-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Fuse 7.8.1 patch release and security update
Advisory ID:       RHSA-2021:1401-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1401
Issue date:        2021-04-27
CVE Names:         CVE-2020-28052 
=====================================================================

1. Summary:

A micro version update (from 7.8.0 to 7.8.1) is now available for Red Hat
Fuse on Karaf and Red Hat Fuse on Spring Boot 2. The purpose of this
text-only errata is to inform you about the security issues fixed in this
release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.8.1 serves as a patch to Red Hat Fuse on
Karaf and Red Hat Fuse on Spring Boot 2 (7.8.0), and includes security
fixes, which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible - Karaf (CVE-2020-28052)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible - Spring Boot 2 (CVE-2020-28052)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.8.0 product
documentation page:

https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/install
ing_on_apache_karaf/apply-hotfix-patch

https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deployi
ng_into_spring_boot/patch-red-hat-fuse-applications

4. Bugs fixed (https://bugzilla.redhat.com/):

1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible

5. References:

https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.8.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYIfQDtzjgjWX9erEAQgs8g/8D1JzNDrU9s8NIDGecM17U83tb62pdeHi
2WzKUFsG5cebZV1UpvIF0oeoIwAzwSROw9/TRzi5tzeibPEPVdW94DO9qApRNSsS
TdNxAAuPxkQkx6DoUOPxqw/vDC9oI0jGILL/wGKRX39kKEhtknghSq/5nZrjkP9v
3Y+6c+eKwgEJWQRn93NPaKa3kc18laFSmGp+gKppzafAh6h3LYZwFtCJs9sn0Lbx
pEEujMp1hibg9uAE7EWzw0dbyjNgg3befA56V5DtusvkE+MrbyDtbm4rGxyEUTUg
CrXxcl93ErngWgscIVcjDOPU2KKuvaamjisk0UvcYLDNXlL7aMjqobyPBgi4BO8F
iPLuWcJLjkfEbLatNuz48tWjhUkk3httU3521AIt4SUgW2daR0lyEqx6aHY5K2hX
apW0wsfnpaTSDOn+PFCnBI6lvhxR9YUgiAphcmhNUJWDrOu1t8wesP4iBsfwj3mf
rZFZlWAF02PV09I448NhDQwxnoSopj5S9MH+KQeipGeH1mpxP+HJSqTAABHm+sxO
bowQGVUdq/b1q8Dl2AU6/f9uyKygWNzWnYRJsQNb5POjauZVdVylF4mv0wcZiD1y
slOPltC+Qg7aJTInhJfwvQURDZON3A3qVk57dM+wOFNxnqEEVbCbvKT2Pi5S4ZW7
kMEDdFVBaGc=
=1BzY
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce