2021-46 - Canonical, Red Hat, Cisco, GitHub Published on November 22, 2021

Advisory Week

Week 46, 2021

Ubuntu Security Notices

USN-5151-1: Mailman vulnerabilities USN-5150-1: OpenEXR vulnerability USN-5149-1: AccountsService vulnerability USN-5148-1: hivex vulnerability USN-5147-1: Vim vulnerabilities

Red Hat Security Advisory

(RHSA-2021:4743) Moderate: llvm-toolset:rhel8 security update (RHSA-2021:4730) Moderate: devtoolset-11-binutils security update (RHSA-2021:4729) Moderate: devtoolset-11-annobin security update (RHSA-2021:4725) Moderate: OpenShift Virtualization 2.6.8 Images security and bug fix update (RHSA-2021:4724) Moderate: devtoolset-10-annobin security update (RHSA-2021:4723) Moderate: devtoolset-10-binutils security update (RHSA-2021:4722) Moderate: OpenShift Virtualization 2.6.8 RPMs security and bug fix update (RHSA-2021:4032) Low: Openshift Logging 5.2.3 bug fix and security update (RHSA-2021:4628) Low: Openshift Logging 5.1.4 bug fix and security update (RHSA-2021:4626) Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.9] (RHSA-2021:4703) Important: RHV Engine and Host Common Packages security update [ovirt-4.4.9] (RHSA-2021:4702) Moderate: Satellite 6.10 Release (RHSA-2021:4694) Moderate: rust-toolset-1.54-rust security update (RHSA-2021:4692) Important: kernel security update (RHSA-2021:4687) Important: kernel security update (RHSA-2021:4686) Moderate: webkit2gtk3 security update (RHSA-2021:4679) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.2 security update (RHSA-2021:4676) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.2 security update on RHEL 7 (RHSA-2021:4677) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.2 security update on RHEL 8 (RHSA-2021:4627) Moderate: Openshift Logging 5.3.0 bug fix and security update (RHSA-2021:4669) Moderate: devtoolset-11-gcc security update (RHSA-2021:4647) Important: kernel security update (RHSA-2021:4650) Important: kernel security, bug fix, and enhancement update (RHSA-2021:4644) Important: kpatch-patch security update (RHSA-2021:4645) Important: kpatch-patch security update (RHSA-2021:4649) Moderate: gcc-toolset-10-binutils security update (RHSA-2021:4648) Important: kernel-rt security and bug fix update (RHSA-2021:4646) Important: kernel-rt security and bug fix update

Cisco Security Advisory

Cisco Common Services Platform Collector SQL Injection Vulnerability Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability Cisco Common Services Platform Collector Improper Logging Restriction Vulnerability

Github Security Advisories

[GHSA-6c7m-qwxj-mvhp] Broken encryption in EdgeX Foundry [GHSA-vf7h-6246-hm43] The disqualify lead action may be executed without CSRF token check [GHSA-xx4c-jj58-r7x6] Inefficient Regular Expression Complexity in Validator.js [GHSA-3pqh-p72c-fj85] Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki [GHSA-gpqc-4pp7-5954] Authentication Bypass by CSRF Weakness [GHSA-8xfw-5q82-3652] Authentication Bypass by CSRF Weakness [GHSA-6mqr-q86q-6gwr] Authentication Bypass by CSRF Weakness [GHSA-26xx-m4q2-xhq8] Authentication Bypass by CSRF Weakness [GHSA-5629-8855-gf4g] Authentication Bypass by CSRF Weakness [GHSA-xm34-v85h-9pg2] Authentication Bypass by CSRF Weakness [GHSA-mc8v-mgrf-8f4m] Clarify Content-Type handling [GHSA-5j5w-g665-5m35] Ambiguous OCI manifest parsing [GHSA-77vh-xpmg-72qh] Clarify `mediaType` handling [GHSA-wwgq-9jhf-qgw6] Cross-Site Request Forgery allowing sending of test emails and generation of node auto-deployment keys [GHSA-7h26-63m7-qhf2] HTML comments vulnerability allowing to execute JavaScript code [GHSA-pvmx-g8h5-cprj] Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML [GHSA-r7cj-8hjg-x622] DBAL 3 SQL Injection Security Vulnerability [GHSA-cq58-r77c-5jjw] Cross-site scripting (XSS) from image block content in the site frontend [GHSA-x7j7-qp7j-hw3q] Cross-site scripting (XSS) from writer field content in the site frontend [GHSA-wmpv-c2jp-j2xg] ERC1155Supply vulnerability in OpenZeppelin Contracts [GHSA-p9m8-27x8-rg87] Critical vulnerability found in cron-utils [GHSA-4999-659w-mq36] Authentication bypass issue in the Operator Console [GHSA-844m-cpr9-jcmh] Secure/signed cookies share secrets between sites in a multi-site application [GHSA-35rf-v2jv-gfg7] Privilege escalation to cluster admin on multi-tenant environments