ID

VAR-202205-1990

CVE

CVE-2022-1927

TITLE

vim/vim  Out-of-bounds read vulnerability in

DESCRIPTION

Buffer Over-read in GitHub repository vim/vim prior to 8.2. vim/vim Exists in an out-of-bounds read vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Vim is a cross-platform text editor. Vim versions prior to 8.2 have a security vulnerability caused by buffer overreading. Bugs fixed (https://bugzilla.redhat.com/): 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update Advisory ID: RHSA-2022:6156-01 Product: RHODF Advisory URL: https://access.redhat.com/errata/RHSA-2022:6156 Issue date: 2022-08-24 CVE Names: CVE-2021-23440 CVE-2021-23566 CVE-2021-40528 CVE-2022-0235 CVE-2022-0536 CVE-2022-0670 CVE-2022-1292 CVE-2022-1586 CVE-2022-1650 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-21698 CVE-2022-22576 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24675 CVE-2022-24771 CVE-2022-24772 CVE-2022-24773 CVE-2022-24785 CVE-2022-24921 CVE-2022-25313 CVE-2022-25314 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-28327 CVE-2022-29526 CVE-2022-29810 CVE-2022-29824 CVE-2022-31129 ==================================================================== 1. Summary: Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.11.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * eventsource: Exposure of Sensitive Information (CVE-2022-1650) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * nodejs-set-value: type confusion allows bypass of CVE-2019-10747 (CVE-2021-23440) * nanoid: Information disclosure via valueOf() function (CVE-2021-23566) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772) * golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773) * golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806) * golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675) * node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771) * node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772) * node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) * golang: syscall: faccessat checks wrong group (CVE-2022-29526) * go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses (CVE-2022-29810) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes: https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images, which provide numerous bug fixes and enhancements. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1937117 - Deletion of StorageCluster doesn't remove ceph toolbox pod 1947482 - The device replacement process when deleting the volume metadata need to be fixed or modified 1973317 - libceph: read_partial_message and bad crc/signature errors 1996829 - Permissions assigned to ceph auth principals when using external storage are too broad 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 2027724 - Warning log for rook-ceph-toolbox in ocs-operator log 2029298 - [GSS] Noobaa is not compatible with aws bucket lifecycle rule creation policies 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047173 - [RFE] Change controller-manager pod name in odf-lvm-operator to more relevant name to lvm 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2050897 - CVE-2022-0235 mcg-core-container: node-fetch: exposure of sensitive information to an unauthorized actor [openshift-data-foundation-4] 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements 2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString 2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control 2056697 - odf-csi-addons-operator subscription failed while using custom catalog source 2058211 - Add validation for CIDR field in DRPolicy 2060487 - [ODF to ODF MS] Consumer lost connection to provider API if the endpoint node is powered off/replaced 2060790 - ODF under Storage missing for OCP 4.11 + ODF 4.10 2061713 - [KMS] The error message during creation of encrypted PVC mentions the parameter in UPPER_CASE 2063691 - [GSS] [RFE] Add termination policy to s3 route 2064426 - [GSS][External Mode] exporter python script does not support FQDN for RGW endpoint 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression 2066514 - OCS operator to install Ceph prometheus alerts instead of Rook 2067079 - [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery 2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure 2069314 - OCS external mode should allow specifying names for all Ceph auth principals 2069319 - [RFE] OCS CephFS External Mode Multi-tenancy. Add cephfs subvolumegroup and path= caps per cluster. 2069812 - must-gather: rbd_vol_and_snap_info collection is broken 2069815 - must-gather: essential rbd mirror command outputs aren't collected 2070542 - After creating a new storage system it redirects to 404 error page instead of the "StorageSystems" page for OCP 4.11 2071494 - [DR] Applications are not getting deployed 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073920 - rook osd prepare failed with this error - failed to set kek as an environment variable: key encryption key is empty 2074810 - [Tracker for Bug 2074585] MCG standalone deployment page goes blank when the KMS option is enabled 2075426 - 4.10 must gather is not available after GA of 4.10 2075581 - [IBM Z] : ODF 4.11.0-38 deployment leaves the storagecluster in "Progressing" state although all the openshift-storage pods are up and Running 2076457 - After node replacement[provider], connection issue between consumer and provider if the provider node which was referenced MON-endpoint configmap (on consumer) is lost 2077242 - vg-manager missing permissions 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2079866 - [DR] odf-multicluster-console is in CLBO state 2079873 - csi-nfsplugin pods are not coming up after successful patch request to update "ROOK_CSI_ENABLE_NFS": "true"' 2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses 2081680 - Add the LVM Operator into the Storage category in OperatorHub 2082028 - UI does not have the option to configure capacity, security and networks,etc. during storagesystem creation 2082078 - OBC's not getting created on primary cluster when manageds3 set as "true" for mirrorPeer 2082497 - Do not filter out removable devices 2083074 - [Tracker for Ceph BZ #2086419] Two Ceph mons crashed in ceph-16.2.7/src/mon/PaxosService.cc: 193: FAILED ceph_assert(have_pending) 2083441 - LVM operator should deploy the volumesnapshotclass resource 2083953 - [Tracker for Ceph BZ #2084579] PVC created with ocs-storagecluster-ceph-nfs storageclass is moving to pending status 2083993 - Add missing pieces for storageclassclaim 2084041 - [Console Migration] Link-able storage system name directs to blank page 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group 2084201 - MCG operator pod is stuck in a CrashLoopBackOff; Panic Attack: [] an empty namespace may not be set when a resource name is provided" 2084503 - CLI falsely flags unique PVPool backingstore secrets as duplicates 2084546 - [Console Migration] Provider details absent under backing store in UI 2084565 - [Console Migration] The creation of new backing store , directs to a blank page 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2085351 - [DR] Mirrorpeer failed to create with msg Internal error occurred 2085357 - [DR] When drpolicy is create drcluster resources are getting created under default namespace 2086557 - Thin pool in lvm operator doesn't use all disks 2086675 - [UI]No option to "add capacity" via the Installed Operators tab 2086982 - ODF 4.11 deployment is failing 2086983 - [odf-clone] Mons IP not updated correctly in the rook-ceph-mon-endpoints cm 2087078 - [RDR] [UI] Multiple instances of Object Bucket, Object Bucket Claims and 'Overview' tab is present under Storage section on the Hub cluster when navigated back from the Managed cluster using the Hybrid console dropdown 2087107 - Set default storage class if none is set 2087237 - [UI] After clicking on Create StorageSystem, it navigates to Storage Systems tab but shows an error message 2087675 - ocs-metrics-exporter pod crashes on odf v4.11 2087732 - [Console Migration] Events page missing under new namespace store 2087755 - [Console Migration] Bucket Class details page doesn't have the complete details in UI 2088359 - Send VG Metrics even if storage is being consumed from thinPool alone 2088380 - KMS using vault on standalone MCG cluster is not enabled 2088506 - ceph-external-cluster-details-exporter.py should not accept hostname for rgw-endpoint 2088587 - Removal of external storage system with misconfigured cephobjectstore fails on noobaa webhook 2089296 - [MS v2] Storage cluster in error phase and 'ocs-provider-qe' addon installation failed with ODF 4.10.2 2089342 - prometheus pod goes into OOMKilled state during ocs-osd-controller-manager pod restarts 2089397 - [GSS]OSD pods CLBO after upgrade to 4.10 from 4.9. 2089552 - [MS v2] Cannot create StorageClassClaim 2089567 - [Console Migration] Improve the styling of Various Components 2089786 - [Console Migration] "Attach to deployment" option is missing in kebab menu for Object Bucket Claims . 2089795 - [Console Migration] Yaml and Events page is missing for Object Bucket Claims and Object Bucket. 2089797 - [RDR] rbd image failed to mount with msg rbd error output: rbd: sysfs write failed 2090278 - [LVMO] Some containers are missing resource requirements and limits 2090314 - [LVMO] CSV is missing some useful annotations 2090953 - [MCO] DRCluster created under default namespace 2091487 - [Hybrid Console] Multicluster dashboard is not displaying any metrics 2091638 - [Console Migration] Yaml page is missing for existing and newly created Block pool. 2091641 - MCG operator pod is stuck in a CrashLoopBackOff; MapSecretToNamespaceStores invalid memory address or nil pointer dereference 2091681 - Auto replication policy type detection is not happneing on DRPolicy creation page when ceph cluster is external 2091894 - All backingstores in cluster spontaneously change their own secret 2091951 - [GSS] OCS pods are restarting due to liveness probe failure 2091998 - Volume Snapshots not work with external restricted mode 2092143 - Deleting a CephBlockPool CR does not delete the underlying Ceph pool 2092217 - [External] UI for uploding JSON data for external cluster connection has some strict checks 2092220 - [Tracker for Ceph BZ #2096882] CephNFS is not reaching to Ready state on ODF on IBM Power (ppc64le) 2092349 - Enable zeroing on the thin-pool during creation 2092372 - [MS v2] StorageClassClaim is not reaching Ready Phase 2092400 - [MS v2] StorageClassClaim creation is failing with error "no StorageCluster found" 2093266 - [RDR] When mirroring is enabled rbd mirror daemon restart config should be enabled automatically 2093848 - Note about token for encrypted PVCs should be removed when only cluster wide encryption checkbox is selected 2094179 - MCO fails to create DRClusters when replication mode is synchronous 2094853 - [Console Migration] Description under storage class drop down in add capacity is missing . 