-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Gluster Storage web-admin-build security update Advisory ID: RHSA-2023:1486-01 Product: Red Hat Gluster Storage Advisory URL: https://access.redhat.com/errata/RHSA-2023:1486 Issue date: 2023-03-28 CVE Names: CVE-2022-24790 CVE-2022-30122 CVE-2022-30123 CVE-2022-31129 CVE-2022-31163 ===================================================================== 1. Summary: An update is now available for Red Hat Gluster Storage 3.5 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Gluster 3.5 Web Administration on RHEL-7 - noarch, x86_64 3. Description: Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix(es): * puma-5.6.4: http request smuggling vulnerabilities (CVE-2022-24790) * rubygem-rack: crafted requests can cause shell escape sequences (CVE-2022-30123) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * rubygem-tzinfo: arbitrary code execution (CVE-2022-31163) * rubygem-rack: crafted multipart POST request may cause a DoS (CVE-2022-30122) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2071616 - CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities 2099519 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS 2099524 - CVE-2022-30123 rubygem-rack: crafted requests can cause shell escape sequences 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution 6. Package List: Red Hat Gluster 3.5 Web Administration on RHEL-7: Source: grafana-5.2.4-6.el7rhgs.src.rpm python-django-1.11.27-4.el7rhgs.src.rpm ruby-2.4.9-94.el7rhgs.src.rpm rubygem-activemodel-5.2.0-1.el7rhgs.src.rpm rubygem-activesupport-5.2.0-1.el7rhgs.src.rpm rubygem-bcrypt-3.1.12-2.el7rhgs.src.rpm rubygem-concurrent-ruby-1.1.9-1.el7rhgs.src.rpm rubygem-i18n-1.9.1-1.el7rhgs.src.rpm rubygem-mustermann-1.0.3-1.el7rhgs.src.rpm rubygem-nio4r-2.3.1-2.el7rhgs.src.rpm rubygem-puma-4.3.12-1.el7rhgs.src.rpm rubygem-rack-2.2.4-1.el7rhgs.src.rpm rubygem-rack-protection-2.2.0-1.el7rhgs.src.rpm rubygem-sinatra-2.2.0-1.el7rhgs.src.rpm rubygem-thread_safe-0.3.6-1.el7rhgs.src.rpm rubygem-tilt-2.0.11-1.el7rhgs.src.rpm rubygem-tzinfo-1.2.10-1.el7rhgs.src.rpm noarch: python-django-bash-completion-1.11.27-4.el7rhgs.noarch.rpm python2-django-1.11.27-4.el7rhgs.noarch.rpm python2-django-doc-1.11.27-4.el7rhgs.noarch.rpm ruby-doc-2.4.9-94.el7rhgs.noarch.rpm ruby-irb-2.4.9-94.el7rhgs.noarch.rpm rubygem-activemodel-5.2.0-1.el7rhgs.noarch.rpm rubygem-activemodel-doc-5.2.0-1.el7rhgs.noarch.rpm rubygem-activesupport-5.2.0-1.el7rhgs.noarch.rpm rubygem-activesupport-doc-5.2.0-1.el7rhgs.noarch.rpm rubygem-bcrypt-doc-3.1.12-2.el7rhgs.noarch.rpm rubygem-concurrent-ruby-1.1.9-1.el7rhgs.noarch.rpm rubygem-concurrent-ruby-doc-1.1.9-1.el7rhgs.noarch.rpm rubygem-i18n-1.9.1-1.el7rhgs.noarch.rpm rubygem-i18n-doc-1.9.1-1.el7rhgs.noarch.rpm rubygem-minitest-5.10.1-94.el7rhgs.noarch.rpm rubygem-mustermann-1.0.3-1.el7rhgs.noarch.rpm rubygem-mustermann-doc-1.0.3-1.el7rhgs.noarch.rpm rubygem-nio4r-doc-2.3.1-2.el7rhgs.noarch.rpm rubygem-power_assert-0.4.1-94.el7rhgs.noarch.rpm rubygem-puma-doc-4.3.12-1.el7rhgs.noarch.rpm rubygem-rack-2.2.4-1.el7rhgs.noarch.rpm rubygem-rack-doc-2.2.4-1.el7rhgs.noarch.rpm rubygem-rack-protection-2.2.0-1.el7rhgs.noarch.rpm rubygem-rack-protection-doc-2.2.0-1.el7rhgs.noarch.rpm rubygem-rake-12.0.0-94.el7rhgs.noarch.rpm rubygem-rdoc-5.0.1-94.el7rhgs.noarch.rpm rubygem-sinatra-2.2.0-1.el7rhgs.noarch.rpm rubygem-sinatra-doc-2.2.0-1.el7rhgs.noarch.rpm rubygem-test-unit-3.2.3-94.el7rhgs.noarch.rpm rubygem-thread_safe-0.3.6-1.el7rhgs.noarch.rpm rubygem-thread_safe-doc-0.3.6-1.el7rhgs.noarch.rpm rubygem-tilt-2.0.11-1.el7rhgs.noarch.rpm rubygem-tilt-doc-2.0.11-1.el7rhgs.noarch.rpm rubygem-tzinfo-1.2.10-1.el7rhgs.noarch.rpm rubygem-tzinfo-doc-1.2.10-1.el7rhgs.noarch.rpm rubygem-xmlrpc-0.2.1-94.el7rhgs.noarch.rpm rubygems-2.6.14.4-94.el7rhgs.noarch.rpm rubygems-devel-2.6.14.4-94.el7rhgs.noarch.rpm x86_64: grafana-5.2.4-6.el7rhgs.x86_64.rpm ruby-2.4.9-94.el7rhgs.x86_64.rpm ruby-debuginfo-2.4.9-94.el7rhgs.x86_64.rpm ruby-devel-2.4.9-94.el7rhgs.x86_64.rpm ruby-libs-2.4.9-94.el7rhgs.x86_64.rpm rubygem-bcrypt-3.1.12-2.el7rhgs.x86_64.rpm rubygem-bcrypt-debuginfo-3.1.12-2.el7rhgs.x86_64.rpm rubygem-bigdecimal-1.3.2-94.el7rhgs.x86_64.rpm rubygem-did_you_mean-1.1.0-94.el7rhgs.x86_64.rpm rubygem-io-console-0.4.6-94.el7rhgs.x86_64.rpm rubygem-json-2.0.4-94.el7rhgs.x86_64.rpm rubygem-net-telnet-0.1.1-94.el7rhgs.x86_64.rpm rubygem-nio4r-2.3.1-2.el7rhgs.x86_64.rpm rubygem-nio4r-debuginfo-2.3.1-2.el7rhgs.x86_64.rpm rubygem-openssl-2.0.9-94.el7rhgs.x86_64.rpm rubygem-psych-2.2.2-94.el7rhgs.x86_64.rpm rubygem-puma-4.3.12-1.el7rhgs.x86_64.rpm rubygem-puma-debuginfo-4.3.12-1.el7rhgs.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-24790 https://access.redhat.com/security/cve/CVE-2022-30122 https://access.redhat.com/security/cve/CVE-2022-30123 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/cve/CVE-2022-31163 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZCJbr9zjgjWX9erEAQjn5RAAoUF/k8EPq7iO9+x35TIISMUb+zNQON1F iM5r74vbqDjgB7HjNBJptdMj25UA+gOqrzl2UfpWpw5QZlPpnr3nCEcHrq1qKHHt IT7cZUWdvp1Gz+e0OtSPHDvmSlS/Wko1ElsH4i5SZayl+K9V7DJjShd0KJGpK9F4 grBeCjGqGr9Yl2QVAjrKLtWg4JGzbKO0WNJ+vs5XaN3SToCy534sIsRTkH2/JMcG B9yQPQ0uQ6p6GBzPNWwReZngACEgEVIVwyFFVuEEbli7b5d5qzRCSFycrp8qqlGd HGYVRXIk8pWnzq/Ex99Rv9ni3zQlwBkBWeQxko30NfTZAS5mS94n66+dJc6Ynxhr yQo/WHGd4OlHlBt4d3HTLfgl0O9Fwz60B/o8MWHf+FkR/byxOiPbLPuNZekCXNEP jVGnFw46osRgBjw2qerUuftnMLi9NY6+SoaEfRTjaQSxC+wv+9gUmgKkOSKgK3xr ThraNkkupLwWNA+AsIQGlGwfPHKyAbP3qr6yCulFB4fKb9btOprq7b+cxGhZt5ql R7NFlVZuMg6uTnb+YXAOoAsLzWQJpZiOXO8g3B3UhQcjqamgo/7Rr62n4kFDslfN HDWP2/GJeYe7A3DlfRawVi5zAFa5HCSDdsZUjvFa67cwv/3H2jgnFg4kSBj6yb3P dK9wE3y07no= =kXpV -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce