Multiple vulnerabilities found in che-postgres image #19649
Labels: area/che-operator (Issues and PRs related to Eclipse Che Kubernetes Operator), kind/bug (Outline of a bug - must adhere to the bug report template), severity/P1 (Has a major impact to usage or development of the system)
Describe the bug
As described in #19646 and following one of the recent community meetings, there are multiple vulnerabilities found in some of the images. Here's a list of vulnerabilities found in the postgres images:
Name: RHSA-2020:3916
CVSS Score v3: 9.8
Severity: critical
Description: An update for curl is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
curl: heap buffer overflow in function tftp_receive_packet().
Impacted Image File(s):

Name: RHSA-2020:4076
CVSS Score v3: 9.8
Severity: critical
Description: An update for nss, nss-softokn, nss-util, and nspr is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
The following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)
Security Fix(es):
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
nss: Out-of-bounds read when importing curve25519 private key
nss: PKCS#1 v1.5 signatures can be used for TLS 1.3
nss: Use-after-free in sftk_FreeSession due to improper refcounting
nss: Check length of inputs for cryptographic primitives
nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
nss: Side channel attack on ECDSA signature generation
nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
nss: ECDSA timing attack mitigation bypass
nss: Side channel vulnerabilities during RSA key generation
nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read
Impacted Image File(s):

Name: RHSA-2020:3978
CVSS Score v3: 9.8
Severity: critical
Description: An update for glib2 and ibus is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.
The Intelligent Input Bus (IBus) is an input method framework for multilingual input in Unix-like operating systems.
Security Fix(es):
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress
ibus: missing authorization allows local attacker to access the input bus of another user