2094856 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount 2095155 - Use tool `black` to format the python external script 2096209 - ReclaimSpaceJob fails on OCP 4.11 + ODF 4.10 cluster 2096414 - Compression status for cephblockpool is reported as Enabled and Disabled at the same time 2096509 - [Console Migration] Unable to select Storage Class in Object Bucket Claim creation page 2096513 - Infinite BlockPool tabs get created when the StorageSystem details page is opened 2096823 - After upgrading the cluster from ODF4.10 to ODF4.11, the ROOK_CSI_ENABLE_CEPHFS move to False 2096937 - Storage - Data Foundation: i18n misses 2097216 - Collect StorageClassClaim details in must-gather 2097287 - [UI] Dropdown doesn't close on it's own after arbiter zone selection on 'Capacity and nodes' page 2097305 - Add translations for ODF 4.11 2098121 - Managed ODF not getting detected 2098261 - Remove BlockPools(no use case) and Object(redundat with Overview) tab on the storagesystem page for NooBaa only and remove BlockPools tab for External mode deployment 2098536 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount 2099265 - [KMS] The storagesystem creation page goes blank when KMS is enabled 2099581 - StorageClassClaim with encryption gets into Failed state 2099609 - The red-hat-storage/topolvm release-4.11 needs to be synced with the upstream project 2099646 - Block pool list page kebab action menu is showing empty options 2099660 - OCS dashbaords not appearing unless user clicks on "Overview" Tab 2099724 - S3 secret namespace on the managed cluster doesn't match with the namespace in the s3profile 2099965 - rbd: provide option to disable setting metadata on RBD images 2100326 - [ODF to ODF] Volume snapshot creation failed 2100352 - Make lvmo pod labels more uniform 2100946 - Avoid temporary ceph health alert for new clusters where the insecure global id is allowed longer than necessary 2101139 - [Tracker for OCP BZ #2102782] topolvm-controller get into CrashLoopBackOff few minutes after install 2101380 - Default backingstore is rejected with message INVALID_SCHEMA_PARAMS SERVER account_api#/methods/check_external_connection 2103818 - Restored snapshot don't have any content 2104833 - Need to update configmap for IBM storage odf operator GA 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 5. References: https://access.redhat.com/security/cve/CVE-2021-23440 https://access.redhat.com/security/cve/CVE-2021-23566 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0536 https://access.redhat.com/security/cve/CVE-2022-0670 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1650 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-22576 https://access.redhat.com/security/cve/CVE-2022-23772 https://access.redhat.com/security/cve/CVE-2022-23773 https://access.redhat.com/security/cve/CVE-2022-23806 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-24771 https://access.redhat.com/security/cve/CVE-2022-24772 https://access.redhat.com/security/cve/CVE-2022-24773 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-24921 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-27774 https://access.redhat.com/security/cve/CVE-2022-27776 https://access.redhat.com/security/cve/CVE-2022-27782 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29526 https://access.redhat.com/security/cve/CVE-2022-29810 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.11/html/4.11_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYwZpHdzjgjWX9erEAQgy1Q//QaStGj34eQ0ap5J5gCcC1lTv7U908fNy Xo7VvwAi67IslacAiQhWNyhg+jr1c46Op7kAAC04f8n25IsM+7xYYyieJ0YDAP7N b3iySRKnPI6I9aJlN0KMm7J1jfjFmcuPMrUdDHiSGNsmK9zLmsQs3dGMaCqYX+fY sJEDPnMMulbkrPLTwSG2IEcpqGH2BoEYwPhSblt2fH0Pv6H7BWYF/+QjxkGOkGDj gz0BBnc1Foir2BpYKv6/+3FUbcXFdBXmrA5BIcZ9157Yw3RP/khf+lQ6I1KYX1Am 2LI6/6qL8HyVWyl+DEUz0DxoAQaF5x61C35uENyh/U96sYeKXtP9rvDC41TvThhf mX4woWcUN1euDfgEF22aP9/gy+OsSyfP+SV0d9JKIaM9QzCCOwyKcIM2+CeL4LZl CSAYI7M+cKsl1wYrioNBDdG8H54GcGV8kS1Hihb+Za59J7pf/4IPuHy3Cd6FBymE hTFLE9YGYeVtCufwdTw+4CEjB2jr3WtzlYcSc26SET9aPCoTUmS07BaIAoRmzcKY 3KKSKi3LvW69768OLQt8UT60WfQ7zHa+OWuEp1tVoXe/XU3je42yuptCd34axn7E 2gtZJOocJxL2FtehhxNTx7VI3Bjy2V0VGlqqf1t6/z6r0IOhqxLbKeBvH9/XF/6V ERCapzwcRuQ=gV+z -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat Advanced Cluster Management for Kubernetes 2.4.6 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/ Security fixes: * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629) * moment: inefficient parsing algorithim resulting in DoS (CVE-2022-31129) * nodejs16: CRLF injection in node-undici (CVE-2022-31150) * nodejs/undici: Cookie headers uncleared on cross-origin redirect (CVE-2022-31151) * vm2: Sandbox Escape in vm2 (CVE-2022-36067) Bug fixes: * RHACM 2.4 using deprecated APIs in managed clusters (BZ# 2041540) * vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes (BZ# 2074766) * cluster update status is stuck, also update is not even visible (BZ# 2079418) * Policy that creates cluster role is showing as not compliant due to Request entity too large message (BZ# 2088486) * Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster (BZ# 2089490) * ACM Console Becomes Unusable After a Time (BZ# 2097464) * RHACM 2.4.6 images (BZ# 2100613) * Cluster Pools with conflicting name of existing clusters in same namespace fails creation and deletes existing cluster (BZ# 2102436) * ManagedClusters in Pending import state after ACM hub migration (BZ# 2102495) 3. Solution: For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on installing this update: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing 4. Bugs fixed (https://bugzilla.redhat.com/): 2041540 - RHACM 2.4 using deprecated APIs in managed clusters 2074766 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes 2079418 - cluster update status is stuck, also update is not even visible 2088486 - Policy that creates cluster role is showing as not compliant due to Request entity too large message 2089490 - Upgraded from RHACM 2.2-->2.3-->2.4 and cannot create cluster 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2097464 - ACM Console Becomes Unusable After a Time 2100613 - RHACM 2.4.6 images 2102436 - Cluster Pools with conflicting name of existing clusters in same namespace fails creation and deletes existing cluster 2102495 - ManagedClusters in Pending import state after ACM hub migration 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2109354 - CVE-2022-31150 nodejs16: CRLF injection in node-undici 2121396 - CVE-2022-31151 nodejs/undici: Cookie headers uncleared on cross-origin redirect 2124794 - CVE-2022-36067 vm2: Sandbox Escape in vm2 5. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * vim: Out-of-bounds Write (CVE-2022-1785) * vim: out-of-bounds write in vim_regsub_both() in regexp.c (CVE-2022-1897) * vim: buffer over-read in utf_ptr2char() in mbyte.c (CVE-2022-1927) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 2088689 - CVE-2022-1785 vim: Out-of-bounds Write 2091682 - CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c 2091687 - CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c 6. Package List: Red Hat Enterprise Linux AppStream (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Summary: This is an updated release of the Self Node Remediation Operator. The Self Node Remediation Operator replaces the Poison Pill Operator, and is delivered by Red Hat Workload Availability. Description: The Self Node Remediation Operator works in conjunction with the Machine Health Check or the Node Health Check Operators to provide automatic remediation of unhealthy nodes by rebooting them. This minimizes downtime for stateful applications and RWO volumes, as well as restoring compute capacity in the event of transient failures. Bugs fixed (https://bugzilla.redhat.com/): 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. Summary: The Migration Toolkit for Containers (MTC) 1.7.4 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/): 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key 2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key 2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key 2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. Description: Logging Subsystem 5.5.5 - Red Hat OpenShift Security Fixe(s): * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * loader-utils: Regular expression denial of service (CVE-2022-37603) * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202305-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Vim, gVim: Multiple Vulnerabilities Date: May 03, 2023 Bugs: #851231, #861092, #869359, #879257, #883681, #889730 ID: 202305-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. gVim is the GUI version of Vim. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-editors/gvim < 9.0.1157 >= 9.0.1157 2 app-editors/vim < 9.0.1157 >= 9.0.1157 3 app-editors/vim-core < 9.0.1157 >= 9.0.1157 Description =========== Multiple vulnerabilities have been discovered in Vim, gVim. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Vim users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-editors/vim-9.0.1157" All gVim users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-editors/gvim-9.0.1157" All vim-core users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-editors/vim-core-9.0.1157" References ========== [ 1 ] CVE-2022-1154 https://nvd.nist.gov/vuln/detail/CVE-2022-1154 [ 2 ] CVE-2022-1160 https://nvd.nist.gov/vuln/detail/CVE-2022-1160 [ 3 ] CVE-2022-1381 https://nvd.nist.gov/vuln/detail/CVE-2022-1381 [ 4 ] CVE-2022-1420 https://nvd.nist.gov/vuln/detail/CVE-2022-1420 [ 5 ] CVE-2022-1616 https://nvd.nist.gov/vuln/detail/CVE-2022-1616 [ 6 ] CVE-2022-1619 https://nvd.nist.gov/vuln/detail/CVE-2022-1619 [ 7 ] CVE-2022-1620 https://nvd.nist.gov/vuln/detail/CVE-2022-1620 [ 8 ] CVE-2022-1621 https://nvd.nist.gov/vuln/detail/CVE-2022-1621 [ 9 ] CVE-2022-1629 https://nvd.nist.gov/vuln/detail/CVE-2022-1629 [ 10 ] CVE-2022-1674 https://nvd.nist.gov/vuln/detail/CVE-2022-1674 [ 11 ] CVE-2022-1720 https://nvd.nist.gov/vuln/detail/CVE-2022-1720 [ 12 ] CVE-2022-1725 https://nvd.nist.gov/vuln/detail/CVE-2022-1725 [ 13 ] CVE-2022-1733 https://nvd.nist.gov/vuln/detail/CVE-2022-1733 [ 14 ] CVE-2022-1735 https://nvd.nist.gov/vuln/detail/CVE-2022-1735 [ 15 ] CVE-2022-1769 https://nvd.nist.gov/vuln/detail/CVE-2022-1769 [ 16 ] CVE-2022-1771 https://nvd.nist.gov/vuln/detail/CVE-2022-1771 [ 17 ] CVE-2022-1785 https://nvd.nist.gov/vuln/detail/CVE-2022-1785 [ 18 ] CVE-2022-1796 https://nvd.nist.gov/vuln/detail/CVE-2022-1796 [ 19 ] CVE-2022-1851 https://nvd.nist.gov/vuln/detail/CVE-2022-1851 [ 20 ] CVE-2022-1886 https://nvd.nist.gov/vuln/detail/CVE-2022-1886 [ 21 ] CVE-2022-1897 https://nvd.nist.gov/vuln/detail/CVE-2022-1897 [ 22 ] CVE-2022-1898 https://nvd.nist.gov/vuln/detail/CVE-2022-1898 [ 23 ] CVE-2022-1927 https://nvd.nist.gov/vuln/detail/CVE-2022-1927 [ 24 ] CVE-2022-1942 https://nvd.nist.gov/vuln/detail/CVE-2022-1942 [ 25 ] CVE-2022-1968 https://nvd.nist.gov/vuln/detail/CVE-2022-1968 [ 26 ] CVE-2022-2000 https://nvd.nist.gov/vuln/detail/CVE-2022-2000 [ 27 ] CVE-2022-2042 https://nvd.nist.gov/vuln/detail/CVE-2022-2042 [ 28 ] CVE-2022-2124 https://nvd.nist.gov/vuln/detail/CVE-2022-2124 [ 29 ] CVE-2022-2125 https://nvd.nist.gov/vuln/detail/CVE-2022-2125 [ 30 ] CVE-2022-2126 https://nvd.nist.gov/vuln/detail/CVE-2022-2126 [ 31 ] CVE-2022-2129 https://nvd.nist.gov/vuln/detail/CVE-2022-2129 [ 32 ] CVE-2022-2175 https://nvd.nist.gov/vuln/detail/CVE-2022-2175 [ 33 ] CVE-2022-2182 https://nvd.nist.gov/vuln/detail/CVE-2022-2182 [ 34 ] CVE-2022-2183 https://nvd.nist.gov/vuln/detail/CVE-2022-2183 [ 35 ] CVE-2022-2206 