.base.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* binutils@2.25.1-22.base.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream binutils package. See Remediation section below for Centos:7 relevant versions.

The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities.

Security Fix(es):

  • binutils: Improper bounds check in coffgen.c:coff_pointerize_aux() allows for denial of service when parsing a crafted COFF file (CVE-2018-7208)
  • binutils: integer overflow via an ELF file with corrupt dwarf1 debug information in libbfd library (CVE-2018-7568)
  • binutils: integer underflow or overflow via an ELF file with a corrupt DWARF FORM block in libbfd library (CVE-2018-7569)
  • binutils: NULL pointer dereference in swap_std_reloc_in function in aoutx.h resulting in crash (CVE-2018-7642)
  • binutils: Integer overflow in the display_debug_ranges function resulting in crash (CVE-2018-7643)
  • binutils: Crash in elf.c:bfd_section_from_shdr() with crafted executable (CVE-2018-8945)
  • binutils: Heap-based buffer over-read in dwarf.c:process_cu_tu_index() allows for denial of service via crafted file (CVE-2018-10372)
  • binutils: NULL pointer dereference in dwarf2.c:concat_filename() allows for denial of service via crafted file (CVE-2018-10373)
  • binutils: out of bounds memory write in peXXigen.c files (CVE-2018-10534)
  • binutils: NULL pointer dereference in elf.c (CVE-2018-10535)
  • binutils: Uncontrolled Resource Consumption in execution of nm (CVE-2018-13033)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 binutils to version 0:2.27-34.base.el7 or higher.

low severity

RHSA-2019:1880

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-51.el7_6.3

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: NTLM password overflow via integer overflow (CVE-2018-14618)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • baseurl with file:// hangs and then timeout in yum repo (BZ#1709474)
  • curl crashes on http links with rate-limit (BZ#1711914)

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-51.el7_6.3 or higher.

References

low severity

RHSA-2019:2181

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-54.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Heap-based buffer over-read in the curl tool warning formatting (CVE-2018-16842) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-54.el7 or higher.

References

low severity

RHSA-2020:1020

  • Vulnerable module: curl
  • Introduced through: curl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-57.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* curl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: TFTP receive heap buffer overflow in tftp_receive_packet() function (CVE-2019-5436) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 curl to version 0:7.29.0-57.el7 or higher.

References

low severity

RHSA-2019:2197

  • Vulnerable module: elfutils-libelf
  • Introduced through: elfutils-libelf@0.166-2.el7
  • Fixed in: 0:0.176-2.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* elfutils-libelf@0.166-2.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream elfutils-libelf package. See Remediation section below for Centos:7 relevant versions.

The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The following packages have been upgraded to a later upstream version: elfutils (0.176). (BZ#1676504)

Security Fix(es):

  • elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file (CVE-2018-16062)
  • elfutils: Double-free due to double decompression of sections in crafted ELF causes crash (CVE-2018-16402)
  • elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash (CVE-2018-16403)
  • elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl (CVE-2018-18310)
  • elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)
  • elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c (CVE-2018-18521)
  • elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw (CVE-2019-7149)
  • elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c (CVE-2019-7150)
  • elfutils: Out of bound write in elf_cvt_note in libelf/note_xlate.h (CVE-2019-7664)
  • elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 elfutils-libelf to version 0:0.176-2.el7 or higher.

References

low severity

RHSA-2019:2197

  • Vulnerable module: elfutils-libs
  • Introduced through: elfutils-libs@0.166-2.el7
  • Fixed in: 0:0.176-2.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* elfutils-libs@0.166-2.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream elfutils-libs package. See Remediation section below for Centos:7 relevant versions.

The elfutils packages contain a number of utility programs and libraries related to the creation and maintenance of executable code. The following packages have been upgraded to a later upstream version: elfutils (0.176). (BZ#1676504)

Security Fix(es):

  • elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file (CVE-2018-16062)
  • elfutils: Double-free due to double decompression of sections in crafted ELF causes crash (CVE-2018-16402)
  • elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash (CVE-2018-16403)
  • elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl (CVE-2018-18310)
  • elfutils: eu-size cannot handle recursive ar files (CVE-2018-18520)
  • elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c (CVE-2018-18521)
  • elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw (CVE-2019-7149)
  • elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c (CVE-2019-7150)
  • elfutils: Out of bound write in elf_cvt_note in libelf/note_xlate.h (CVE-2019-7664)
  • elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c (CVE-2019-7665)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 elfutils-libs to version 0:0.176-2.el7 or higher.

References

low severity

RHSA-2020:1022

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.11-33.el7
  • Fixed in: 0:5.11-36.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* file-libs@5.11-33.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream file-libs package. See Remediation section below for Centos:7 relevant versions.

The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format (ELF) binary files, system libraries, RPM packages, and different graphics formats. Security Fix(es): * file: out-of-bounds read via a crafted ELF file (CVE-2018-10360) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 file-libs to version 0:5.11-36.el7 or higher.

References

low severity

RHBA-2019:2044

  • Vulnerable module: glib2
  • Introduced through: glib2@2.46.2-4.el7
  • Fixed in: 0:2.56.1-5.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glib2@2.46.2-4.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream glib2 package. See Remediation section below for Centos:7 relevant versions.

GNOME is the default desktop environment of Red Hat Enterprise Linux. For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section. Users of gnome are advised to upgrade to these updated packages.

Remediation

Upgrade Centos:7 glib2 to version 0:2.56.1-5.el7 or higher.

References

low severity

RHSA-2020:3861

  • Vulnerable module: glibc
  • Introduced through: glibc@2.17-157.el7_3.1
  • Fixed in: 0:2.17-317.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc to version 0:2.17-317.el7 or higher.

References

low severity

RHSA-2020:3861

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.17-157.el7_3.1
  • Fixed in: 0:2.17-317.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* glibc-common@2.17-157.el7_3.1

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc-common package. See Remediation section below for Centos:7 relevant versions.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 glibc-common to version 0:2.17-317.el7 or higher.

References

low severity

RHSA-2018:3071

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.14.1-27.el7_3
  • Fixed in: 0:1.15.1-34.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* krb5-libs@1.14.1-27.el7_3

NVD Description

Note: Versions mentioned in the description apply to the upstream krb5-libs package. See Remediation section below for Centos:7 relevant versions.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Security Fix(es):

  • krb5: null dereference in kadmind or DN container check bypass by supplying special crafted data (CVE-2018-5729)
  • krb5: DN container check bypass by supplying special crafted data (CVE-2018-5730)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 krb5-libs to version 0:1.15.1-34.el7 or higher.

low severity

RHSA-2019:1880

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-51.el7_6.3

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: NTLM password overflow via integer overflow (CVE-2018-14618)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • baseurl with file:// hangs and then timeout in yum repo (BZ#1709474)
  • curl crashes on http links with rate-limit (BZ#1711914)

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-51.el7_6.3 or higher.

References

low severity

RHSA-2019:2181

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-54.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Heap-based buffer over-read in the curl tool warning formatting (CVE-2018-16842) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-54.el7 or higher.

References

low severity

RHSA-2020:1020

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.29.0-35.el7.centos
  • Fixed in: 0:7.29.0-57.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libcurl@7.29.0-35.el7.centos

NVD Description

Note: Versions mentioned in the description apply to the upstream libcurl package. See Remediation section below for Centos:7 relevant versions.

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: TFTP receive heap buffer overflow in tftp_receive_packet() function (CVE-2019-5436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libcurl to version 0:7.29.0-57.el7 or higher.

References

low severity

RHSA-2018:0849

  • Vulnerable module: libgcc
  • Introduced through: libgcc@4.8.5-11.el7
  • Fixed in: 0:4.8.5-28.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libgcc@4.8.5-11.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libgcc package. See Remediation section below for Centos:7 relevant versions.

The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Security Fix(es):

  • gcc: GCC generates incorrect code for RDRAND/RDSEED intrinsics (CVE-2017-11671)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libgcc to version 0:4.8.5-28.el7 or higher.

low severity

RHSA-2018:0849

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@4.8.5-11.el7
  • Fixed in: 0:4.8.5-28.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* libstdc++@4.8.5-11.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream libstdc++ package. See Remediation section below for Centos:7 relevant versions.

The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Security Fix(es):

  • gcc: GCC generates incorrect code for RDRAND/RDSEED intrinsics (CVE-2017-11671)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 libstdc++ to version 0:4.8.5-28.el7 or higher.

low severity

RHSA-2018:3249

  • Vulnerable module: setup
  • Introduced through: setup@2.8.71-7.el7
  • Fixed in: 0:2.8.71-10.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* setup@2.8.71-7.el7

NVD Description

Note: Versions mentioned in the description apply to the upstream setup package. See Remediation section below for Centos:7 relevant versions.

The setup package contains a set of important default system configuration and setup files. Examples include /etc/passwd, /etc/group, and /etc/profile. Other examples are the default lists of reserved user IDs, reserved ports, reserved protocols, allowed shells, allowed secure terminals.

Security Fix(es):

  • setup: nologin listed in /etc/shells violates security expectations (CVE-2018-1113)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 setup to version 0:2.8.71-10.el7 or higher.

low severity

RHSA-2019:0201

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.3

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 systemd to version 0:219-62.el7_6.3 or higher.

low severity

RHSA-2020:4007

  • Vulnerable module: systemd
  • Introduced through: systemd@219-30.el7_3.6
  • Fixed in: 0:219-78.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: memory leak in button_open() in login/logind-button.c when udev events are received (CVE-2019-20386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 systemd to version 0:219-78.el7 or higher.

References

low severity

RHSA-2019:0201

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-62.el7_6.3

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864 (CVE-2019-3815)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-62.el7_6.3 or higher.

low severity

RHSA-2020:4007

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@219-30.el7_3.6
  • Fixed in: 0:219-78.el7

Detailed paths

  • Introduced through: centos:7.3.1611@* systemd-libs@219-30.el7_3.6

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd-libs package. See Remediation section below for Centos:7 relevant versions.

The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. In addition, it supports snapshotting and restoring of the system state, maintains mount and automount points, and implements an elaborate transactional dependency-based service control logic. It can also work as a drop-in replacement for sysvinit.

Security Fix(es):

  • systemd: memory leak in button_open() in login/logind-button.c when udev events are received (CVE-2019-20386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Remediation

Upgrade Centos:7 systemd-libs to version 0:219-78.el7 or higher.

References