https://nvd.nist.gov/vuln/detail/CVE-2022-2206 [ 36 ] CVE-2022-2207 https://nvd.nist.gov/vuln/detail/CVE-2022-2207 [ 37 ] CVE-2022-2208 https://nvd.nist.gov/vuln/detail/CVE-2022-2208 [ 38 ] CVE-2022-2210 https://nvd.nist.gov/vuln/detail/CVE-2022-2210 [ 39 ] CVE-2022-2231 https://nvd.nist.gov/vuln/detail/CVE-2022-2231 [ 40 ] CVE-2022-2257 https://nvd.nist.gov/vuln/detail/CVE-2022-2257 [ 41 ] CVE-2022-2264 https://nvd.nist.gov/vuln/detail/CVE-2022-2264 [ 42 ] CVE-2022-2284 https://nvd.nist.gov/vuln/detail/CVE-2022-2284 [ 43 ] CVE-2022-2285 https://nvd.nist.gov/vuln/detail/CVE-2022-2285 [ 44 ] CVE-2022-2286 https://nvd.nist.gov/vuln/detail/CVE-2022-2286 [ 45 ] CVE-2022-2287 https://nvd.nist.gov/vuln/detail/CVE-2022-2287 [ 46 ] CVE-2022-2288 https://nvd.nist.gov/vuln/detail/CVE-2022-2288 [ 47 ] CVE-2022-2289 https://nvd.nist.gov/vuln/detail/CVE-2022-2289 [ 48 ] CVE-2022-2304 https://nvd.nist.gov/vuln/detail/CVE-2022-2304 [ 49 ] CVE-2022-2343 https://nvd.nist.gov/vuln/detail/CVE-2022-2343 [ 50 ] CVE-2022-2344 https://nvd.nist.gov/vuln/detail/CVE-2022-2344 [ 51 ] CVE-2022-2345 https://nvd.nist.gov/vuln/detail/CVE-2022-2345 [ 52 ] CVE-2022-2522 https://nvd.nist.gov/vuln/detail/CVE-2022-2522 [ 53 ] CVE-2022-2816 https://nvd.nist.gov/vuln/detail/CVE-2022-2816 [ 54 ] CVE-2022-2817 https://nvd.nist.gov/vuln/detail/CVE-2022-2817 [ 55 ] CVE-2022-2819 https://nvd.nist.gov/vuln/detail/CVE-2022-2819 [ 56 ] CVE-2022-2845 https://nvd.nist.gov/vuln/detail/CVE-2022-2845 [ 57 ] CVE-2022-2849 https://nvd.nist.gov/vuln/detail/CVE-2022-2849 [ 58 ] CVE-2022-2862 https://nvd.nist.gov/vuln/detail/CVE-2022-2862 [ 59 ] CVE-2022-2874 https://nvd.nist.gov/vuln/detail/CVE-2022-2874 [ 60 ] CVE-2022-2889 https://nvd.nist.gov/vuln/detail/CVE-2022-2889 [ 61 ] CVE-2022-2923 https://nvd.nist.gov/vuln/detail/CVE-2022-2923 [ 62 ] CVE-2022-2946 https://nvd.nist.gov/vuln/detail/CVE-2022-2946 [ 63 ] CVE-2022-2980 https://nvd.nist.gov/vuln/detail/CVE-2022-2980 [ 64 ] CVE-2022-2982 https://nvd.nist.gov/vuln/detail/CVE-2022-2982 [ 65 ] CVE-2022-3016 https://nvd.nist.gov/vuln/detail/CVE-2022-3016 [ 66 ] CVE-2022-3099 https://nvd.nist.gov/vuln/detail/CVE-2022-3099 [ 67 ] CVE-2022-3134 https://nvd.nist.gov/vuln/detail/CVE-2022-3134 [ 68 ] CVE-2022-3153 https://nvd.nist.gov/vuln/detail/CVE-2022-3153 [ 69 ] CVE-2022-3234 https://nvd.nist.gov/vuln/detail/CVE-2022-3234 [ 70 ] CVE-2022-3235 https://nvd.nist.gov/vuln/detail/CVE-2022-3235 [ 71 ] CVE-2022-3256 https://nvd.nist.gov/vuln/detail/CVE-2022-3256 [ 72 ] CVE-2022-3278 https://nvd.nist.gov/vuln/detail/CVE-2022-3278 [ 73 ] CVE-2022-3296 https://nvd.nist.gov/vuln/detail/CVE-2022-3296 [ 74 ] CVE-2022-3297 https://nvd.nist.gov/vuln/detail/CVE-2022-3297 [ 75 ] CVE-2022-3324 https://nvd.nist.gov/vuln/detail/CVE-2022-3324 [ 76 ] CVE-2022-3352 https://nvd.nist.gov/vuln/detail/CVE-2022-3352 [ 77 ] CVE-2022-3491 https://nvd.nist.gov/vuln/detail/CVE-2022-3491 [ 78 ] CVE-2022-3520 https://nvd.nist.gov/vuln/detail/CVE-2022-3520 [ 79 ] CVE-2022-3591 https://nvd.nist.gov/vuln/detail/CVE-2022-3591 [ 80 ] CVE-2022-3705 https://nvd.nist.gov/vuln/detail/CVE-2022-3705 [ 81 ] CVE-2022-4141 https://nvd.nist.gov/vuln/detail/CVE-2022-4141 [ 82 ] CVE-2022-4292 https://nvd.nist.gov/vuln/detail/CVE-2022-4292 [ 83 ] CVE-2022-4293 https://nvd.nist.gov/vuln/detail/CVE-2022-4293 [ 84 ] CVE-2022-47024 https://nvd.nist.gov/vuln/detail/CVE-2022-47024 [ 85 ] CVE-2023-0049 https://nvd.nist.gov/vuln/detail/CVE-2023-0049 [ 86 ] CVE-2023-0051 https://nvd.nist.gov/vuln/detail/CVE-2023-0051 [ 87 ] CVE-2023-0054 https://nvd.nist.gov/vuln/detail/CVE-2023-0054 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202305-16 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-08-12T20:51:56.286000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE