AlmaLinux OS Errata System 0.0.1 5.10 2026-04-10T11:19:59 For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2017-14502 For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-20391 CVE-2019-20392 CVE-2019-20393 CVE-2019-20394 CVE-2019-20395 CVE-2019-20396 CVE-2019-20397 CVE-2019-20398 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. (CVE-2019-5736) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675) * [stream rhel8] unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed (BZ#1695669) * [stream rhel8] don't allow a container to connect to random services (BZ#1695689) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-5736 Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. Security Fix(es): * python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636) * python-sqlalchemy: SQL Injection when the order_by parameter can be controlled (CVE-2019-7164) * python-sqlalchemy: SQL Injection when the group_by parameter can be controlled (CVE-2019-7548) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-7164 CVE-2019-7548 CVE-2019-9636 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to SQL databases. Security Fix(es): * python-sqlalchemy: SQL Injection when the order_by parameter can be controlled (CVE-2019-7164) * python-sqlalchemy: SQL Injection when the group_by parameter can be controlled (CVE-2019-7548) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-7164 CVE-2019-7548 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix(es): * subversion: NULL pointer dereference in svnserve leading to an unauthenticated remote DoS (CVE-2019-0203) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-0203 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * squid: heap-based buffer overflow in HttpHeader::getAuth (CVE-2019-12527) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-12527 The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by AlmaLinux Certificate System. Security Fix(es): * jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-12384 The libwmf packages provide a library for reading and converting Windows Metafile Format (WMF) vector graphics. The library is used by applications such as GIMP and ImageMagick. Security Fix(es): * gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c (CVE-2019-6978) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-6978 Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 (Post Office Protocol 3) and IMAP protocols, with a focus on high concurrency, performance and low memory usage. Security Fix(es): * HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511) * HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513) * HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.16.3). Security Fix(es): * HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511) * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using PRIORITY frames results in excessive resource consumption (CVE-2019-9513) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516) * HTTP/2: request for large response leads to denial of service (CVE-2019-9517) * HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-5737 CVE-2019-9511 CVE-2019-9512 CVE-2019-9513 CVE-2019-9514 CVE-2019-9515 CVE-2019-9516 CVE-2019-9517 CVE-2019-9518 Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. Security Fix(es): * numpy: crafted serialized object passed in numpy.load() in pickle python module allows arbitrary code execution (CVE-2019-6446) * python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740) * python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947) * python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948) * python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236) * python-urllib3: Certification mishandle when error should be thrown (CVE-2019-11324) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-11236 CVE-2019-11324 CVE-2019-6446 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * ntfs-3g: heap-based buffer overflow leads to local root privilege escalation (CVE-2019-9755) * QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables (CVE-2019-9824) * QEMU: qxl: null pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-12155 CVE-2019-9755 CVE-2019-9824 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) * containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure (CVE-2019-10214) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-10214 CVE-2019-14378 GNOME is the default desktop environment of AlmaLinux. Security Fix(es): * evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail() (CVE-2019-11459) * gvfs: improper authorization in daemon/gvfsdaemon.c in gvfsd (CVE-2019-12795) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-11070 CVE-2019-11459 CVE-2019-12795 CVE-2019-3820 CVE-2019-6237 CVE-2019-6251 CVE-2019-8506 CVE-2019-8518 CVE-2019-8523 CVE-2019-8524 CVE-2019-8535 CVE-2019-8536 CVE-2019-8544 CVE-2019-8551 CVE-2019-8558 CVE-2019-8559 CVE-2019-8563 CVE-2019-8571 CVE-2019-8583 CVE-2019-8584 CVE-2019-8586 CVE-2019-8587 CVE-2019-8594 CVE-2019-8595 CVE-2019-8596 CVE-2019-8597 CVE-2019-8601 CVE-2019-8607 CVE-2019-8608 CVE-2019-8609 CVE-2019-8610 CVE-2019-8611 CVE-2019-8615 CVE-2019-8619 CVE-2019-8622 CVE-2019-8623 CVE-2019-8666 CVE-2019-8671 CVE-2019-8672 CVE-2019-8673 CVE-2019-8676 CVE-2019-8677 CVE-2019-8679 CVE-2019-8681 CVE-2019-8686 CVE-2019-8687 CVE-2019-8689 CVE-2019-8690 CVE-2019-8726 CVE-2019-8735 CVE-2019-8768 The gettext packages provide a documentation for producing multi-lingual messages in programs, set of conventions about how programs should be written, a runtime library, and a directory and file naming organization for the message catalogs. Security Fix(es): * gettext: double free in default_add_message in read-catalog.c (CVE-2018-18751) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2018-18751 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix(es): * libvorbis: heap buffer overflow in mapping0_forward function (CVE-2018-10392) * libvorbis: stack buffer overflow in bark_noise_hybridmp function (CVE-2018-10393) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-10392 CVE-2018-10393 The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es): * libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service (CVE-2018-14498) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-14498 The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix(es): * lua: use-after-free in lua_upvaluejoin in lapi.c resulting in denial of service (CVE-2019-6706) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-6706 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (10.3.17), galera (25.3.26). (BZ#1701687, BZ#1711265, BZ#1741358) Security Fix(es): * mysql: InnoDB unspecified vulnerability (CPU Jan 2019) (CVE-2019-2510) * mysql: Server: DDL unspecified vulnerability (CPU Jan 2019) (CVE-2019-2537) * mysql: Server: Replication unspecified vulnerability (CPU Apr 2019) (CVE-2019-2614) * mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2019) (CVE-2019-2627) * mysql: InnoDB unspecified vulnerability (CPU Apr 2019) (CVE-2019-2628) * mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2019) (CVE-2019-2737) * mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2019) (CVE-2019-2739) * mysql: Server: XML unspecified vulnerability (CPU Jul 2019) (CVE-2019-2740) * mysql: InnoDB unspecified vulnerability (CPU Jul 2019) (CVE-2019-2758) * mysql: Server: Parser unspecified vulnerability (CPU Jul 2019) (CVE-2019-2805) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-2510 CVE-2019-2537 CVE-2019-2614 CVE-2019-2627 CVE-2019-2628 CVE-2019-2737 CVE-2019-2739 CVE-2019-2740 CVE-2019-2758 CVE-2019-2805 CVE-2020-2922 CVE-2021-2007 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): * php: underflow in env_path_info in fpm_main.c (CVE-2019-11043) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Critical Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-11043 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es): * php: underflow in env_path_info in fpm_main.c (CVE-2019-11043) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Critical Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-11043 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc (CVE-2019-16884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * avc: podman run --security-opt label=type:svirt_qemu_net_t (BZ#1764318) * backport json-file logging support to 1.4.2 (BZ#1770176) * Selinux won't allow SCTP inter pod communication (BZ#1774382) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-16884 CVE-2019-18466 CVE-2019-9512 CVE-2019-9514 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-9512 CVE-2019-9514 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-11135 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() (CVE-2020-7039) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-15890 CVE-2020-7039 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.19.0). Security Fix(es): * nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605) * nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604) * nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606) * npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775) * npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776) * npm: Global node_modules Binary Overwrite (CVE-2019-16777) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-15604 CVE-2019-15605 CVE-2019-15606 CVE-2019-16775 CVE-2019-16776 CVE-2019-16777 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.16.1). Security Fix(es): * nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605) * nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604) * nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-15604 CVE-2019-15605 CVE-2019-15606 The ppp packages contain the Point-to-Point Protocol (PPP) daemon and documentation for PPP support. The PPP protocol provides a method for transmitting datagrams over serial point-to-point links. PPP is usually used to dial in to an Internet Service Provider (ISP) or other organization over a modem and phone line. Security Fix(es): * ppp: Buffer overflow in the eap_request and eap_response functions in eap.c (CVE-2020-8597) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-8597 The International Components for Unicode (ICU) library provides robust and full-featured Unicode services. Security Fix(es): * ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-10531 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell (the Korn shell), but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and more. Security Fix(es): * zsh: insecure dropping of privileges when unsetting PRIVILEGED option (CVE-2019-20044) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-20044 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-10531 The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments. The following packages have been upgraded to a later upstream version: exiv2 (0.27.2). (BZ#1651917) Security Fix(es): * exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS (CVE-2019-20421) * exiv2: null pointer dereference in the Exiv2::DataValue::toLong function in value.cpp (CVE-2017-18005) * exiv2: Excessive memory allocation in Exiv2::Jp2Image::readMetadata function in jp2image.cpp (CVE-2018-4868) * exiv2: assertion failure in BigTiffImage::readData in bigtiffimage.cpp (CVE-2018-9303) * exiv2: divide by zero in BigTiffImage::printIFD in bigtiffimage.cpp (CVE-2018-9304) * exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9305) * exiv2: OOB read in pngimage.cpp:tEXtToDataBuf() allows for crash via crafted file (CVE-2018-10772) * exiv2: information leak via a crafted file (CVE-2018-11037) * exiv2: buffer overflow in samples/geotag.cpp (CVE-2018-14338) * exiv2: heap-based buffer overflow in Exiv2::d2Data in types.cpp (CVE-2018-17229) * exiv2: heap-based buffer overflow in Exiv2::ul2Data in types.cpp (CVE-2018-17230) * exiv2: NULL pointer dereference in Exiv2::DataValue::copy in value.cpp leading to application crash (CVE-2018-17282) * exiv2: Stack overflow in CiffDirectory::readDirectory() at crwimage_int.cpp leading to denial of service (CVE-2018-17581) * exiv2: infinite loop in Exiv2::Image::printIFDStructure function in image.cpp (CVE-2018-18915) * exiv2: heap-based buffer over-read in Exiv2::IptcParser::decode in iptc.cpp (CVE-2018-19107) * exiv2: infinite loop in Exiv2::PsdImage::readMetadata in psdimage.cpp (CVE-2018-19108) * exiv2: heap-based buffer over-read in PngChunk::readRawProfile in pngchunk_int.cpp (CVE-2018-19535) * exiv2: NULL pointer dereference in Exiv2::isoSpeed in easyaccess.cpp (CVE-2018-19607) * exiv2: Heap-based buffer over-read in Exiv2::tEXtToDataBuf function resulting in a denial of service (CVE-2018-20096) * exiv2: Segmentation fault in Exiv2::Internal::TiffParserWorker::findPrimaryGroups function (CVE-2018-20097) * exiv2: Heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20098) * exiv2: Infinite loop in Exiv2::Jp2Image::encodeJp2Header resulting in a denial of service (CVE-2018-20099) * exiv2: infinite recursion in Exiv2::Image::printTiffStructure in file image.cpp resulting in denial of service (CVE-2019-9143) * exiv2: denial of service in PngImage::readMetadata (CVE-2019-13109) * exiv2: integer overflow in WebPImage::decodeChunks leads to denial of service (CVE-2019-13111) * exiv2: uncontrolled memory allocation in PngChunk::parseChunkContent causing denial of service (CVE-2019-13112) * exiv2: invalid data location in CRW image file causing denial of service (CVE-2019-13113) * exiv2: null-pointer dereference in http.c causing denial of service (CVE-2019-13114) * exiv2: out of bounds read in IptcData::printStructure in iptc.c (CVE-2018-9306) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2017-18005 CVE-2018-10772 CVE-2018-11037 CVE-2018-14338 CVE-2018-17229 CVE-2018-17230 CVE-2018-17282 CVE-2018-17581 CVE-2018-18915 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-19607 CVE-2018-20096 CVE-2018-20097 CVE-2018-20098 CVE-2018-20099 CVE-2018-4868 CVE-2018-9303 CVE-2018-9304 CVE-2018-9305 CVE-2018-9306 CVE-2019-13109 CVE-2019-13111 CVE-2019-13112 CVE-2019-13113 CVE-2019-13114 CVE-2019-20421 CVE-2019-9143 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Security Fix(es): * wawpack: Infinite loop in WavpackPackInit function lead to DoS (CVE-2018-19840) * wawpack: Out-of-bounds read in WavpackVerifySingleBlock function leads to DoS (CVE-2018-19841) * wavpack: Use of uninitialized variable in WavpackSetConfiguration64 leads to DoS (CVE-2019-11498) * wavpack: Divide by zero in ParseDsdiffHeaderConfig leads to crash (CVE-2019-1010315) * wavpack: Use of uninitialized variable in ParseCaffHeaderConfig leads to DoS (CVE-2019-1010317) * wavpack: Use of uninitialized variable in ParseWave64HeaderConfig leads to DoS (CVE-2019-1010319) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-19840 CVE-2018-19841 CVE-2019-1010315 CVE-2019-1010317 CVE-2019-1010319 CVE-2019-11498 Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. The following packages have been upgraded to a later upstream version: python2 (2.7.17). (BZ#1759944) Security Fix(es): * python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (CVE-2018-20060) * python: Cookie domain check returns incorrect results (CVE-2018-20852) * python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236) * python-urllib3: Certification mishandle when error should be thrown (CVE-2019-11324) * python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) * python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-18074 CVE-2018-20060 CVE-2018-20852 CVE-2019-11236 CVE-2019-11324 CVE-2019-16056 CVE-2019-16935 Irssi is a modular IRC client with Perl scripting. Security Fix(es): * irssi: use after free when sending SASL login to server (CVE-2019-13045) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-13045 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php (7.2.24). (BZ#1726981) Security Fix(es): * php: Invalid memory access in function xmlrpc_decode() (CVE-2019-9020) * php: File rename across filesystems may allow unwanted access during processing (CVE-2019-9637) * php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9638) * php: Uninitialized read in exif_process_IFD_in_MAKERNOTE (CVE-2019-9639) * php: Invalid read in exif_process_SOFn() (CVE-2019-9640) * php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039) * php: Buffer over-read in exif_read_data() (CVE-2019-11040) * php: Buffer over-read in PHAR reading functions (CVE-2018-20783) * php: Heap-based buffer over-read in PHAR reading functions (CVE-2019-9021) * php: memcpy with negative length via crafted DNS response (CVE-2019-9022) * php: Heap-based buffer over-read in mbstring regular expression functions (CVE-2019-9023) * php: Out-of-bounds read in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c (CVE-2019-9024) * php: Heap buffer overflow in function exif_process_IFD_TAG() (CVE-2019-11034) * php: Heap buffer overflow in function exif_iif_add_value() (CVE-2019-11035) * php: Buffer over-read in exif_process_IFD_TAG() leading to information disclosure (CVE-2019-11036) * php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041) * php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-20783 CVE-2019-11034 CVE-2019-11035 CVE-2019-11036 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042 CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023 CVE-2019-9024 CVE-2019-9637 CVE-2019-9638 CVE-2019-9639 CVE-2019-9640 libsndfile is a C library for reading and writing files containing sampled sound, such as AIFF, AU, or WAV. Security Fix(es): * libsndfile: stack-based buffer overflow in sndfile-deinterleave utility (CVE-2018-13139) * libsndfile: buffer over-read in the function i2alaw_array in alaw.c (CVE-2018-19662) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-13139 CVE-2018-19662 The Public Key Infrastructure (PKI) Core contains fundamental packages required by AlmaLinux Certificate System. Security Fix(es): * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) * jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) * jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10672 CVE-2020-10673 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation (CVE-2019-19921) * containers/image: Container images read entire image manifest into memory (CVE-2020-1702) * podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created (CVE-2020-1726) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-19921 CVE-2020-1702 CVE-2020-1726 The zziplib is a lightweight library to easily extract data from zip files. Security Fix(es): * zziplib: directory traversal in unzzip_cat in the bins/unzzipcat-mem.c (CVE-2018-17828) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-17828 The libmspack packages contain a library providing compression and extraction of the Cabinet (CAB) file format used by Microsoft. Security Fix(es): * libmspack: buffer overflow in function chmd_read_headers() (CVE-2019-1010305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-1010305 Liblouis is an open source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tables that support a rule or dictionary based approach. Liblouis also supports math braille (Nemeth and Marburg). Security Fix(es): * liblouis: Stack-based buffer overflow in function includeFile in compileTranslationTable.c (CVE-2018-11684) * liblouis: Stack-based buffer overflow in function compileHyphenation in compileTranslationTable.c (CVE-2018-11685) * liblouis: Segmentation fault in logging.c:lou_logPrint() (CVE-2018-11577) * liblouis: Stack-based buffer overflow in compileTranslationTable.c (CVE-2018-12085) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-11577 CVE-2018-11684 CVE-2018-11685 CVE-2018-12085 GNOME is the default desktop environment of AlmaLinux. Security Fix(es): * LibRaw: stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp (CVE-2018-20337) * gdm: lock screen bypass when timed login is enabled (CVE-2019-3825) * gvfs: mishandling of file ownership in daemon/gvfsbackendadmin.c (CVE-2019-12447) * gvfs: race condition in daemon/gvfsbackendadmin.c due to admin backend not implementing query_info_on_read/write (CVE-2019-12448) * gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges (CVE-2019-12449) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2018-20337 CVE-2019-12447 CVE-2019-12448 CVE-2019-12449 CVE-2019-3825 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es): * patch: the following of symlinks in inp.c and util.c is mishandled in cases other than input files (CVE-2019-13636) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-13636 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. The Intelligent Input Bus (IBus) is an input method framework for multilingual input in Unix-like operating systems. Security Fix(es): * ibus: missing authorization allows local attacker to access the input bus of another user (CVE-2019-14822) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-14822 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * conflicting requests: failed to install container-tools:1.0 (BZ#1813776) * podman run container error with avc denied (BZ#1816541) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-10696 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-10696 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Crafted input tar file may lead to local file overwrite during image build process (CVE-2020-10696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-10696 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * squid: improper check for new member in ESIExpression::Evaluate allows for stack buffer overflow (CVE-2019-12519) * squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution (CVE-2020-11945) * squid: parsing of header Proxy-Authentication leads to memory corruption (CVE-2019-12525) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-12519 CVE-2019-12525 CVE-2020-11945 libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C. Security Fix(es): * nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-11080 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: Slirp: potential OOB access due to unsafe snprintf() usages (CVE-2020-8608) * QEMU: vnc: memory leakage upon disconnect (CVE-2019-20382) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-20382 CVE-2020-8608 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.21.0). Security Fix(es): * nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080) * nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598) * nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-11080 CVE-2020-7598 CVE-2020-8174 The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fix(es): * mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes (CVE-2019-14857) * mod_auth_openidc: Open redirect issue exists in URLs with slash and backslash (CVE-2019-20479) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Module stream mod_auth_openidc:2.3 does not have correct module.md file (BZ#1844107) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-14857 CVE-2019-20479 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-1983 CVE-2021-20188 PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. Security Fix(es): * postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692) This update introduces a backwards incompatible change required to resolve this issue. Refer to the AlmaLinux Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-13692 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es): * libvncserver: websocket decoding buffer overflow (CVE-2017-18922) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2017-18922 The lz4 packages provide support for LZ4, a very fast, lossless compression algorithm that provides compression speeds of 400 MB/s per core and scales with multicore CPUs. It also features an extremely fast decoder that reaches speeds of multiple GB/s per core and typically reaches RAM speed limits on multicore systems. Security Fix(es): * lz4: heap-based buffer overflow in LZ4_write32 (CVE-2019-17543) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-17543 libxslt is a library for transforming XML files into other textual formats (including HTML, plain text, and other XML representations of the underlying data) using the standard XSLT stylesheet transformation mechanism. Security Fix(es): * libxslt: Use-After-Free in libxslt numbers.c (CVE-2025-24855) * libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList) (CVE-2024-55549) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2024-55549 CVE-2025-24855 The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es): * libjpeg-turbo: heap-based buffer over-read in get_rgb_row() in rdppm.c (CVE-2020-13790) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-13790 The libcroco is a standalone Cascading Style Sheet level 2 (CSS2) parsing and manipulation library. Security Fix(es): * libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c (CVE-2020-12825) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-12825 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php (7.3.20). (BZ#1856655) Security Fix(es): * php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039) * php: Buffer over-read in exif_read_data() (CVE-2019-11040) * php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte (CVE-2019-11045) * php: Information disclosure in exif_read_data() (CVE-2019-11047) * php: Integer wraparounds when receiving multipart forms (CVE-2019-11048) * oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224) * oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225) * oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163) * oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203) * oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204) * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454) * php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059) * php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060) * php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062) * php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063) * php: Information disclosure in exif_read_data() function (CVE-2020-7064) * php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution (CVE-2020-7065) * php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041) * php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042) * php: Out of bounds read when parsing EXIF information (CVE-2019-11050) * oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246) * php: Information disclosure in function get_headers (CVE-2020-7066) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042 CVE-2019-11045 CVE-2019-11047 CVE-2019-11048 CVE-2019-11050 CVE-2019-13224 CVE-2019-13225 CVE-2019-16163 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246 CVE-2019-20454 CVE-2020-7059 CVE-2020-7060 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7065 CVE-2020-7066 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql (8.0.21). Security Fix(es): * mysql: Server: Security: Privileges multiple unspecified vulnerabilities (CVE-2020-14663, CVE-2020-14678, CVE-2020-14697, CVE-2020-2761, CVE-2020-2774, CVE-2020-2779, CVE-2020-2853, CVE-2020-14586, CVE-2020-14702) * mysql: Server: Security: Encryption multiple unspecified vulnerabilities (CVE-2019-2914, CVE-2019-2957) * mysql: InnoDB multiple unspecified vulnerabilities (CVE-2019-2938, CVE-2019-2963, CVE-2019-2968, CVE-2019-3018, CVE-2020-2577, CVE-2020-2589, CVE-2020-2760, CVE-2020-2762, CVE-2020-2814, CVE-2020-2893, CVE-2020-2895, CVE-2020-14568, CVE-2020-14623, CVE-2020-14633, CVE-2020-14634) * mysql: Server: PS multiple unspecified vulnerabilities (CVE-2019-2946, CVE-2020-2925) * mysql: Server: Replication multiple unspecified vulnerabilities (CVE-2019-2960, CVE-2020-2759, CVE-2020-2763, CVE-2020-14567) * mysql: Server: Optimizer multiple unspecified vulnerabilities (CVE-2019-2966, CVE-2019-2967, CVE-2019-2974, CVE-2019-2982, CVE-2019-2991, CVE-2019-2998, CVE-2020-2579, CVE-2020-2660, CVE-2020-2679, CVE-2020-2686, CVE-2020-2765, CVE-2020-2892, CVE-2020-2897, CVE-2020-2901, CVE-2020-2904, CVE-2020-2923, CVE-2020-2924, CVE-2020-2928, CVE-2020-14539, CVE-2020-14547, CVE-2020-14597, CVE-2020-14614, CVE-2020-14654, CVE-2020-14680, CVE-2020-14725) * mysql: Server: C API multiple unspecified vulnerabilities (CVE-2019-2993, CVE-2019-3011) * mysql: Server: DDL multiple unspecified vulnerabilities (CVE-2019-2997, CVE-2020-2580) * mysql: Server: Parser multiple unspecified vulnerabilities (CVE-2019-3004, CVE-2020-2627, CVE-2020-2930, CVE-2020-14619) * mysql: Server: Connection unspecified vulnerability (CVE-2019-3009) * mysql: Server: Options multiple unspecified vulnerabilities (CVE-2020-2584, CVE-2020-14632) * mysql: Server: DML multiple unspecified vulnerabilities (CVE-2020-2588, CVE-2020-2780, CVE-2020-14540, CVE-2020-14575, CVE-2020-14620) * mysql: C API multiple unspecified vulnerabilities (CVE-2020-2752, CVE-2020-2922, CVE-2020-14550, CVE-2020-2570, CVE-2020-2573, CVE-2020-2574) * mysql: Server: Logging unspecified vulnerability (CVE-2020-2770) * mysql: Server: Memcached unspecified vulnerability (CVE-2020-2804) * mysql: Server: Stored Procedure unspecified vulnerability (CVE-2020-2812) * mysql: Server: Information Schema multiple unspecified vulnerabilities (CVE-2020-2896, CVE-2020-14559, CVE-2020-2694) * mysql: Server: Charsets unspecified vulnerability (CVE-2020-2898) * mysql: Server: Connection Handling unspecified vulnerability (CVE-2020-2903) * mysql: Server: Group Replication Plugin unspecified vulnerability (CVE-2020-2921) * mysql: Server: Group Replication GCS unspecified vulnerability (CVE-2020-2926) * mysql: Server: Pluggable Auth unspecified vulnerability (CVE-2020-14553) * mysql: Server: UDF unspecified vulnerability (CVE-2020-14576) * mysql: Server: JSON unspecified vulnerability (CVE-2020-14624) * mysql: Server: Security: Audit unspecified vulnerability (CVE-2020-14631) * mysql: Server: Security: Roles multiple unspecified vulnerabilities (CVE-2020-14641, CVE-2020-14643, CVE-2020-14651) * mysql: Server: Locking unspecified vulnerability (CVE-2020-14656) * mysql: Information Schema unspecified vulnerability (CVE-2019-2911) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-2911 CVE-2019-2914 CVE-2019-2938 CVE-2019-2946 CVE-2019-2957 CVE-2019-2960 CVE-2019-2963 CVE-2019-2966 CVE-2019-2967 CVE-2019-2968 CVE-2019-2974 CVE-2019-2982 CVE-2019-2991 CVE-2019-2993 CVE-2019-2997 CVE-2019-2998 CVE-2019-3004 CVE-2019-3009 CVE-2019-3011 CVE-2019-3018 CVE-2020-14539 CVE-2020-14540 CVE-2020-14547 CVE-2020-14550 CVE-2020-14553 CVE-2020-14559 CVE-2020-14567 CVE-2020-14568 CVE-2020-14575 CVE-2020-14576 CVE-2020-14586 CVE-2020-14597 CVE-2020-14614 CVE-2020-14619 CVE-2020-14620 CVE-2020-14623 CVE-2020-14624 CVE-2020-14631 CVE-2020-14632 CVE-2020-14633 CVE-2020-14634 CVE-2020-14641 CVE-2020-14643 CVE-2020-14651 CVE-2020-14654 CVE-2020-14656 CVE-2020-14663 CVE-2020-14678 CVE-2020-14680 CVE-2020-14697 CVE-2020-14702 CVE-2020-14725 CVE-2020-14799 CVE-2020-2570 CVE-2020-2573 CVE-2020-2574 CVE-2020-2577 CVE-2020-2579 CVE-2020-2580 CVE-2020-2584 CVE-2020-2588 CVE-2020-2589 CVE-2020-2627 CVE-2020-2660 CVE-2020-2679 CVE-2020-2686 CVE-2020-2694 CVE-2020-2752 CVE-2020-2759 CVE-2020-2760 CVE-2020-2761 CVE-2020-2762 CVE-2020-2763 CVE-2020-2765 CVE-2020-2770 CVE-2020-2774 CVE-2020-2779 CVE-2020-2780 CVE-2020-2804 CVE-2020-2812 CVE-2020-2814 CVE-2020-2853 CVE-2020-2892 CVE-2020-2893 CVE-2020-2895 CVE-2020-2896 CVE-2020-2897 CVE-2020-2898 CVE-2020-2901 CVE-2020-2903 CVE-2020-2904 CVE-2020-2921 CVE-2020-2922 CVE-2020-2923 CVE-2020-2924 CVE-2020-2925 CVE-2020-2926 CVE-2020-2928 CVE-2020-2930 CVE-2021-1998 CVE-2021-2006 CVE-2021-2007 CVE-2021-2009 CVE-2021-2012 CVE-2021-2016 CVE-2021-2019 CVE-2021-2020 CVE-2021-2144 CVE-2021-2160 Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fix(es): * git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs (CVE-2024-53263) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2024-53263 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: usb: out-of-bounds r/w access issue while processing usb packets (CVE-2020-14364) * QEMU: slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-10756 CVE-2020-14364 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.18.4). Security Fix(es): * nodejs-dot-prop: prototype pollution (CVE-2020-8116) * nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201) * npm: Sensitive information exposure through logs (CVE-2020-15095) * libuv: buffer overflow in realpath (CVE-2020-8252) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * The nodejs:12/development module is not installable (BZ#1883966) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-15095 CVE-2020-8116 CVE-2020-8201 CVE-2020-8252 The gnome-software packages contain an application that makes it easy to add, remove, and update software in the GNOME desktop. The appstream-data package provides the distribution specific AppStream metadata required for the GNOME and KDE software centers. The fwupd packages provide a service that allows session software to update device firmware. The following packages have been upgraded to a later upstream version: gnome-software (3.36.1), fwupd (1.4.2). Security Fix(es): * fwupd: Possible bypass in signature verification (CVE-2020-10759) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-10759 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. Security Fix(es): * libarchive: out-of-bounds read in archive_wstring_append_from_mbs in archive_string.c (CVE-2019-19221) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-19221 The librabbitmq packages provide an Advanced Message Queuing Protocol (AMQP) client library that allows you to communicate with AMQP servers using protocol version 0-9-1. Security Fix(es): * librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow (CVE-2019-18609) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-18609 GNOME is the default desktop environment of AlmaLinux. The following packages have been upgraded to a later upstream version: gnome-remote-desktop (0.1.8), pipewire (0.3.6), vte291 (0.52.4), webkit2gtk3 (2.28.4), xdg-desktop-portal (1.6.0), xdg-desktop-portal-gtk (1.6.0). (BZ#1775345, BZ#1779691, BZ#1817143, BZ#1832347, BZ#1837406) Security Fix(es): * webkitgtk: Multiple security issues (CVE-2019-8625, CVE-2019-8710, CVE-2019-8720, CVE-2019-8743, CVE-2019-8764, CVE-2019-8766, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8823, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868, CVE-2020-3885, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, CVE-2020-9862, CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, CVE-2020-9925, CVE-2020-10018, CVE-2020-11793) * gnome-settings-daemon: AlmaLinux Customer Portal password logged and passed as command line argument when user registers through GNOME control center (CVE-2020-14391) * LibRaw: lack of thumbnail size range check can lead to buffer overflow (CVE-2020-15503) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2020-10018 CVE-2020-11793 CVE-2020-14391 CVE-2020-15503 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 CVE-2020-9952 CVE-2021-30666 CVE-2021-30761 CVE-2021-30762 The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. The following packages have been upgraded to a later upstream version: gnupg2 (2.2.20). (BZ#1663944) Security Fix(es): * GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS (CVE-2019-13050) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2018-1000858 CVE-2019-13050 The cyrus-sasl packages contain the Cyrus implementation of Simple Authentication and Security Layer (SASL). SASL is a method for adding authentication support to connection-based protocols. Security Fix(es): * cyrus-sasl: denial of service in _sasl_add_string function (CVE-2019-19906) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-19906 The pcre2 package contains a new generation of the Perl Compatible Regular Expression libraries for implementing regular expression pattern matching using the same syntax and semantics as Perl. Security Fix(es): * pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-20454 AlmaLinux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * FreeIPA: idm: Privilege escalation from host to domain admin in FreeIPA (CVE-2025-7493) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-7493 The libpcap packages provide a portable framework for low-level network monitoring. The libpcap library provides network statistics collection, security monitoring, and network debugging. The following packages have been upgraded to a later upstream version: libpcap (1.9.1). (BZ#1806422) Security Fix(es): * libpcap: Resource exhaustion during PHB header length validation (CVE-2019-15165) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-15165 FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. Security Fix(es): * frr: default permission issue eases information leaks (CVE-2020-12831) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-12831 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extended office suite. The following packages have been upgraded to a later upstream version: libreoffice (6.3.6.2), libcmis (0.5.2), liborcus (0.14.1). (BZ#1796893) Security Fix(es): * libreoffice: 'stealth mode' remote resource restrictions bypass (CVE-2020-12802) * libreoffice: forms allowed to be submitted to any URI could result in local file overwrite (CVE-2020-12803) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-12802 CVE-2020-12803 The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Security Fix(es): * libvpx: Double free in ParseContentEncodingEntry() in mkvparser.cc (CVE-2019-2126) * libvpx: Out of bounds read in vp8_norm table (CVE-2019-9232) * libvpx: Resource exhaustion after memory leak in mkvparser.cc (CVE-2019-9371) * libvpx: Use-after-free in vp8_deblock() in vp8/common/postproc.c (CVE-2019-9433) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-2126 CVE-2019-9232 CVE-2019-9371 CVE-2019-9433 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es): * libtiff: integer overflow leading to heap-based buffer overflow in tif_getimage.c (CVE-2019-17546) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-17546 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. The following packages have been upgraded to a later upstream version: python38 (3.8.3). (BZ#1847416) Security Fix(es): * PyYAML: command execution through python/object/apply constructor in FullLoader (CVE-2019-20477) * python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907) * PyYAML: arbitrary command execution through python/object/new when FullLoader is used (CVE-2020-1747) * python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS (CVE-2020-8492) * python: DoS via inefficiency in IPv{4,6}Interface classes (CVE-2020-14422) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-20477 CVE-2019-20907 CVE-2020-14422 CVE-2020-1747 CVE-2020-8492 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Security Fix(es): * poppler: divide-by-zero in function SplashOutputDev::tilingPatternFill in SplashOutputDev.cc (CVE-2019-14494) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-14494 FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The vinagre packages provide the Vinagre remote desktop viewer for the GNOME desktop. The following packages have been upgraded to a later upstream version: freerdp (2.1.1). (BZ#1834287) Security Fix(es): * freerdp: Out of bound read in cliprdr_server_receive_capabilities (CVE-2020-11018) * freerdp: Out of bound read/write in usb redirection channel (CVE-2020-11039) * freerdp: out-of-bounds read in update_read_icon_info function (CVE-2020-11042) * freerdp: out-of-bounds read in autodetect_recv_bandwidth_measure_results function (CVE-2020-11047) * freerdp: Out-of-bounds read in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c. (CVE-2020-13396) * freerdp: Out-of-bounds read in security_fips_decrypt in libfreerdp/core/security.c (CVE-2020-13397) * freerdp: Out of bound read in update_recv could result in a crash (CVE-2020-11019) * freerdp: Integer overflow in VIDEO channel (CVE-2020-11038) * freerdp: Out of bound access in clear_decompress_subcode_rlex (CVE-2020-11040) * freerdp: Unchecked read of array offset in rdpsnd_recv_wave2_pdu (CVE-2020-11041) * freerdp: out of bound read in rfx_process_message_tileset (CVE-2020-11043) * freerdp: double free in update_read_cache_bitmap_v3_order function (CVE-2020-11044) * freerdp: out of bounds read in update_read_bitmap_data function (CVE-2020-11045) * freerdp: out of bounds seek in update_read_synchronize function could lead out of bounds read (CVE-2020-11046) * freerdp: out-of-bounds read could result in aborting the session (CVE-2020-11048) * freerdp: out-of-bound read of client memory that is then passed on to the protocol parser (CVE-2020-11049) * freerdp: stream out-of-bounds seek in rdp_read_font_capability_set could lead to out-of-bounds read (CVE-2020-11058) * freerdp: out-of-bounds read in cliprdr_read_format_list function (CVE-2020-11085) * freerdp: out-of-bounds read in ntlm_read_ntlm_v2_client_challenge function (CVE-2020-11086) * freerdp: out-of-bounds read in ntlm_read_AuthenticateMessage (CVE-2020-11087) * freerdp: out-of-bounds read in ntlm_read_NegotiateMessage (CVE-2020-11088) * freerdp: out-of-bounds read in irp functions (CVE-2020-11089) * freerdp: out-of-bounds read in gdi.c (CVE-2020-11522) * freerdp: out-of-bounds read in bitmap.c (CVE-2020-11525) * freerdp: Stream pointer out of bounds in update_recv_secondary_order could lead out of bounds read later (CVE-2020-11526) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 CVE-2020-11522 CVE-2020-11525 CVE-2020-11526 CVE-2020-13396 CVE-2020-13397 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was originally developed as a back end for the Evolution information management application, but is now used by various other applications. OpenChange provides libraries to access Microsoft Exchange servers using native protocols. Security Fix(es): * evolution-data-server: Response injection via STARTTLS in SMTP and POP3 (CVE-2020-14928) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-14928 Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Security Fix(es): * python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907) * python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py (CVE-2019-20916) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-20907 CVE-2019-20916 GD is an open source code library for the dynamic creation of images by programmers. GD creates PNG, JPEG, GIF, WebP, XPM, BMP images, among other formats. Security Fix(es): * gd: Heap-based buffer overflow in gdImageColorMatch() in gd_color_match.c (CVE-2019-6977) * gd: NULL pointer dereference in gdImageClone (CVE-2018-14553) * gd: Double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c (CVE-2019-6978) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-14553 CVE-2019-6977 CVE-2019-6978 AlmaLinux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. The following packages have been upgraded to a later upstream version: ipa (4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765, BZ#1818877) Security Fix(es): * js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) * bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042) * bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676) * bootstrap: XSS in the affix configuration target property (CVE-2018-20677) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * js-jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * ipa: No password length restriction leads to denial of service (CVE-2020-1722) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2015-9251 CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-11358 CVE-2019-8331 CVE-2020-11022 CVE-2020-1722 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. The following packages have been upgraded to a later upstream version: hivex (1.3.18), libguestfs (1.40.2), libguestfs-winsupport (8.2), libvirt (6.0.0), libvirt-dbus (1.3.0), libvirt-python (6.0.0), nbdkit (1.16.2), perl-Sys-Virt (6.0.0), qemu-kvm (4.2.0), seabios (1.13.0), SLOF (20191022). (BZ#1810193, BZ#1844296) Security Fix(es): * libvirt: leak of /dev/mapper/control into QEMU guests (CVE-2020-14339) * QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890) * libvirt: Potential DoS by holding a monitor job while querying QEMU guest-agent (CVE-2019-20485) * QEMU: slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983) * libvirt: Potential denial of service via active pool without target path (CVE-2020-10703) * libvirt: leak of sensitive cookie information via dumpxml (CVE-2020-14301) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-15890 CVE-2019-20485 CVE-2020-10703 CVE-2020-14301 CVE-2020-14339 CVE-2020-1983 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana (6.7.4). (BZ#1807323) Security Fix(es): * grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624) * grafana: arbitrary file read via MySQL data source (CVE-2019-19499) * grafana: stored XSS (CVE-2020-11110) * grafana: XSS annotation popup vulnerability (CVE-2020-12052) * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245) * grafana: information disclosure through world-readable /var/lib/grafana/grafana.db (CVE-2020-12458) * grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459) * grafana: XSS via the OpenTSDB datasource (CVE-2020-13430) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-18624 CVE-2019-19499 CVE-2020-11110 CVE-2020-12052 CVE-2020-12245 CVE-2020-12458 CVE-2020-12459 CVE-2020-13430 The librsvg2 packages provide a Scalable Vector Graphics (SVG) library based on the libart library. Security Fix(es): * librsvg: Resource exhaustion via crafted SVG file with nested patterns (CVE-2019-20446) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-20446 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix(es): * subversion: remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev' (CVE-2018-11782) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-11782 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467) Security Fix(es): * squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520) * squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521) * squid: Improper input validation in URI processor (CVE-2019-12523) * squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524) * squid: Heap overflow issue in URN processing (CVE-2019-12526) * squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528) * squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529) * squid: Denial of service in cachemgr.cgi (CVE-2019-12854) * squid: Buffer overflow in URI processor (CVE-2019-18676) * squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677) * squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678) * squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679) * squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860) * squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449) * squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450) * squid: DoS in TLS handshake (CVE-2020-14058) * squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049) * squid: Improper input validation could result in a DoS (CVE-2020-24606) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 CVE-2019-12524 CVE-2019-12526 CVE-2019-12528 CVE-2019-12529 CVE-2019-12854 CVE-2019-18676 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2019-18860 CVE-2020-14058 CVE-2020-15049 CVE-2020-24606 CVE-2020-8449 CVE-2020-8450 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. The following packages have been upgraded to a later upstream version: mod_http2 (1.15.7). (BZ#1814236) Security Fix(es): * httpd: memory corruption on early pushes (CVE-2019-10081) * httpd: read-after-free in h2 connection shutdown (CVE-2019-10082) * httpd: null-pointer dereference in mod_remoteip (CVE-2019-10097) * httpd: mod_rewrite configurations vulnerable to open redirect (CVE-2020-1927) * httpd: mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189) * httpd: mod_http2: read-after-free on a string compare (CVE-2019-0196) * httpd: mod_http2: possible crash on late upgrade (CVE-2019-0197) * httpd: limited cross-site scripting in mod_proxy error page (CVE-2019-10092) * httpd: mod_rewrite potential open redirect (CVE-2019-10098) * httpd: mod_proxy_ftp use of uninitialized value (CVE-2020-1934) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-17189 CVE-2019-0196 CVE-2019-0197 CVE-2019-10081 CVE-2019-10082 CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 CVE-2020-1927 CVE-2020-1934 Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix(es): * dovecot: command followed by sufficient number of newlines leads to use-after-free (CVE-2020-10958) * dovecot: sending mail with empty quoted localpart leads to DoS (CVE-2020-10967) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-10958 CVE-2020-10967 Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Security Fix(es): * snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2017-18640 Oniguruma is a regular expressions library that supports a variety of character encodings. Security Fix(es): * oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-13225 FontForge is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript (ASCII and binary Type 1, some Type 3 and Type 0), TrueType, OpenType (Type2) and CID-keyed fonts. Security Fix(es): * fontforge: SFD_GetFontMetaData() insufficient CVE-2020-5395 backport (CVE-2020-25690) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2020-25690 Expat is a C library for parsing XML documents. The mingw-expat packages provide a port of the Expat library for MinGW. Security Fix(es): * expat: large number of colons in input makes parser consume high amount of resources, leading to DoS (CVE-2018-20843) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2018-20843 FreeType is a free, high-quality, portable font engine that can open and manage font files. FreeType loads, hints, and renders individual glyphs efficiently. Security Fix(es): * freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png (CVE-2020-15999) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-15999 The libexif packages provide a library for extracting extra information from image files. Security Fix(es): * libexif: out of bounds write due to an integer overflow in exif-entry.c (CVE-2020-0452) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-0452 The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures. Security Fix(es): * pacemaker: ACL restrictions bypass (CVE-2020-25654) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::resilientstorage CVE-2020-25654 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:12 on aarch64 (BZ#1901045) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-15366 CVE-2020-7608 CVE-2020-7774 CVE-2020-8277 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (10.3.27), galera (25.3.31). (BZ#1899082, BZ#1899086) Security Fix(es): * mariadb: Insufficient SST method name check leading to code injection in mysql-wsrep (CVE-2020-15180) * mysql: InnoDB unspecified vulnerability (CPU Oct 2019) (CVE-2019-2938) * mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2019) (CVE-2019-2974) * mysql: C API unspecified vulnerability (CPU Apr 2020) (CVE-2020-2752) * mysql: InnoDB unspecified vulnerability (CPU Apr 2020) (CVE-2020-2760) * mysql: Server: DML unspecified vulnerability (CPU Apr 2020) (CVE-2020-2780) * mysql: Server: Stored Procedure unspecified vulnerability (CPU Apr 2020) (CVE-2020-2812) * mysql: InnoDB unspecified vulnerability (CPU Apr 2020) (CVE-2020-2814) * mariadb-connector-c: Improper validation of content in a OK packet received from server (CVE-2020-13249) * mysql: Server: FTS unspecified vulnerability (CPU Oct 2020) (CVE-2020-14765) * mysql: InnoDB unspecified vulnerability (CPU Oct 2020) (CVE-2020-14776) * mysql: Server: FTS unspecified vulnerability (CPU Oct 2020) (CVE-2020-14789) * mysql: Server: Locking unspecified vulnerability (CPU Oct 2020) (CVE-2020-14812) * mysql: C API unspecified vulnerability (CPU Jan 2020) (CVE-2020-2574) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * FTBFS: -D_GLIBCXX_ASSERTIONS (BZ#1899009) * Queries with entity_id IN ('1', '2', …, '70000') run much slower in MariaDB 10.3 than on MariaDB 10.1 (BZ#1899017) * Cleanup race with wsrep_rsync_sst_tunnel may prevent full galera cluster bootstrap (BZ#1899021) * There are undeclared file conflicts in several mariadb and mysql packages (BZ#1899077) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-2938 CVE-2019-2974 CVE-2020-13249 CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812 CVE-2020-15180 CVE-2020-2574 CVE-2020-2752 CVE-2020-2760 CVE-2020-2780 CVE-2020-2812 CVE-2020-2814 CVE-2021-2022 CVE-2021-2144 CVE-2021-2194 The MariaDB Native Client library (C driver) is used to connect applications developed in C/C++ to MariaDB and MySQL databases. The following packages have been upgraded to a later upstream version: mariadb-connector-c (3.1.11). (BZ#1898993) Security Fix(es): * mysql: C API unspecified vulnerability (CPU Apr 2020) (CVE-2020-2752) * mysql: C API unspecified vulnerability (CPU Apr 2020) (CVE-2020-2922) * mariadb-connector-c: Improper validation of content in a OK packet received from server (CVE-2020-13249) * mysql: C API unspecified vulnerability (CPU Jan 2020) (CVE-2020-2574) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Code utilizing plugins can't be compiled properly (BZ#1899001) * Add "zlib-devel" requirement in "-devel" subpackage (BZ#1899005) * Replace hard-coded /usr with %{_prefix} (BZ#1899099) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-13249 CVE-2020-2574 CVE-2020-2752 CVE-2020-2922 CVE-2021-2007 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (12.5). Security Fix(es): * postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694) * postgresql: Multiple features escape "security restricted operation" sandbox (CVE-2020-25695) * postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349) * postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350) * postgresql: psql's \gset allows overwriting specially treated variables (CVE-2020-25696) * postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-14349 CVE-2020-14350 CVE-2020-1720 CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * sudo: Heap buffer overflow in argument parsing (CVE-2021-3156) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3156 Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. Security Fix(es): * subversion: Remote unauthenticated denial of service in mod_authz_svn (CVE-2020-17525) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-17525 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API (CVE-2020-14370) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-14370 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.23.1). Security Fix(es): * libuv: buffer overflow in realpath (CVE-2020-8252) * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-dot-prop: prototype pollution (CVE-2020-8116) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * npm: sensitive information exposure through logs (CVE-2020-15095) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-15095 CVE-2020-15366 CVE-2020-7608 CVE-2020-7754 CVE-2020-7774 CVE-2020-7788 CVE-2020-8116 CVE-2020-8252 CVE-2020-8265 CVE-2020-8287 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3). Security Fix(es): * nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746) * nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747) * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-3750 CVE-2019-10746 CVE-2019-10747 CVE-2020-7754 CVE-2020-7788 CVE-2020-8265 CVE-2020-8287 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.15.4). Security Fix(es): * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * yarn install crashes with nodejs:14 on aarch64 (BZ#1916465) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-15366 CVE-2020-7754 CVE-2020-7774 CVE-2020-7788 CVE-2020-8265 CVE-2020-8277 CVE-2020-8287 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free (CVE-2020-29661) * kernel: performance counters race condition use-after-free (CVE-2020-14351) * kernel: ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Final fixes + drop alpha_support flag requirement for Tigerlake (BZ#1882620) * OVS complains Invalid Argument on TCP packets going into conntrack (BZ#1892744) * BUG: using smp_processor_id() in preemptible [00000000] code: handler106/3082 (BZ#1893281) * Icelake performance - add intel_idle: Customize IceLake server support to AlmaLinux-8 (BZ#1897183) * [mlx5] IPV6 TOS rewrite flows are not getting offloaded in HW (BZ#1897688) * AlmaLinux 8.3 SAS - multipathd fails to re-establish paths during controller random reset (BZ#1900112) * AlmaLinux8.3 Beta - AlmaLinux8.3 hangs on dbginfo.sh execution, crash dump generated (mm-) (BZ#1903019) * Win10 guest automatic reboot after migration in Win10 and WSL2 on AMD hosts (BZ#1905084) * block, dm: fix IO splitting for stacked devices (BZ#1905136) * Failed to hotplug scsi-hd disks (BZ#1905214) * PCI quirk needed to prevent GPU hang (BZ#1906516) * AlmaLinux8.2 - various patches to stabilize the OPAL error log processing and the powernv dump processing (ESS) (BZ#1907301) * pmtu not working with tunnels as bridge ports and br_netfilter loaded (BZ#1907576) * [ThinkPad X13/T14/T14s AMD]: Kdump failed (BZ#1907775) * NFSv4 client improperly handles interrupted slots (BZ#1908312) * NFSv4.1 client ignores ERR_DELAY during LOCK recovery, could lead to data corruption (BZ#1908313) * [Regression] AlmaLinux8.2 - [kernel 148.el8] cpu (sys) time regression in SAP HANA 2.0 benchmark benchInsertSubSelectPerformance (BZ#1908519) * AlmaLinux8: kernel-rt: kernel BUG at kernel/sched/deadline.c:1462! (BZ#1908731) * SEV VM hang at efi_mokvar_sysfs_init+0xa9/0x19d during boot (BZ#1909243) * C6gn support requires "Ensure dirty bit is preserved across pte_wrprotect" patch (BZ#1909577) * [Lenovo 8.3 & 8.4 Bug] [Regression] No response from keyboard and mouse when boot from tboot kernel (BZ#1911555) * Kernel crash with krb5p (BZ#1912478) * [AlmaLinux8] Need additional backports for FIPS 800-90A DRBG entropy seeding source (BZ#1912872) * [Hyper-V][AlmaLinux-8] Request to included a commit that adds a timeout to vmbus_wait_for_unload (BZ#1913528) * Host becomes unresponsive during stress-ng --cyclic test rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: (BZ#1913964) * AlmaLinux8.4: Backport upstream RCU patches up to v5.6 (BZ#1915638) * Missing mm backport to fix regression introduced by another mm backport (BZ#1915814) * [Hyper-V][AlmaLinux-8]video: hyperv_fb: Fix the cache type when mapping the VRAM Edit (BZ#1917711) * ionic 0000:39:00.0 ens2: IONIC_CMD_Q_INIT (40) failed: IONIC_RC_ERROR (-5) (BZ#1918372) * [certification] mlx5_core depends on tls triggering TAINT_TECH_PREVIEW even if no ConnectX-6 card is present (BZ#1918743) * kvm-almalinux8.3 [AMD] - system crash observed while powering on virtual machine with attached VF interfaces. (BZ#1919885) Enhancement(s): * [Mellanox 8.4 FEAT] mlx5: Add messages when VF-LAG fails to start (BZ#1892344) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-14351 CVE-2020-25705 CVE-2020-29661 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-21785 The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly. Security Fix(es): * xterm: crash when processing combining characters (CVE-2021-27135) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-27135 Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. Security Fix(es): * stunnel: client certificate not correctly verified when redirect and verifyChain options are used (CVE-2021-20230) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20230 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * podman: container users permissions are not respected in privileged containers (CVE-2021-20188) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-20188 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: virtiofsd: potential privileged host device access from guest (CVE-2020-35517) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-35517 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.21.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-22883 CVE-2021-22884 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (10.24.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-22883 CVE-2021-22884 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.16.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Node.js should not be built with "--debug-nghttp2" (BZ#1932427) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-22883 CVE-2021-22884 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in AlmaLinux (CVE-2021-20295) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-20295 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466) * kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374) * kernel: Use after free via PI futex state (CVE-2021-3347) * kernel: race conditions caused by wrong locking in net/vmw_vsock/af_vsock.c (CVE-2021-26708) * kernel: out-of-bounds read in libiscsi module (CVE-2021-27364) * kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365) * Kernel: KVM: host stack overflow due to lazy update IOAPIC (CVE-2020-27152) * kernel: iscsi: unrestricted access to sessions and handles (CVE-2021-27363) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * race condition when creating child sockets from syncookies (BZ#1915529) * On System Z, a hash needs state randomized for entropy extraction (BZ#1915816) * scsi: target: core_tmr_abort_task() reporting multiple aborts for the same se_cmd->tag (BZ#1918354) * [mlx5] VF interface stats are not reflected in "ip -s link show" / "ifconfig <vf>" commands (BZ#1921060) * Win10 guest automatic reboot after migration in Win10 and WSL2 on Intel hosts (BZ#1923281) * [AlmaLinux 8.3] Repeated messages - Unable to burst-read optrom segment (BZ#1924222) * Backport bug fix RDMA/umem: Prevent small pages from being returned by ib_umem_find_best_pgsz (BZ#1924691) * [Cisco 8.3] AlmaLinux/Cent 8.2 fNIC driver needs a patch fix that addresses crash (BZ#1925186) * AlmaLinux8.3 - The kernel misdetects zCX with z/VM (BZ#1925508) * Backport 22e4663e91 ("mm/slub: fix panic in slab_alloc_node()") (BZ#1925511) * SCTP "Address already in use" when no active endpoints from AlmaLinux 8.2 onwards (BZ#1927521) * lpfc: Fix initial FLOGI failure due to BBSCN not supported (BZ#1927921) * [mm] mm, oom: remove oom_lock from oom_reaper (BZ#1929738) * Unexpected thread movement with AMD Milan compared to Rome (BZ#1929740) * rpmbuild cannot build the userspace RPMs in the kernel package when the kernel itself is not built (BZ#1929910) * [Regression] AlmaLinux8.2 - ISST-LTE:pVM:diapvmlp83:sum:memory DLPAR fails to add memory on multiple trials[mm/memory_hotplug.c:1163] (mm-) (BZ#1930168) * Configuring the system with non-RT kernel will hang the system (BZ#1930735) * Upstream Patch for Gracefully handle DMAR units with no supported address widthsx86/vt-d (BZ#1932199) * gfs2: Deadlock between gfs2_{create_inode,inode_lookup} and delete_work_func (BZ#1937109) * Failing on tsx-ctrl when the flag doesn't change anything (BZ#1939013) Enhancement(s): * RFE: Backport all Audit enhancements and fixes up to version 5.10-rc1 (BZ#1907520) * AlmaLinux8.4: Update the target driver (BZ#1918363) * [Mellanox 8.4 FEAT] mlx5: Hairpin Support in Switch Mode (BZ#1924689) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-0466 CVE-2020-27152 CVE-2020-28374 CVE-2021-26708 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-3347 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb (10.3.28), galera (25.3.32). Security Fix(es): * mariadb: writable system variables allows a database user with SUPER privilege to execute arbitrary code as the system mysql user (CVE-2021-27928) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-27928 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: Integer overflow in Intel(R) Graphics Drivers (CVE-2020-12362) * kernel: memory leak in sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c (CVE-2019-18811) * kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523) * kernel: use-after-free bug caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (CVE-2019-19528) * kernel: possible out of bounds write in kbd_keycode of keyboard.c (CVE-2020-0431) * kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114) * kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c (CVE-2020-12464) * kernel: buffer uses out of index in ext3/4 filesystem (CVE-2020-14314) * kernel: Use After Free vulnerability in cgroup BPF component (CVE-2020-14356) * kernel: NULL pointer dereference in serial8250_isa_init_ports function in drivers/tty/serial/8250/8250_core.c (CVE-2020-15437) * kernel: umask not applied on filesystem without ACL support (CVE-2020-24394) * kernel: TOCTOU mismatch in the NFS client code (CVE-2020-25212) * kernel: incomplete permission checking for access to rbd devices (CVE-2020-25284) * kernel: race condition between hugetlb sysctl handlers in mm/hugetlb.c (CVE-2020-25285) * kernel: improper input validation in ppp_cp_parse_cr function leads to memory corruption and read overflow (CVE-2020-25643) * kernel: perf_event_parse_addr_filter memory (CVE-2020-25704) * kernel: use-after-free in kernel midi subsystem (CVE-2020-27786) * kernel: child process is able to access parent mm through hfi dev file handle (CVE-2020-27835) * kernel: slab-out-of-bounds read in fbcon (CVE-2020-28974) * kernel: fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent (CVE-2020-35508) * kernel: fuse: fuse_do_getattr() calls make_bad_inode() in inappropriate situations (CVE-2020-36322) * kernel: use after free in tun_get_user of tun.c could lead to local escalation of privilege (CVE-2021-0342) * kernel: NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs in drivers/media/usb/gspca/ov519.c (CVE-2020-11608) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-18811 CVE-2019-19523 CVE-2019-19528 CVE-2020-0431 CVE-2020-11608 CVE-2020-12114 CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12464 CVE-2020-14314 CVE-2020-14356 CVE-2020-15437 CVE-2020-24394 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25643 CVE-2020-25704 CVE-2020-27786 CVE-2020-27835 CVE-2020-28974 CVE-2020-35508 CVE-2020-36322 CVE-2021-0342 CVE-2021-0605 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding (CVE-2019-25013) * glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read (CVE-2019-9169) * glibc: assertion failure in ISO-2022-JP-3 gconv module related to combining characters (CVE-2021-3326) * glibc: iconv program can hang when invoked with the -c option (CVE-2016-10228) * glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop (CVE-2020-27618) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2016-10228 CVE-2019-25013 CVE-2019-9169 CVE-2020-27618 CVE-2021-3326 GNOME is the default desktop environment of AlmaLinux. The following packages have been upgraded to a later upstream version: accountsservice (0.6.55), webkit2gtk3 (2.30.4). (BZ#1846376, BZ#1883304) Security Fix(es): * webkitgtk: type confusion may lead to arbitrary code execution (CVE-2020-9948) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-9951) * webkitgtk: out-of-bounds write may lead to code execution (CVE-2020-9983) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-13543) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-13584) * glib2: insecure permissions for files and directories (CVE-2019-13012) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-13012 CVE-2020-13543 CVE-2020-13584 CVE-2020-16125 CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2021-1817 CVE-2021-1820 CVE-2021-1825 CVE-2021-1826 CVE-2021-30661 The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (AlmaLinux), and pcmcia configuration files. Security Fix(es): * bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS or RCE (CVE-2020-27153) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-27153 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * mod_wsgi: Trusted Proxy Headers Removing Bypass (CVE-2022-2255) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2022-2255 The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures. Security Fix(es): * opensc: heap-based buffer overflow in sc_oberthur_read_file (CVE-2020-26570) * opensc: stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init (CVE-2020-26571) * opensc: stack-based buffer overflow in tcos_decipher (CVE-2020-26572) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-26570 CVE-2020-26571 CVE-2020-26572 The p11-kit packages provide a mechanism to manage PKCS#11 modules. The p11-kit-trust subpackage includes a PKCS#11 trust module that provides certificate anchors and black lists based on configuration files. The following packages have been upgraded to a later upstream version: p11-kit (0.23.22). (BZ#1887853) Security Fix(es): * p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers (CVE-2020-29361) * p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c (CVE-2020-29362) * p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c (CVE-2020-29363) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 TrouSerS is an implementation of the Trusted Computing Group's Software Stack (TSS) specification. TrouSerS enables the user to write applications that make use of the Trusted Platform Module (TPM) hardware. The following packages have been upgraded to a later upstream version: trousers (0.3.15). (BZ#1725782) Security Fix(es): * trousers: tss user still has read and write access to the /etc/tcsd.conf file if tcsd is started as root (CVE-2020-24331) * trousers: tss user can be used to create or corrupt existing files, this could lead to DoS (CVE-2020-24332) * trousers: fails to drop the root gid privilege when no longer needed (CVE-2020-24330) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-24330 CVE-2020-24331 CVE-2020-24332 The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities. Security Fix(es): * python-urllib3: CRLF injection via HTTP request method (CVE-2020-26137) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-26137 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba (4.13.3). (BZ#1878109) Security Fix(es): * samba: Netlogon elevation of privilege vulnerability (Zerologon) (CVE-2020-1472) * samba: Missing handle permissions check in SMB1/2/3 ChangeNotify (CVE-2020-14318) * samba: Unprivileged user can crash winbind (CVE-2020-14323) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-14318 CVE-2020-14323 CVE-2020-1472 The libdb packages provide the Berkeley Database, an embedded database supporting both traditional and client/server applications. Security Fix(es): * libdb: Denial of service in the Data Store component (CVE-2019-2708) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-2708 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. Security Fix(es): * wpa_supplicant: P2P group information processing vulnerability (CVE-2021-0326) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-0326 Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression. Security Fix(es): * brotli: buffer overflow when input chunk is larger than 2GiB (CVE-2020-8927) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-8927 The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments. Security Fix(es): * grub2: acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled (CVE-2020-14372) * grub2: Use-after-free in rmmod command (CVE-2020-25632) * grub2: Out-of-bounds write in grub_usb_device_initialize() (CVE-2020-25647) * grub2: Stack buffer overflow in grub_parser_split_cmdline() (CVE-2020-27749) * grub2: cutmem command allows privileged user to remove memory regions when Secure Boot is enabled (CVE-2020-27779) * grub2: Heap out-of-bounds write in short form option parser (CVE-2021-20225) * grub2: Heap out-of-bounds write due to miscalculation of space required for quoting (CVE-2021-20233) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233 Scanner Access Now Easy (SANE) is a universal scanner interface. The SANE application programming interface (API) provides standardized access to any raster image scanner hardware (for example, flatbed scanners, hand-held scanners, video and still cameras, and frame-grabbers). Security Fix(es): * sane-backends: NULL pointer dereference in sanei_epson_net_read function (CVE-2020-12867) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-12867 Evolution is a GNOME application that provides integrated email, calendar, contact management, and communications functionality. The evolution-data-server packages provide a unified back end for applications which interact with contacts, tasks and calendar information. Evolution Data Server was originally developed as a back end for the Evolution information management application, but is now used by various other applications. Security Fix(es): * evolution-data-server: NULL pointer dereference related to imapx_free_capability and imapx_connect_to_server (CVE-2020-16117) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-16117 Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix(es): * qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp (CVE-2020-17507) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-17507 The exiv2 packages provide a command line utility which can display and manipulate image metadata such as EXIF, LPTC, and JPEG comments. The following packages have been upgraded to a later upstream version: exiv2 (0.27.3). (BZ#1880984) Security Fix(es): * exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check (CVE-2019-17402) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2019-17402 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * setuptools: Path Traversal Vulnerability in setuptools PackageIndex (CVE-2025-47273) * cpython: Cpython infinite loop when parsing a tarfile (CVE-2025-8194) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-8194 CVE-2025-47273 Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL. Security Fix(es): * python: CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116) * python-urllib3: CRLF injection via HTTP request method (CVE-2020-26137) * python-lxml: mXSS due to the use of improper parser (CVE-2020-27783) * python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-26116 CVE-2020-26137 CVE-2020-27783 CVE-2021-3177 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * libvirt: double free in qemuAgentGetInterfaces() in qemu_agent.c (CVE-2020-25637) * QEMU: heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c (CVE-2020-27821) * QEMU: ide: atapi: OOB access while processing read commands (CVE-2020-29443) * QEMU: heap buffer overflow in iscsi_aio_ioctl_cb() in block/iscsi.c may lead to information disclosure (CVE-2020-11947) * QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c (CVE-2020-16092) * QEMU: infinite loop in e1000e_write_packet_to_guest() in hw/net/e1000e_core.c (CVE-2020-25707) * QEMU: assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c (CVE-2020-25723) * QEMU: e1000e: infinite loop scenario in case of null packet descriptor (CVE-2020-28916) * QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets (CVE-2020-29129, CVE-2020-29130) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-11947 CVE-2020-16092 CVE-2020-25637 CVE-2020-25707 CVE-2020-25723 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443 GUPnP is an object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. GSSDP implements resource discovery and announcement over SSDP and is part of gUPnP. The following packages have been upgraded to a later upstream version: gssdp (1.0.5), gupnp (1.0.6). (BZ#1846589, BZ#1861928) Security Fix(es): * hostapd: UPnP SUBSCRIBE misbehavior in WPS AP (CVE-2020-12695) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-12695 The spice-vdagent packages provide a SPICE agent for Linux guests. Security Fix(es): * spice-vdagent: possible file transfer DoS and information leak via active_xfers hash map (CVE-2020-25651) * spice-vdagent: UNIX domain socket peer PID retrieved via SO_PEERCRED is subject to race condition (CVE-2020-25653) * spice-vdagent: memory DoS via arbitrary entries in active_xfers hash table (CVE-2020-25650) * spice-vdagent: possibility to exhaust file descriptors in vdagentd (CVE-2020-25652) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 CVE-2020-25653 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference (CVE-2020-29652) * podman: Remote traffic to rootless containers is seen as orginating from localhost (CVE-2021-20199) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-29652 CVE-2021-20199 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Mesa provides a 3D graphics API that is compatible with Open Graphics Library (OpenGL). It also provides hardware-accelerated drivers for many popular graphics chips. The following packages have been upgraded to a later upstream version: egl-wayland (1.1.5), libdrm (2.4.103), libglvnd (1.3.2), libinput (1.16.3), libwacom (1.6), mesa (20.3.3), xorg-x11-server (1.20.10). (BZ#1878160, BZ#1886648, BZ#1887654, BZ#1887655) Security Fix(es): * xorg-x11-server: Out-of-bounds access in XkbSetNames function (CVE-2020-14345) * xorg-x11-server: Integer underflow in the X input extension protocol (CVE-2020-14346) * xorg-x11-server: Out-of-bounds access in XkbSetMap function (CVE-2020-14360) * xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability (CVE-2020-14361) * xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability (CVE-2020-14362) * libX11: Integer overflow leads to double free in locale handling (CVE-2020-14363) * xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability (CVE-2020-25712) * libX11: Heap overflow in the X input method client (CVE-2020-14344) * xorg-x11-server: Leak of uninitialized heap memory from the X server to clients in AllocatePixmap of dix/pixmap.c (CVE-2020-14347) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-14344 CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14360 CVE-2020-14361 CVE-2020-14362 CVE-2020-14363 CVE-2020-25712 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: mod_session_cookie does not respect expiry time (CVE-2018-17199) * httpd: mod_proxy_uwsgi buffer overflow (CVE-2020-11984) * httpd: mod_http2 concurrent pool usage (CVE-2020-11993) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-17199 CVE-2020-11984 CVE-2020-11993 PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es): * postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code (CVE-2026-2006) * postgresql: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code (CVE-2026-2004) * postgresql: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code (CVE-2026-2005) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2026 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2026-2004 CVE-2026-2005 CVE-2026-2006 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es): * libvncserver: uninitialized memory contents are vulnerable to Information Leak (CVE-2018-21247) * libvncserver: buffer overflow in ConnectClientToUnixSock() (CVE-2019-20839) * libvncserver: libvncserver/rfbregion.c has a NULL pointer dereference (CVE-2020-14397) * libvncserver: libvncclient/rfbproto.c does not limit TextChat size (CVE-2020-14405) * libvncserver: libvncserver/rfbserver.c has a divide by zero which could result in DoS (CVE-2020-25708) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-21247 CVE-2019-20839 CVE-2020-14397 CVE-2020-14405 CVE-2020-25708 Raptor is the RDF Parser Toolkit for Redland that provides a set of standalone RDF parsers, generating triples from RDF/XML or N-Triples. Security Fix(es): * raptor: heap-based buffer overflows due to an error in calculating the maximum nspace declarations for the XML writer (CVE-2017-18926) * raptor2: malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common (CVE-2020-25713) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2017-18926 CVE-2020-25713 AlmaLinux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-11023 FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. The following packages have been upgraded to a later upstream version: freerdp (2.2.0). (BZ#1881971) Security Fix(es): * freerdp: out of bounds read in TrioParse (CVE-2020-4030) * freerdp: out of bound reads resulting in accessing memory location outside of static array PRIMARY_DRAWING_ORDER_FIELD_BYTES (CVE-2020-11095) * freerdp: out of bounds read in PRIMARY_DRAWING_ORDER_FIELD_BYTES (CVE-2020-11097) * freerdp: out of bounds read in license_read_new_or_upgrade_license_packet (CVE-2020-11099) * freerdp: integer overflow due to missing input sanitation in rdpegfx channel (CVE-2020-15103) * freerdp: out-of-bounds read in RLEDECOMPRESS (CVE-2020-4033) * freerdp: out-of-bound read in update_read_cache_bitmap_v3_order (CVE-2020-11096) * freerdp: out-of-bound read in glyph_cache_put (CVE-2020-11098) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 CVE-2020-15103 CVE-2020-4030 CVE-2020-4033 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. The following packages have been upgraded to a later upstream version: ghostscript (9.27). (BZ#1874523) Security Fix(es): * ghostscript: use-after-free vulnerability in igc_reloc_struct_ptr() could result in DoS (CVE-2020-14373) * ghostscript: buffer overflow in lprn_is_black() in contrib/lips4/gdevlprn.c could result in a DoS (CVE-2020-16287) * ghostscript: buffer overflow in pj_common_print_page() in devices/gdevpjet.c could result in a DoS (CVE-2020-16288) * ghostscript: buffer overflow in jetp3852_print_page() in devices/gdev3852.c could result in a DoS (CVE-2020-16290) * ghostscript: buffer overflow in contrib/gdevdj9.c could result in a DoS (CVE-2020-16291) * ghostscript: buffer overflow in mj_raster_cmd() in contrib/japanese/gdevmjc.c could result in a DoS (CVE-2020-16292) * ghostscript: NULL pointer dereference in compose_group_nonknockout_nonblend_isolated_allmask_common() in base/gxblend.c could result in a DoS (CVE-2020-16293) * ghostscript: buffer overflow in epsc_print_page() in devices/gdevepsc.c could result in a DoS (CVE-2020-16294) * ghostscript: NULL pointer dereference in clj_media_size() in devices/gdevclj.c could result in a DoS (CVE-2020-16295) * ghostscript: buffer overflow in GetNumWrongData() in contrib/lips4/gdevlips.c could result in a DoS (CVE-2020-16296) * ghostscript: buffer overflow in FloydSteinbergDitheringC() in contrib/gdevbjca.c could result in a DoS (CVE-2020-16297) * ghostscript: buffer overflow in mj_color_correct() in contrib/japanese/gdevmjc.c could result in a DoS (CVE-2020-16298) * ghostscript: division by zero in bj10v_print_page() in contrib/japanese/gdev10v.c could result in a DoS (CVE-2020-16299) * ghostscript: buffer overflow in tiff12_print_page() in devices/gdevtfnx.c could result in a DoS (CVE-2020-16300) * ghostscript: buffer overflow in okiibm_print_page1() in devices/gdevokii.c could result in a DoS (CVE-2020-16301) * ghostscript: buffer overflow in jetp3852_print_page() in devices/gdev3852.c could result in a privilege escalation (CVE-2020-16302) * ghostscript: use-after-free in xps_finish_image_path() in devices/vector/gdevxps.c could result in a privilege escalation (CVE-2020-16303) * ghostscript: buffer overflow in image_render_color_thresh() in base/gxicolor.c could result in a DoS (CVE-2020-16304) * ghostscript: NULL pointer dereference in devices/gdevtsep.c could result in a DoS (CVE-2020-16306) * ghostscript: NULL pointer dereference in devices/vector/gdevtxtw.c and psi/zbfont.c could result in a DoS (CVE-2020-16307) * ghostscript: buffer overflow in p_print_image() in devices/gdevcdj.c could result in a DoS (CVE-2020-16308) * ghostscript: buffer overflow in lxm5700m_print_page() in devices/gdevlxm.c could result in a DoS (CVE-2020-16309) * ghostscript: division by zero in dot24_print_page() in devices/gdevdm24.c could result in a DoS (CVE-2020-16310) * ghostscript: buffer overflow in GetNumSameData() in contrib/lips4/gdevlips.c could result in a DoS (CVE-2020-17538) * ghostscript: buffer overflow in cif_print_page() in devices/gdevcif.c could result in a DoS (CVE-2020-16289) * ghostscript: buffer overflow in pcx_write_rle() in contrib/japanese/gdev10v.c could result in a DoS (CVE-2020-16305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-14373 CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 CVE-2020-17538 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116) * python-lxml: mXSS due to the use of improper parser (CVE-2020-27783) * python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-26116 CVE-2020-27783 CVE-2021-3177 Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. The evince packages provide a simple multi-page document viewer for Portable Document Format (PDF), PostScript (PS), Encapsulated PostScript (EPS) files, and, with additional back-ends, also the Device Independent File format (DVI) files. The following packages have been upgraded to a later upstream version: poppler (20.11.0). (BZ#1644423) Security Fix(es): * poppler: pdftohtml: access to uninitialized pointer could lead to DoS (CVE-2020-27778) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-27778 Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fix(es): * dovecot: IMAP hibernation function allows mail access (CVE-2020-24386) * dovecot: Denial of service via mail MIME parsing (CVE-2020-25275) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-24386 CVE-2020-25275 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. Security Fix(es): * spice: Client initiated renegotiation denial of service (CVE-2021-20201) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-20201 MinGW is a free and open source software development environment to create Microsoft Windows applications. The following packages have been upgraded to a later upstream version: mingw-sqlite (3.26.0.0). (BZ#1845475) Security Fix(es): * sqlite: Division by zero in whereLoopAddBtreeIndex in sqlite3.c (CVE-2019-16168) * sqlite: Integer overflow in sqlite3_str_vappendf function in printf.c (CVE-2020-13434) * sqlite: Use-after-free in fts3EvalNextRow in ext/fts3/fts3.c (CVE-2020-13630) * sqlite: Virtual table can be renamed into the name of one of its shadow tables (CVE-2020-13631) * sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query (CVE-2020-13632) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2019-16168 CVE-2020-13434 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Security Fix(es): * cmark-gfm: Exponential time to parse certain inputs could lead to DoS (CVE-2020-5238) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2020-5238 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix(es): * squid: improper input validation may allow a trusted client to perform HTTP request smuggling (CVE-2020-25097) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-25097 AlmaLinux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * slapi-nis: NULL dereference (DoS) with specially crafted Binding DN (CVE-2021-3480) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-3480 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-25215 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run (CVE-2021-3501) * kernel: nitro_enclaves stale file descriptors on failed usercopy (CVE-2021-3543) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * OVS mistakenly using local IP as tun_dst for VXLAN packets (?) (BZ#1944667) * Selinux: The task calling security_set_bools() deadlocks with itself when it later calls selinux_audit_rule_match(). (BZ#1945123) * [mlx5] tc flower mpls match options does not work (BZ#1952061) * mlx5: missing patches for ct.rel (BZ#1952062) * CT HWOL: with OVN/OVS, intermittently, load balancer hairpin TCP packets get dropped for seconds in a row (BZ#1952065) * [Lenovo 8.3 bug] Blackscreen after clicking on "Settings" icon from top-right corner. (BZ#1952900) * AlmaLinux 8.x missing uio upstream fix. (BZ#1952952) * Turbostat doesn't show any measured data on AMD Milan (BZ#1952987) * P620 no sound from front headset jack (BZ#1954545) * AlmaLinux kernel 8.2 and higher are affected by data corruption bug in raid1 arrays using bitmaps. (BZ#1955188) * [net/sched] connection failed with DNAT + SNAT by tc action ct (BZ#1956458) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3501 CVE-2021-3543 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix(es): * glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Refcounting issue causes crashes and slow workarounds (BZ#1953553) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-27219 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es): * nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name (CVE-2021-23017) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23017 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es): * nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name (CVE-2021-23017) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23017 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * runc: vulnerable to symlink exchange attack (CVE-2021-30465) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-30465 jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fix(es): * jq: jq has signed integer overflow in jv.c:jvp_array_write (CVE-2024-23337) * jq: AddressSanitizer: stack-buffer-overflow in jq_fuzz_execute (jv_string_vfmt) (CVE-2025-48060) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2024-23337 CVE-2025-48060 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.6.22) Security Fix(es): * postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) * postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-32027 CVE-2021-32028 GUPnP is an object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible. Security Fix(es): * gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services (CVE-2021-33516) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-33516 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * runc: vulnerable to symlink exchange attack (CVE-2021-30465) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-30465 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * runc: vulnerable to symlink exchange attack (CVE-2021-30465) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-30465 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (12.7) Security Fix(es): * postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) * postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028) * postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING (CVE-2021-32029) * postgresql: Partition constraint violation errors leak values of denied columns (CVE-2021-3393) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 CVE-2021-3393 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (13.3). Security Fix(es): * postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) * postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028) * postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING (CVE-2021-32029) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 The libxml2 library is a development toolbox providing the implementation of various XML standards. Security Fix(es): * libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c (CVE-2021-3516) * libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c (CVE-2021-3517) * libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c (CVE-2021-3518) * libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode (CVE-2021-3537) * libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms (CVE-2021-3541) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3537 CVE-2021-3541 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan (CVE-2021-33034) * kernel: security bypass in certs/blacklist.c and certs/system_keyring.c (CVE-2020-26541) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * [ESXi][AlmaLinux-8] VMXNET3 v4 causes invalid checksums of inner packets of VXLAN tunnel (BZ#1960702) * fnic crash from invalid request pointer (BZ#1961705) * GFS2: Failed FS thaw call makes the entire snapshot failed. (BZ#1961849) * dm writecache: fix performance degradation in ssd mode (BZ#1962241) * Kernel BUG with act_ct and IP fragments (BZ#1963940) * core: backports from upstream (BZ#1963952) * Hibernate resume on AlmaLinux fails in Amazon EC2 C5.18xlarge instance (BZ#1964930) * [SanityOnly] panic caused by i40e_msix_clean_rings (BZ#1964962) * tc reclassification limit is too low for OVN (BZ#1965148) * tc action ct nat src addr does not work while used with ct nat dst addr together (BZ#1965150) * CNB: Rebase/update TC subsystem for AlmaLinux 8.5 (BZ#1965457) * sctp: crash due to use after free of sctp_transport structure (BZ#1965632) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-26541 CVE-2021-33034 The lz4 packages provide support for LZ4, a very fast, lossless compression algorithm that provides compression speeds of 400 MB/s per core and scales with multicore CPUs. It also features an extremely fast decoder that reaches speeds of multiple GB/s per core and typically reaches RAM speed limits on multicore systems. Security Fix(es): * lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3520 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * PyYAML: incomplete fix for CVE-2020-1747 (CVE-2020-14343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-14343 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby (2.7.3). (BZ#1951999) Security Fix(es): * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Resolv::DNS: ruby:2.7/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [almalinux-8] (BZ#1952000) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-25613 CVE-2021-28965 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby (2.5.9). (BZ#1952626) Security Fix(es): * ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845) * ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201) * ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255) * rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663) * ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933) * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) * ruby: HTTP response splitting in WEBrick (CVE-2019-16254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 CVE-2021-28965 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby (2.6.7). (BZ#1952627) Security Fix(es): * rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881) * ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845) * ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201) * ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255) * rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663) * ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933) * ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613) * ruby: XML round-trip vulnerability in REXML (CVE-2021-28965) * ruby: HTTP response splitting in WEBrick (CVE-2019-16254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Resolv::DNS: ruby:2.6/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [almalinux-8] (BZ#1954968) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-3881 CVE-2020-10663 CVE-2020-10933 CVE-2020-25613 CVE-2021-28965 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: size_t-to-int conversion vulnerability in the filesystem layer (CVE-2021-33909) * kernel: race condition for removal of the HCI controller (CVE-2021-32399) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * pinctrl_emmitsburg: improper configuration (BZ#1963984) * [Ampere] locking/qrwlock: Fix ordering in queued_write_lock_slowpath (BZ#1964419) * AlmaLinux8.4 - [P10] [NPIV Multi queue Test kernel- 4.18.0-283.el8.ibmvfc_11022021.ppc64le] DLPAR operation fails for ibmvfc on Denali (ibmvfc/dlpar/AlmaLinux8.4) (BZ#1964697) * Every server is displaying the same power levels for all of our i40e 25G interfaces. 10G interfaces seem to be correct. Ethtool version is 5.0 (BZ#1967099) * backport fixes for Connection Tracking offload (BZ#1968679) * fm10k: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969910) * ixgbevf: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969911) * ena: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969913) * b44, bnx2, bnx2x, bnxt, tg3: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969914) * e1000, e1000e: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969915) * ice: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969917) * igb: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969919) * igbvf: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969920) * igc: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969921) * ixgbe: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969922) * i40e: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969923) * iavf: removal of MODULE_VERSION deemed improper for y-stream release (BZ#1969925) * Backport netlink extack tracepoint (BZ#1972938) * [AlmaLinux8.4] kernel panic when create NPIV port on qedf driver (BZ#1974968) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-32399 CVE-2021-33909 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066) (CVE-2021-2388) * OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341) * OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-2341 CVE-2021-2369 CVE-2021-2388 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es): * OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066) (CVE-2021-2388) * OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341) * OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-2341 CVE-2021-2369 CVE-2021-2388 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix(es): * rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327) * rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799) * ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810) * ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-36327 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * podman: podman missing TLS verification (CVE-2025-6032) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-6032 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: race condition in net/can/bcm.c leads to local privilege escalation (CVE-2021-3609) * kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks (CVE-2021-22543) * kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Urgent: Missing dptf_power.ko module in AlmaLinux8 (BZ#1968381) * [mlx5] kdump over NFS fails: mlx5 driver gives error "Stop room 95 is bigger than the SQ size 64" (BZ#1969909) * BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 in bluetooth hci_error_reset on intel-tigerlake-h01 (BZ#1972564) * Update CIFS to kernel 5.10 (BZ#1973637) * Backport "tick/nohz: Conditionally restart tick on idle exit" to AlmaLinux 8.5 (BZ#1978710) * Significant performance drop starting on kernel-4.18.0-277 visible on mmap benchmark (BZ#1980314) * Inaccessible NFS server overloads clients (native_queued_spin_lock_slowpath connotation?) (BZ#1980613) * [AlmaLinux8.4 BUG],RialtoMLK, I915 graphic driver failed to boot with one new 120HZ panel (BZ#1981250) * act_ct: subject to DNAT tuple collision (BZ#1982494) Enhancement(s): * [Lenovo 8.5 FEAT] drivers/nvme - Update to the latest upstream (BZ#1965415) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-22543 CVE-2021-22555 CVE-2021-3609 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix(es): * glib: integer overflow in g_byte_array_new_take function when called with a buffer of 4GB or more on a 64-bit platform (CVE-2021-27218) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-27218 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (CVE-2024-53104) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2024-53104 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: msix: OOB access during mmio operations may lead to DoS (CVE-2020-13754) * hivex: Buffer overflow when provided invalid node key length (CVE-2021-3504) * QEMU: net: an assert failure via eth_get_gso_type (CVE-2020-27617) * QEMU: net: infinite loop in loopback mode may lead to stack overflow (CVE-2021-3416) * qemu: out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * cannot restart default network and firewalld: iptables: No chain/target/match by that name. (BZ#1958301) * AlmaLinux8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) (BZ#1975679) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-13754 CVE-2020-27617 CVE-2021-20221 CVE-2021-3416 CVE-2021-3504 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.17.3). (BZ#1978203) Security Fix(es): * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290) * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-22918 CVE-2021-23362 CVE-2021-27290 libuv is a multi-platform support library with a focus on asynchronous I/O. Security Fix(es): * libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-22918 The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources. Security Fix(es): * sssd: shell command injection in sssctl (CVE-2021-3621) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3621 Exiv2 is a C++ library to access image metadata, supporting read and write access to the Exif, IPTC and XMP metadata, Exif MakerNote support, extract and delete methods for Exif thumbnails, classes to access Ifd, and support for various image formats. Security Fix(es): * exiv2: Heap-based buffer overflow vulnerability in jp2image.cpp (CVE-2021-31291) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-31291 libsndfile is a C library for reading and writing files containing sampled sound, such as AIFF, AU, or WAV. Security Fix(es): * libsndfile: Heap buffer overflow via crafted WAV file allows arbitrary code execution (CVE-2021-3246) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-3246 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: powerpc: KVM guest OS users can cause host OS memory corruption (CVE-2021-37576) * kernel: slab-out-of-bounds access in xdr_set_page_base() in net/sunrpc/xdr.c (CVE-2021-38201) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Update Broadcom Emulex lpfc driver for AlmaLinux8.5 with bug fixes (BZ#1948608) * cyclictest shows >50us latency when guest enters idle (RT guest with 18 RT vCPUs) (BZ#1981336) * xfrm: backports from upstream (BZ#1981840) * A task is stuck waiting for the completion of the vmci_resouce releasing upon the balloon reset. (BZ#1982042) * [mlx5] backport driver bits of net: zero-initialize tc skb extension on allocation (BZ#1982220) * Kernel cannot kill a process doing compaction for hugepage allocation (BZ#1984085) * AlmaLinux8.4 Nightly[0108] - [P10] [Regression] Kdump failed on AlmaLinux8.4 on SAN disk via flavafish adapter (qla2xxx/HPT/Radix) (BZ#1986156) * [AlmaLinux8.5] scheduler updates and fixes (BZ#1987296) * AlmaLinux 8.3 using FCOE via a FastLinQ QL45000 card will not manually scan in LUN from Target_id's over 8 (BZ#1989097) * fixes for oopses in security mitigation runtime code patching (BZ#1989174) * act mirred doesn't scrub packets when sending them to ingress (BZ#1992226) * HPE: Cannot install 8.4 using the DVD presented to the iLO (BZ#1993894) * NFS client hangs on share listing when server side readdir verifiers are implemented (BZ#1993895) * SNO: The load is extremely high (~870) when pao is added and a profile is applied. (BZ#1994879) * timeout value of conntrack entry with TCP ESTABLISHED status is too short (BZ#1995554) * Increase the default value for flowtable offload timeouts (BZ#1995555) * ice/iavf driver stop responding (BZ#1997534) * [FJ8.4 Bug]: [REG] Some files in /proc/sys/user show wrong data (BZ#1998002) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-37576 CVE-2021-38201 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: SVM nested virtualization issue in KVM (AVIC support) (CVE-2021-3653) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * AlmaLinux8.4 Nightly[0308] - HST:STC950:Fleetwood: LPAR crashed during LPM: BUG at lib/locks.c:34! (using ibmvfc) (BZ#1969792) * AlmaLinux8.2 - s390/vtime: fix increased steal time accounting (BZ#1988386) * [FJ8.4 Bug]: Installation of AlmaLinux8.4 hang up on a Tatlow platform while loading intel_lpss_pci module. (BZ#1989560) * kernel panic in drm_fb_helper_dirty_work() caused by a race condition qxl driver (BZ#1992839) * [AlmaLinux8.4] TIOCGSERIAL ioctl fails on serial device (BZ#1993872) * AlmaLinux8.4 Nightly[0208] - kernel panic when executing test case for persistent device configuration (using DASD) (BZ#1995206) * Killing ceph daemon leaving an unhealthy ocs/ocp cluster (worker node/s NotReady) (BZ#1995862) * ceph: potential data corruption in cephfs write_begin codepath (BZ#1996680) * libceph: allow addrvecs with a single NONE/blank address (BZ#1996682) * [iavf] traffic stops after host sets vf trust on (BZ#1997536) * [ice][iavf] hit some call trace and system panic when create-remove-vfs in loop (BZ#1997538) * Missing backport of IMA boot aggregate calculation in almalinux 8.4 kernel (BZ#1997766) * XArray tests broken for single processor (BZ#1997997) * [AlmaLinux-8.4] mlock() end up returning -EINVAL instead of -ENOMEM in rewriting the upper address bits. (BZ#1997998) * Kernel panic at n_tty_set_termios+0x30 (BZ#1997999) * [ice]BUG: scheduling while atomic: ifenslave/270215/0x00000200 (BZ#2000129) * [ice]port lost connectivity after removing from bonding (BZ#2000130) Enhancement(s): * [Mellanox 8.5 FEAT] mlx5: drivers update upto Linux v5.12 (BZ#1983681) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3653 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. The following packages have been upgraded to a later upstream version: nss (3.67.0), nspr (4.32.0). (BZ#1967980) Security Fix(es): * nss: TLS 1.3 CCS flood remote DoS Attack (CVE-2020-25648) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * 8025 error code when creating subCAs (BZ#1977412) * NSS cannot use SQL databases created by specific versions of NSS (BZ#1978443) * Inconsistent handling of malformed CertificateRequest messages (BZ#1980050) Enhancement(s): * [IBM 8.5 FEAT] [P10] POWER10 performance enhancements for cryptography: NSS FreeBL (BZ#1978257) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-25648 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql (8.0.26). (BZ#1996693) Security Fix(es): * mysql: Server: Stored Procedure multiple vulnerabilities (CVE-2020-14672, CVE-2021-2046, CVE-2021-2072, CVE-2021-2081, CVE-2021-2215, CVE-2021-2217, CVE-2021-2293, CVE-2021-2304, CVE-2021-2424) * mysql: Server: FTS multiple vulnerabilities (CVE-2020-14765, CVE-2020-14789, CVE-2020-14804) * mysql: Server: Optimizer multiple vulnerabilities (CVE-2020-14769, CVE-2020-14773, CVE-2020-14777, CVE-2020-14785, CVE-2020-14793, CVE-2020-14794, CVE-2020-14809, CVE-2020-14830, CVE-2020-14836, CVE-2020-14837, CVE-2020-14839, CVE-2020-14845, CVE-2020-14846, CVE-2020-14861, CVE-2020-14866, CVE-2020-14868, CVE-2020-14888, CVE-2020-14891, CVE-2020-14893, CVE-2021-2001, CVE-2021-2021, CVE-2021-2024, CVE-2021-2030, CVE-2021-2031, CVE-2021-2036, CVE-2021-2055, CVE-2021-2060, CVE-2021-2065, CVE-2021-2070, CVE-2021-2076, CVE-2021-2164, CVE-2021-2169, CVE-2021-2170, CVE-2021-2193, CVE-2021-2203, CVE-2021-2212, CVE-2021-2213, CVE-2021-2230, CVE-2021-2278, CVE-2021-2298, CVE-2021-2299, CVE-2021-2342, CVE-2021-2357, CVE-2021-2367, CVE-2021-2383, CVE-2021-2384, CVE-2021-2387, CVE-2021-2410, CVE-2021-2412, CVE-2021-2418, CVE-2021-2425, CVE-2021-2426, CVE-2021-2427, CVE-2021-2437, CVE-2021-2441, CVE-2021-2444) * mysql: InnoDB multiple vulnerabilities (CVE-2020-14775, CVE-2020-14776, CVE-2020-14821, CVE-2020-14829, CVE-2020-14848, CVE-2021-2022, CVE-2021-2028, CVE-2021-2048, CVE-2021-2174, CVE-2021-2180, CVE-2021-2194, CVE-2021-2372, CVE-2021-2374, CVE-2021-2389, CVE-2021-2390, CVE-2021-2429, CVE-2020-14791, CVE-2021-2042) * mysql: Server: PS multiple vulnerabilities (CVE-2020-14786, CVE-2020-14790, CVE-2020-14844, CVE-2021-2422) * mysql: Server: Security multiple vulnerabilities (CVE-2020-14800, CVE-2020-14838, CVE-2020-14860) * mysql: Server: Locking multiple vulnerabilities (CVE-2020-14812, CVE-2021-2058, CVE-2021-2402) * mysql: Server: DML multiple vulnerabilities (CVE-2020-14814, CVE-2020-14828, CVE-2021-2056, CVE-2021-2087, CVE-2021-2088, CVE-2021-2166, CVE-2021-2172, CVE-2021-2196, CVE-2021-2300, CVE-2021-2305, CVE-2021-2370, CVE-2021-2440) * mysql: Server: Charsets unspecified vulnerability (CVE-2020-14852) * mysql: Server: DDL multiple vulnerabilities (CVE-2020-14867, CVE-2021-2061, CVE-2021-2122, CVE-2021-2339, CVE-2021-2352, CVE-2021-2399) * mysql: Server: X Plugin unspecified vulnerability (CVE-2020-14870) * mysql: Server: Logging unspecified vulnerability (CVE-2020-14873) * mysql: Server: Replication multiple vulnerabilities (CVE-2021-2002, CVE-2021-2171, CVE-2021-2178, CVE-2021-2202, CVE-2021-2356, CVE-2021-2385) * mysql: C API multiple vulnerabilities (CVE-2021-2010, CVE-2021-2011) * mysql: Server: Components Services unspecified vulnerability (CVE-2021-2038) * mysql: Server: Options unspecified vulnerability (CVE-2021-2146) * mysql: Server: Group Replication Plugin multiple vulnerabilities (CVE-2021-2179, CVE-2021-2232) * mysql: Server: Partition multiple vulnerabilities (CVE-2021-2201, CVE-2021-2208) * mysql: Server: Information Schema multiple vulnerabilities (CVE-2021-2032, CVE-2021-2226, CVE-2021-2301, CVE-2021-2308) * mysql: Server: Packaging unspecified vulnerability (CVE-2021-2307) * mysql: Server: Federated unspecified vulnerability (CVE-2021-2354) * mysql: Server: GIS unspecified vulnerability (CVE-2021-2417) * mysql: Server: Memcached unspecified vulnerability (CVE-2021-2340) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Segfault and possible DoS with a crafted query (BZ#1996699) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-14672 CVE-2020-14765 CVE-2020-14769 CVE-2020-14773 CVE-2020-14775 CVE-2020-14776 CVE-2020-14777 CVE-2020-14785 CVE-2020-14786 CVE-2020-14789 CVE-2020-14790 CVE-2020-14791 CVE-2020-14793 CVE-2020-14794 CVE-2020-14800 CVE-2020-14804 CVE-2020-14809 CVE-2020-14812 CVE-2020-14814 CVE-2020-14821 CVE-2020-14828 CVE-2020-14829 CVE-2020-14830 CVE-2020-14836 CVE-2020-14837 CVE-2020-14838 CVE-2020-14839 CVE-2020-14844 CVE-2020-14845 CVE-2020-14846 CVE-2020-14848 CVE-2020-14852 CVE-2020-14860 CVE-2020-14861 CVE-2020-14866 CVE-2020-14867 CVE-2020-14868 CVE-2020-14870 CVE-2020-14873 CVE-2020-14888 CVE-2020-14891 CVE-2020-14893 CVE-2021-2001 CVE-2021-2002 CVE-2021-2010 CVE-2021-2011 CVE-2021-2021 CVE-2021-2022 CVE-2021-2024 CVE-2021-2028 CVE-2021-2030 CVE-2021-2031 CVE-2021-2032 CVE-2021-2036 CVE-2021-2038 CVE-2021-2042 CVE-2021-2046 CVE-2021-2048 CVE-2021-2055 CVE-2021-2056 CVE-2021-2058 CVE-2021-2060 CVE-2021-2061 CVE-2021-2065 CVE-2021-2070 CVE-2021-2072 CVE-2021-2076 CVE-2021-2081 CVE-2021-2087 CVE-2021-2088 CVE-2021-2122 CVE-2021-2146 CVE-2021-2164 CVE-2021-2166 CVE-2021-2169 CVE-2021-2170 CVE-2021-2171 CVE-2021-2172 CVE-2021-2174 CVE-2021-2178 CVE-2021-2179 CVE-2021-2180 CVE-2021-2193 CVE-2021-2194 CVE-2021-2196 CVE-2021-2201 CVE-2021-2202 CVE-2021-2203 CVE-2021-2208 CVE-2021-2212 CVE-2021-2213 CVE-2021-2215 CVE-2021-2217 CVE-2021-2226 CVE-2021-2230 CVE-2021-2232 CVE-2021-2278 CVE-2021-2293 CVE-2021-2298 CVE-2021-2299 CVE-2021-2300 CVE-2021-2301 CVE-2021-2304 CVE-2021-2305 CVE-2021-2307 CVE-2021-2308 CVE-2021-2339 CVE-2021-2340 CVE-2021-2342 CVE-2021-2352 CVE-2021-2354 CVE-2021-2356 CVE-2021-2357 CVE-2021-2367 CVE-2021-2370 CVE-2021-2372 CVE-2021-2374 CVE-2021-2383 CVE-2021-2384 CVE-2021-2385 CVE-2021-2387 CVE-2021-2389 CVE-2021-2390 CVE-2021-2399 CVE-2021-2402 CVE-2021-2410 CVE-2021-2412 CVE-2021-2417 CVE-2021-2418 CVE-2021-2422 CVE-2021-2424 CVE-2021-2425 CVE-2021-2426 CVE-2021-2427 CVE-2021-2429 CVE-2021-2437 CVE-2021-2440 CVE-2021-2441 CVE-2021-2444 CVE-2021-35537 CVE-2021-35629 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930) * nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940) * c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672) * nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931) * nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803) * nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804) * nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * nodejs:12/nodejs: Make FIPS options always available (BZ#1993927) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-22930 CVE-2021-22931 CVE-2021-22939 CVE-2021-22940 CVE-2021-23343 CVE-2021-32803 CVE-2021-32804 CVE-2021-3672 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438) * httpd: mod_session: Heap overflow via a crafted SessionHeader value (CVE-2021-26691) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-26691 CVE-2021-40438 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.208 and .NET Runtime 5.0.11. Security Fix(es): * dotnet: System.DirectoryServices.Protocols.LdapConnection sends credentials in plaintext if TLS handshake fails (CVE-2021-41355) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-41355 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550) * OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556) * OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559) * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564) * OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586) * OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550) * OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556) * OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559) * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564) * OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586) * OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588) * OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Previously, OpenJDK's FIPS mode would be enabled if it detected that the system crypto policy was set to FIPS. This meant that containers running on a FIPS mode kernel would not enable FIPS mode without the crypto policy being changed. With this update, OpenJDK queries the NSS library as to whether FIPS mode is active or not. (RHBZ#2014201) * The use of the NSS FIPS mode by OpenJDK requires the JDK to login to the NSS software token. Previously, this happened indirectly as part of some crypto operations, but not others. With this update, the JDK logs in to the token on initialisation. (RHBZ#2014204) * While in FIPS mode, the NSS Software Token does not allow the import of private or secret plain keys. This caused the OpenJDK keytool application to fail when used with OpenJDK in FIPS mode. With this update, OpenJDK will now import such keys into the NSS database. This behaviour may be disabled using -Dcom.AlmaLinux.fips.plainKeySupport=false. (RHBZ#2014193) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603 Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Security Fix(es): * redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) * redis: Integer overflow issue with Streams (CVE-2021-32627) * redis: Integer overflow bug in the ziplist data structure (CVE-2021-32628) * redis: Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675) * redis: Integer overflow issue with intsets (CVE-2021-32687) * redis: Integer overflow issue with strings (CVE-2021-41099) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-32626 CVE-2021-32627 CVE-2021-32628 CVE-2021-32675 CVE-2021-32687 CVE-2021-41099 Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Security Fix(es): * redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) * redis: Integer overflow issue with Streams (CVE-2021-32627) * redis: Integer overflow bug in the ziplist data structure (CVE-2021-32628) * redis: Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675) * redis: Integer overflow issue with intsets (CVE-2021-32687) * redis: Integer overflow issue with strings (CVE-2021-41099) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-32626 CVE-2021-32627 CVE-2021-32628 CVE-2021-32675 CVE-2021-32687 CVE-2021-41099 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728) * golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726) * crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2026 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-61726 CVE-2025-61728 CVE-2025-68121 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix(es): * flatpak: Sandbox bypass via recent VFS-manipulating syscalls (CVE-2021-41133) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-41133 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free (CVE-2020-36385) * kernel: out-of-bounds write due to a heap buffer overflow in __hidinput_change_resolution_multipliers() of hid-input.c (CVE-2021-0512) * kernel: SVM nested virtualization issue in KVM (VMLOAD/VMSAVE) (CVE-2021-3656) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * [HPE 8.3 bug] No EDAC MC0 message with one-DIMM two-processor configuration under AlmaLinux8.3 (BZ#1982182) * mlx: devlink port function shows all zero hw_addr (BZ#1986837) * net/sched: act_mirred: allow saving the last chain processed on xmit path (BZ#1992230) * AlmaLinux8.3 - System hang and / or r/o fs during SVC/v5k/v7k maintenance with ibmvfc (BZ#1993892) * AlmaLinux8.1 Snapshot3 - PVT:940:virt:4TB:LPM operation failed by returning HSCLA2CF, HSCL365C SRC's - Linux partition suspend timeout (-> documentation/Linux Alert through LTC bug 182549) (BZ#1993952) * AlmaLinux8.4 - benchTableRepDMLAsyncBarrier regresses by 34% on AlmaLinux8.4 on POWER9 compared to AlmaLinux8.2 (performance) (BZ#1997431) * [panic] call trace: ice_probe+0x238/0x10f0 [ice] (BZ#1997539) * [ice, PTP] ice: fix GPIO 1PPS signal (BZ#1997572) * Fix locality handling in the tpm_tis driver (BZ#1998219) * [ice, PTP]: fix Tx queue iteration for Tx timestamp enablement (BZ#2000128) * PCI passthrough with NVidia GPU "Invalid device 0003:01:00.0 iommu_group file /sys/bus/pci/devices/0003:01:00.0/iommu_group is not a symlink" (BZ#2000602) * [DELL 8.4 BUG] - System Hangs at Dell Logo When Boot to OS(e1000e with wrong GbE checksum) (BZ#2002335) * AlmaLinux8.4 - kernel: Fix hanging ioctl caused by wrong msg counter (BZ#2002635) * kernel: get_timespec64 does not ignore padding in compat syscalls (BZ#2003569) * [mlx5] eth0: hw csum failure (BZ#2005980) * xlog_grant_head_wait() does not return and system hangs (BZ#2007413) * panic while breaking a lease/delegation after user mode helper invocation (BZ#2010331) * Lockd invalid cast to nlm_lockowner (BZ#2010820) * [xfstests generic/388] XFS: Assertion failed: 0, file: fs/xfs/xfs_mount.c, line: 1218 (BZ#2011919) Enhancement(s): * [Intel 8.5 FEAT] ice: Enable PTP Support (BZ#1998220) * [Intel 8.5 FEAT] ice: Enable GPIO/SDP Support (BZ#1998221) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-36385 CVE-2021-0512 CVE-2021-3656 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token (CVE-2021-20254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20254 The libsolv packages provide a library for resolving package dependencies using a satisfiability algorithm. Security Fix(es): * libsolv: heap-based buffer overflow in pool_installable() in src/repo.h (CVE-2021-33928) * libsolv: heap-based buffer overflow in pool_disabled_solvable() in src/repo.h (CVE-2021-33929) * libsolv: heap-based buffer overflow in pool_installable_whatprovides() in src/repo.h (CVE-2021-33930) * libsolv: heap-based buffer overflow in prune_to_recommended() in src/policy.c (CVE-2021-33938) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.3.0 ESR. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38507) * Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing (CVE-2021-38508) * Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain (CVE-2021-38509) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43534 CVE-2021-43535 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Security Fix(es): * Mozilla: Use-after-free in HTTP2 Session object * Mozilla: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3 * Mozilla: iframe sandbox rules did not apply to XSLT stylesheets (CVE-2021-38503) * Mozilla: Use-after-free in file picker dialog (CVE-2021-38504) * Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning (CVE-2021-38506) * Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports (CVE-2021-38507) * Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing (CVE-2021-38508) * Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain (CVE-2021-38509) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix(es): * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567) * OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556) * OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559) * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564) * OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586) * OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603 The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment. Security Fix(es): * python-pygments: Infinite loop in SML lexer may lead to DoS (CVE-2021-20270) * python-pygments: ReDoS in multiple lexers (CVE-2021-27291) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::resilientstorage CVE-2021-20270 CVE-2021-27291 The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. The following packages have been upgraded to a later upstream version: pcs (0.10.10). (BZ#1935594) Security Fix(es): * jquery: Cross-site scripting (XSS) via <script> HTML tags containing whitespaces (CVE-2020-7656) * jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::resilientstorage CVE-2020-11023 CVE-2020-7656 The python-pillow packages contain a Python image processing library that provides extensive file format support, an efficient internal representation, and powerful image-processing capabilities. Security Fix(es): * python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25287) * python-pillow: Out-of-bounds read in J2K image reader (CVE-2021-25288) * python-pillow: Negative-offset memcpy in TIFF image reader (CVE-2021-25290) * python-pillow: Regular expression DoS in PDF format parser (CVE-2021-25292) * python-pillow: Out-of-bounds read in SGI RLE image reader (CVE-2021-25293) * python-pillow: Excessive memory allocation in BLP image reader (CVE-2021-27921) * python-pillow: Excessive memory allocation in ICNS image reader (CVE-2021-27922) * python-pillow: Excessive memory allocation in ICO image reader (CVE-2021-27923) * python-pillow: Excessive memory allocation in PSD image reader (CVE-2021-28675) * python-pillow: Infinite loop in FLI image reader (CVE-2021-28676) * python-pillow: Excessive CPU use in EPS image reader (CVE-2021-28677) * python-pillow: Excessive looping in BLP image reader (CVE-2021-28678) * python-pillow: Buffer overflow in image convert function (CVE-2021-34552) * python-pillow: Buffer over-read in PCX image reader (CVE-2020-35653) * python-pillow: Buffer over-read in SGI RLE image reader (CVE-2020-35655) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-35653 CVE-2020-35655 CVE-2021-25287 CVE-2021-25288 CVE-2021-25290 CVE-2021-25292 CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 CVE-2021-34552 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python-pygments: Infinite loop in SML lexer may lead to DoS (CVE-2021-20270) * python-pygments: ReDoS in multiple lexers (CVE-2021-27291) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-20270 CVE-2021-27291 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619) * python-jinja2: ReDoS vulnerability in the urlize filter (CVE-2020-28493) * python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code (CVE-2021-20095, CVE-2021-42771) * python-pygments: Infinite loop in SML lexer may lead to DoS (CVE-2021-20270) * python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters (CVE-2021-23336) * python-pygments: ReDoS in multiple lexers (CVE-2021-27291) * python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-27619 CVE-2020-28493 CVE-2021-20095 CVE-2021-20270 CVE-2021-23336 CVE-2021-27291 CVE-2021-28957 CVE-2021-42771 The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. Security Fix(es): * dnsmasq: fixed outgoing port used when --server is used with an interface name (CVE-2021-3448) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-3448 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Host environment variables leaked in build container when using chroot isolation (CVE-2021-3602) * containers/storage: DoS via malicious image (CVE-2021-20291) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-20291 CVE-2021-3602 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The following packages have been upgraded to a later upstream version: golang (1.16.7). (BZ#1938071) Security Fix(es): * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-33195 CVE-2021-33197 CVE-2021-33198 CVE-2021-36221 lxml is an XML processing library providing access to libxml2 and libxslt libraries using the Python ElementTree API. Security Fix(es): * python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-28957 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information disclosure via pydoc (CVE-2021-3426) * python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733) * python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957) * python-ipaddress: Improper input validation of octal strings (CVE-2021-29921) * python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503) * python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572) * python: urllib: HTTP client possible infinite loop on a 100 Continue response (CVE-2021-3737) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-28957 CVE-2021-29921 CVE-2021-33503 CVE-2021-3426 CVE-2021-3572 CVE-2021-3733 CVE-2021-3737 The python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment. Security Fix(es): * python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-28493 Qt is a software toolkit for developing applications. The following packages have been upgraded to a later upstream version: adwaita-qt (1.2.1), python-qt5 (5.15.0), qgnomeplatform (0.7.1), qt5 (5.15.2), qt5-qt3d (5.15.2), qt5-qtbase (5.15.2), qt5-qtconnectivity (5.15.2), qt5-qtdeclarative (5.15.2), qt5-qtdoc (5.15.2), qt5-qtgraphicaleffects (5.15.2), qt5-qtimageformats (5.15.2), qt5-qtlocation (5.15.2), qt5-qtmultimedia (5.15.2), qt5-qtquickcontrols (5.15.2), qt5-qtquickcontrols2 (5.15.2), qt5-qtscript (5.15.2), qt5-qtsensors (5.15.2), qt5-qtserialbus (5.15.2), qt5-qtserialport (5.15.2), qt5-qtsvg (5.15.2), qt5-qttools (5.15.2), qt5-qttranslations (5.15.2), qt5-qtwayland (5.15.2), qt5-qtwebchannel (5.15.2), qt5-qtwebsockets (5.15.2), qt5-qtx11extras (5.15.2), qt5-qtxmlpatterns (5.15.2), sip (4.19.24). (BZ#1928156) Security Fix(es): * qt: Out of bounds read in function QRadialFetchSimd from crafted svg file (CVE-2021-3481) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-3481 The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fix(es): * gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing (CVE-2026-2044) * gimp: GIMP: Remote Code Execution via out-of-bounds write in XWD file parsing (CVE-2026-2045) * gimp: GIMP: Remote Code Execution via ICO File Parsing Vulnerability (CVE-2026-0797) * gimp: GIMP: Remote Code Execution via XWD file parsing vulnerability (CVE-2026-2048) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2026 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2026-0797 CVE-2026-2044 CVE-2026-2045 CVE-2026-2048 Exiv2 is a C++ library to access image metadata, supporting read and write access to the Exif, IPTC and XMP metadata, Exif MakerNote support, extract and delete methods for Exif thumbnails, classes to access Ifd, and support for various image formats. The following packages have been upgraded to a later upstream version: exiv2 (0.27.4). (BZ#1989860) Security Fix(es): * exiv2: Heap-based buffer overflow in Jp2Image::readMetadata() (CVE-2021-3482) * exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata (CVE-2021-29457) * exiv2: Out-of-bounds read in Exiv2::Internal::CrwMap::encode (CVE-2021-29458) * exiv2: Heap-based buffer overflow in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-29464) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-29470) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata (CVE-2021-29473) * exiv2: Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS (CVE-2021-31292) * exiv2: Out-of-bounds read in Exiv2::WebPImage::doWriteMetadata (CVE-2021-29463) * exiv2: Use of uninitialized memory in isWebPType() may lead to information leak (CVE-2021-29623) * exiv2: DoS due to quadratic complexity in ProcessUTF8Portion (CVE-2021-32617) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::printStructure (CVE-2021-37618) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-37619) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-29457 CVE-2021-29458 CVE-2021-29463 CVE-2021-29464 CVE-2021-29470 CVE-2021-29473 CVE-2021-29623 CVE-2021-31292 CVE-2021-32617 CVE-2021-3482 CVE-2021-37618 CVE-2021-37619 File Roller is an application for creating and viewing archives files, such as tar or zip files. Security Fix(es): * file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736) (CVE-2020-36314) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-36314 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. The following packages have been upgraded to a later upstream version: mutt (2.0.7). (BZ#1912614) Security Fix(es): * mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection (CVE-2020-28896) * mutt: Memory leak when parsing rfc822 group addresses (CVE-2021-3181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-28896 CVE-2021-3181 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: net: e1000e: use-after-free while sending packets (CVE-2020-15859) * QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp) (CVE-2021-3592) * QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6) (CVE-2021-3593) * QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp) (CVE-2021-3594) * QEMU: slirp: invalid pointer initialization may lead to information disclosure (tftp) (CVE-2021-3595) * libvirt: Insecure sVirt label generation (CVE-2021-3631) * libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API (CVE-2021-3667) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-15859 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 CVE-2021-3631 CVE-2021-3667 EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. The following packages have been upgraded to a later upstream version: edk2 (20210527gite1999b264f1f). (BZ#1846481, BZ#1938238) Security Fix(es): * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23840 CVE-2021-23841 Babel provides tools to build and work with gettext message catalogs, and a Python interface to the CLDR (Common Locale Data Repository), providing access to various locale display names, localized number and date formatting, etc. Security Fix(es): * python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code (CVE-2021-20095, CVE-2021-42771) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-20095 CVE-2021-42771 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php (7.4.19). (BZ#1944110) Security Fix(es): * php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV (CVE-2020-7069) * php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo (CVE-2020-7071) * php: Use of freed hash key in the phar_parse_zipfile function (CVE-2020-7068) * php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server (CVE-2020-7070) * php: NULL pointer dereference in SoapClient (CVE-2021-21702) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-7068 CVE-2020-7069 CVE-2020-7070 CVE-2020-7071 CVE-2021-21702 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Host environment variables leaked in build container when using chroot isolation (CVE-2021-3602) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-3602 The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): * buildah: Host environment variables leaked in build container when using chroot isolation (CVE-2021-3602) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-3602 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. The following packages have been upgraded to a later upstream version: grafana (7.5.9). (BZ#1921191) Security Fix(es): * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114) * grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-27358 CVE-2021-3114 CVE-2021-33195 CVE-2021-33197 CVE-2021-34558 The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Security Fix(es): * libwebp: out-of-bounds read in WebPMuxCreateInternal (CVE-2018-25009) * libwebp: out-of-bounds read in ApplyFilter() (CVE-2018-25010) * libwebp: out-of-bounds read in WebPMuxCreateInternal() (CVE-2018-25012) * libwebp: out-of-bounds read in ShiftBytes() (CVE-2018-25013) * libwebp: use of uninitialized value in ReadSymbol() (CVE-2018-25014) * libwebp: out-of-bounds read in ChunkVerifyAndAssign() in mux/muxread.c (CVE-2020-36330) * libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c (CVE-2020-36331) * libwebp: excessive memory allocation when reading a file (CVE-2020-36332) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2018-25009 CVE-2018-25010 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix(es): * jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c (CVE-2020-27828) * jasper: Heap-based buffer over-read in jp2_decode() in jp2_dec.c (CVE-2021-3272) * jasper: Out of bounds read in jp2_decode() in jp2_dec.c (CVE-2021-26926) * jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c (CVE-2021-26927) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-27828 CVE-2021-26926 CVE-2021-26927 CVE-2021-3272 The tcpdump packages contain the tcpdump utility for monitoring network traffic. The tcpdump utility can capture and display the packet headers on a particular network interface or on all interfaces. Security Fix(es): * tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory (CVE-2020-8037) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-8037 The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es): * libtiff: Integer overflow in tif_getimage.c (CVE-2020-35523) * libtiff: Heap-based buffer overflow in TIFF2PDF tool (CVE-2020-35524) * libtiff: Memory allocation failure in tiff2rgba (CVE-2020-35521) * libtiff: Memory allocation failure in tiff2rgba (CVE-2020-35522) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-35521 CVE-2020-35522 CVE-2020-35523 CVE-2020-35524 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. The following packages have been upgraded to a later upstream version: openjpeg2 (2.4.0). Security Fix(es): * openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor (CVE-2020-15389) * openjpeg: heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS (CVE-2020-27814) * openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode() (CVE-2020-27823) * openjpeg: heap-buffer-overflow in color.c may lead to DoS or arbitrary code execution (CVE-2021-3575) * openjpeg: integer overflow in opj_t1_encode_cblks in src/lib/openjp2/t1.c (CVE-2018-5727) * openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c (CVE-2018-5785) * openjpeg: division-by-zero in functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (CVE-2018-20845) * openjpeg: integer overflow in function opj_get_encoding_parameters in openjp2/pi.c (CVE-2018-20847) * openjpeg: denial of service in function opj_t1_encode_cblks in openjp2/t1.c (CVE-2019-12973) * openjpeg: global-buffer-overflow read in opj_dwt_calc_explicit_stepsizes() (CVE-2020-27824) * openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c (CVE-2020-27842) * openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c (CVE-2020-27843) * openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c (CVE-2020-27845) * openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c (CVE-2021-29338) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2018-20845 CVE-2018-20847 CVE-2018-5727 CVE-2018-5785 CVE-2019-12973 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845 CVE-2021-29338 CVE-2021-3575 Graphviz is open-source graph-visualization software. Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains. Security Fix(es): * graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c (CVE-2020-18032) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-18032 Threading Building Blocks (TBB) is a C++ runtime library that abstracts the low-level threading details necessary for optimal multi-core performance. Security Fix(es): * jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-11023 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: mod_session: NULL pointer dereference when parsing Cookie header (CVE-2021-26690) * httpd: Unexpected URL matching with 'MergeSlashes OFF' (CVE-2021-30641) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-26690 CVE-2021-30641 Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. The following packages have been upgraded to a later upstream version: rust (1.54.0). (BZ#1945805) Security Fix(es): * rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string (CVE-2021-29922) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-29922 The libjpeg-turbo packages contain a library of functions for manipulating JPEG images. They also contain simple client programs for accessing the libjpeg functions. These packages provide the same functionality and API as libjpeg but with better performance. Security Fix(es): * libjpeg-turbo: Stack-based buffer overflow in the "transform" component (CVE-2020-17541) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-17541 Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. The following packages have been upgraded to a later upstream version: squid (4.15). (BZ#1964384) Security Fix(es): * squid: denial of service in URN processing (CVE-2021-28651) * squid: denial of service issue in Cache Manager (CVE-2021-28652) * squid: denial of service in HTTP response processing (CVE-2021-28662) * squid: improper input validation in HTTP Range header (CVE-2021-31806) * squid: incorrect memory management in HTTP Range header (CVE-2021-31807) * squid: integer overflow in HTTP Range header (CVE-2021-31808) * squid: denial of service in HTTP response processing (CVE-2021-33620) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808 CVE-2021-33620 The SpamAssassin tool provides a way to reduce unsolicited commercial email (spam) from incoming email. Security Fix(es): * spamassassin: Malicious rule configuration files can be configured to run system commands (CVE-2020-1946) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-1946 The zziplib is a lightweight library to easily extract data from zip files. Security Fix(es): * zziplib: infinite loop via the return value of zzip_file_read() as used in unzzip_cat_file() (CVE-2020-18442) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2020-18442 Exiv2 is a C++ library to access image metadata, supporting read and write access to the Exif, IPTC and XMP metadata, Exif MakerNote support, extract and delete methods for Exif thumbnails, classes to access Ifd, and support for various image formats. Security Fix(es): * exiv2: Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS (CVE-2021-31292) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::printStructure (CVE-2021-37618) * exiv2: Out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header (CVE-2021-37619) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-31292 CVE-2021-37618 CVE-2021-37619 The linuxptp packages provide Precision Time Protocol (PTP) implementation for Linux according to IEEE standard 1588 for Linux. The dual design goals are to provide a robust implementation of the standard and to use the most relevant and modern Application Programming Interfaces (API) offered by the Linux kernel. The following packages have been upgraded to a later upstream version: linuxptp (3.1.1). (BZ#1895005) Security Fix(es): * linuxptp: wrong length of one-step follow-up in transparent clock (CVE-2021-3571) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-3571 psutil is a module providing an interface for retrieving information on all running processes and system utilization (CPU, memory, disks, network, users) in a portable way by using Python. Security Fix(es): * python-psutil: double free because of refcount mishandling (CVE-2019-18874) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2019-18874 The lasso packages provide the Lasso library that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications. It allows handling of the whole life-cycle of SAML-based federations and provides bindings for multiple languages. Security Fix(es): * lasso: XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-28091 The libX11 packages contain the core X11 protocol client library. Security Fix(es): * libX11: missing request length checks (CVE-2021-31535) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-31535 Grilo is a framework that provides access to different sources of multimedia content, using a pluggable system. The grilo package contains the core library and elements. Security Fix(es): * grilo: missing TLS certificate verification (CVE-2021-39365) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-39365 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: out-of-bounds reads in pinctrl subsystem (CVE-2020-0427) * kernel: Improper input validation in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24502) * kernel: Insufficient access control in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24503) * kernel: Uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers (CVE-2020-24504) * kernel: Fragmentation cache not cleared on reconnection (CVE-2020-24586) * kernel: Reassembling fragments encrypted under different keys (CVE-2020-24587) * kernel: wifi frame payload being parsed incorrectly as an L2 frame (CVE-2020-24588) * kernel: Forwarding EAPOL from unauthenticated wifi client (CVE-2020-26139) * kernel: accepting plaintext data frames in protected networks (CVE-2020-26140) * kernel: not verifying TKIP MIC of fragmented frames (CVE-2020-26141) * kernel: accepting fragmented plaintext frames in protected networks (CVE-2020-26143) * kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header (CVE-2020-26144) * kernel: accepting plaintext broadcast fragments as full frames (CVE-2020-26145) * kernel: powerpc: RTAS calls can be used to compromise kernel integrity (CVE-2020-27777) * kernel: locking inconsistency in tty_io.c and tty_jobctrl.c can lead to a read-after-free (CVE-2020-29660) * kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function via a long SSID value (CVE-2020-36158) * kernel: slab out-of-bounds read in hci_extended_inquiry_result_evt() (CVE-2020-36386) * kernel: Improper access control in BlueZ may allow information disclosure vulnerability. (CVE-2021-0129) * kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c (CVE-2021-3348) * kernel: Linux kernel eBPF RINGBUF map oversized allocation (CVE-2021-3489) * kernel: double free in bluetooth subsystem when the HCI device initialization fails (CVE-2021-3564) * kernel: use-after-free in function hci_sock_bound_ioctl() (CVE-2021-3573) * kernel: eBPF 32-bit source register truncation on div/mod (CVE-2021-3600) * kernel: DoS in rb_per_cpu_empty() (CVE-2021-3679) * kernel: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732) * kernel: heap overflow in __cgroup_bpf_run_filter_getsockopt() (CVE-2021-20194) * kernel: Race condition in sctp_destroy_sock list_del (CVE-2021-23133) * kernel: fuse: stall on CPU can occur because a retry loop continually finds the same bad inode (CVE-2021-28950) * kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c (CVE-2021-28971) * kernel: protection can be bypassed to leak content of kernel memory (CVE-2021-29155) * kernel: improper input validation in tipc_nl_retrieve_key function in net/tipc/node.c (CVE-2021-29646) * kernel: lack a full memory barrier may lead to DoS (CVE-2021-29650) * kernel: local escalation of privileges in handling of eBPF programs (CVE-2021-31440) * kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory (CVE-2021-31829) * kernel: out-of-bounds reads and writes due to enforcing incorrect limits for pointer arithmetic operations by BPF verifier (CVE-2021-33200) * kernel: reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146) * kernel: reassembling mixed encrypted/plaintext fragments (CVE-2020-26147) * kernel: the copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check (CVE-2020-29368) * kernel: flowtable list del corruption with kernel BUG at lib/list_debug.c:50 (CVE-2021-3635) * kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659) * kernel: setsockopt System Call Untrusted Pointer Dereference Information Disclosure (CVE-2021-20239) * kernel: out of bounds array access in drivers/md/dm-ioctl.c (CVE-2021-31916) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-14615 CVE-2020-0427 CVE-2020-24502 CVE-2020-24503 CVE-2020-24504 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26140 CVE-2020-26141 CVE-2020-26143 CVE-2020-26144 CVE-2020-26145 CVE-2020-26146 CVE-2020-26147 CVE-2020-27777 CVE-2020-29368 CVE-2020-29660 CVE-2020-36158 CVE-2020-36312 CVE-2020-36386 CVE-2021-0129 CVE-2021-20194 CVE-2021-20239 CVE-2021-23133 CVE-2021-28950 CVE-2021-28971 CVE-2021-29155 CVE-2021-29646 CVE-2021-29650 CVE-2021-31440 CVE-2021-31829 CVE-2021-31916 CVE-2021-33033 CVE-2021-33200 CVE-2021-3348 CVE-2021-3489 CVE-2021-3564 CVE-2021-3573 CVE-2021-3600 CVE-2021-3635 CVE-2021-3659 CVE-2021-3679 CVE-2021-3732 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband (WWAN), and PPPoE devices, as well as providing VPN integration with a variety of different VPN services. The following packages have been upgraded to a later upstream version: NetworkManager (1.32.10). (BZ#1934465) Security Fix(es): * systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured (CVE-2020-13529) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-13529 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix(es): * binutils: Excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section() (CVE-2021-3487) * binutils: Race window allows users to own arbitrary files (CVE-2021-20197) * binutils: Heap-based buffer overflow in bfd_getl_signed_32() in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section() in elf.c (CVE-2020-35448) * binutils: Heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (CVE-2021-20284) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-35448 CVE-2021-20197 CVE-2021-20284 CVE-2021-3487 OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es): * openssh: Observable discrepancy leading to an information leak in the algorithm negotiation (CVE-2020-14145) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-14145 PCRE is a Perl-compatible regular expression library. Security Fix(es): * pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 (CVE-2019-20838) * pcre: Integer overflow when parsing callout numeric arguments (CVE-2020-14155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-20838 CVE-2020-14155 The file command is used to identify a particular file according to the type of data the file contains. It can identify many different file types, including Executable and Linkable Format (ELF) binary files, system libraries, RPM packages, and different graphics formats. Security Fix(es): * file: heap-based buffer overflow in cdf_read_property_info in cdf.c (CVE-2019-18218) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-18218 GNOME is the default desktop environment of AlmaLinux. The following packages have been upgraded to a later upstream version: gdm (40.0), webkit2gtk3 (2.32.3). (BZ#1909300) Security Fix(es): * webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558) * LibRaw: Stack buffer overflow in LibRaw::identify_process_dng_fields() in identify.cpp (CVE-2020-24870) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918) * webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788) * webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789) * webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799) * webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844) * webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870) * webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871) * webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775) * webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779) * webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806) * webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663) * webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665) * webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682) * webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689) * webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734) * webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749) * webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795) * webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799) * webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623) * gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (CVE-2020-36241) * gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix) (CVE-2021-28650) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-13558 CVE-2020-24870 CVE-2020-27918 CVE-2020-29623 CVE-2020-36241 CVE-2021-1765 CVE-2021-1788 CVE-2021-1789 CVE-2021-1799 CVE-2021-1801 CVE-2021-1844 CVE-2021-1870 CVE-2021-1871 CVE-2021-21775 CVE-2021-21779 CVE-2021-21806 CVE-2021-28650 CVE-2021-30663 CVE-2021-30665 CVE-2021-30682 CVE-2021-30689 CVE-2021-30720 CVE-2021-30734 CVE-2021-30744 CVE-2021-30749 CVE-2021-30758 CVE-2021-30795 CVE-2021-30797 CVE-2021-30799 JSON-C implements a reference counting object model that allows users to easily construct JavaScript Object Notation (JSON) objects in C, output them as JSON formatted strings, and parse JSON formatted strings back into the C representation of JSON objects. Security Fix(es): * json-c: integer overflow and out-of-bounds write via a large JSON file (CVE-2020-12762) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-12762 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * bind: Broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly (CVE-2021-25214) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-25214 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fix(es): * glib2: Possible privilege escalation thourgh pkexec and aliases (CVE-2021-3800) * glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink (CVE-2021-28153) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-28153 CVE-2021-3800 The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fix(es): * libiberty: Integer overflow in demangle_template() function (CVE-2018-20673) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2018-20673 libssh is a library which implements the SSH protocol. It can be used to implement client and server applications. Security Fix(es): * libssh: NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL (CVE-2020-16135) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-16135 The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix(es): * cups: access to uninitialized buffer in ipp.c (CVE-2020-10001) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-10001 SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Security Fix(es): * sqlite: out-of-bounds access due to the use of 32-bit memory allocator interfaces (CVE-2019-5827) * sqlite: dropping of shadow tables not restricted in defensive mode (CVE-2019-13750) * sqlite: fts3: improve detection of corrupted records (CVE-2019-13751) * sqlite: mishandling of certain SELECT statements with non-existent VIEW can lead to DoS (CVE-2019-19603) * sqlite: NULL pointer dereference in sqlite3ExprCodeTarget() (CVE-2020-13435) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-13750 CVE-2019-13751 CVE-2019-19603 CVE-2019-5827 CVE-2020-13435 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * python: Information disclosure via pydoc (CVE-2021-3426) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3426 The libsolv packages provide a library for resolving package dependencies using a satisfiability algorithm. Security Fix(es): * libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c (CVE-2021-3200) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3200 The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. Security Fix(es): * libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm (CVE-2021-33560) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-33560 The tpm2-tools packages add a set of utilities for management and utilization of Trusted Platform Module (TPM) 2.0 devices from user space. Security Fix(es): * tpm2-tools: fixed AES wrapping key in tpm2_import (CVE-2021-3565) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3565 The ncurses (new curses) library routines are a terminal-independent method of updating character screens with reasonable optimization. The ncurses packages contain support utilities including a terminfo compiler tic, a decompiler infocmp, clear, tput, tset, and a termcap conversion tool captoinfo. Security Fix(es): * ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c (CVE-2019-17594) * ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c (CVE-2019-17595) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2019-17594 CVE-2019-17595 The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space. The following packages have been upgraded to a later upstream version: gnutls (3.6.16). (BZ#1956783) Security Fix(es): * nettle: Remote crash in RSA decryption via manipulated ciphertext (CVE-2021-3580) * gnutls: Use after free in client key_share extension (CVE-2021-20231) * gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c (CVE-2021-20232) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20231 CVE-2021-20232 CVE-2021-3580 The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and similar operating systems. Security Fix(es): * cups: libppd: remote command injection via attacker controlled data in PPD file (CVE-2024-47175) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Low Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2024-47175 pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python". Security Fix(es): * python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3572 dnf is a package manager that allows users to manage packages on their systems. It supports RPMs, modules and comps groups & environments. Security Fix(es): * libdnf: Signature verification bypass via signature placed in the main RPM header (CVE-2021-3445) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3445 The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Security Fix(es): * rpm: missing length checks in hdrblobInit() (CVE-2021-20266) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20266 The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix(es): * lua: segmentation fault in getlocal and setlocal functions in ldebug.c (CVE-2020-24370) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2020-24370 The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876) * curl: TELNET stack contents disclosure (CVE-2021-22898) * curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure (CVE-2021-22925) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 The libsepol library provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need to perform specific transformations on binary policies (for example, customizing policy boolean settings). Security Fix(es): * libsepol: use-after-free in __cil_verify_classperms() (CVE-2021-36084) * libsepol: use-after-free in __cil_verify_classperms() (CVE-2021-36085) * libsepol: use-after-free in cil_reset_classpermission() (CVE-2021-36086) * libsepol: heap-based buffer overflow in ebitmap_match_any() (CVE-2021-36087) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c (CVE-2021-3778) * vim: use-after-free in nv_replace() in normal.c (CVE-2021-3796) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3778 CVE-2021-3796 AutoTrace is a program for converting bitmaps to vector graphics. Security Fix(es): * autotrace: bitmap double free in main.c allows attackers to cause an unspecified impact (CVE-2019-19005) * autotrace: integer overflow in input-bmp.c (CVE-2019-19004) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2019-19004 CVE-2019-19005 GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. The following packages have been upgraded to a later upstream version: mingw-glib2 (2.66.7). (BZ#1935248, BZ#1939111) Security Fix(es): * glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219) * glib: integer overflow in g_byte_array_new_take function when called with a buffer of 4GB or more on a 64-bit platform (CVE-2021-27218) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools CVE-2021-27218 CVE-2021-27219 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: Regression of CVE-2021-40438 and CVE-2021-26691 fixes in AlmaLinux (CVE-2021-20325) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-20325 The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in gcc in order to facilitate detection of BiDi Unicode characters: This update implements a new warning option -Wbidirectional to warn about possibly dangerous bidirectional characters. There are three levels of warning supported by gcc: "-Wbidirectional=unpaired", which warns about improperly terminated BiDi contexts. (This is the default.) "-Wbidirectional=none", which turns the warning off. "-Wbidirectional=any", which warns about any use of bidirectional characters. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-42574 The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in gcc in order to facilitate detection of BiDi Unicode characters: This update implements a new warning option -Wbidirectional to warn about possibly dangerous bidirectional characters. There are three levels of warning supported by gcc: "-Wbidirectional=unpaired", which warns about improperly terminated BiDi contexts. (This is the default.) "-Wbidirectional=none", which turns the warning off. "-Wbidirectional=any", which warns about any use of bidirectional characters. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in gcc in order to facilitate detection of BiDi Unicode characters: This update implements a new warning option -Wbidirectional to warn about possibly dangerous bidirectional characters. There are three levels of warning supported by gcc: "-Wbidirectional=unpaired", which warns about improperly terminated BiDi contexts. (This is the default.) "-Wbidirectional=none", which turns the warning off. "-Wbidirectional=any", which warns about any use of bidirectional characters. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-42574 Annobin provides a compiler plugin to annotate and tools to examine compiled binary files. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in annobin in order to facilitate detection of BiDi Unicode characters: This update of annobin adds a new annocheck test to detect the presence of multibyte characters in symbol names. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 Annobin provides a compiler plugin to annotate and tools to examine compiled binary files. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in annobin in order to facilitate detection of BiDi Unicode characters: This update of annobin adds a new annocheck test to detect the presence of multibyte characters in symbol names. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 Annobin provides a compiler plugin to annotate and tools to examine compiled binary files. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in annobin in order to facilitate detection of BiDi Unicode characters: This update of annobin adds a new annocheck test to detect the presence of multibyte characters in symbol names. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in binutils in order to facilitate detection of BiDi Unicode characters: Tools which display names or strings (readelf, strings, nm, objdump) have a new command line option --unicode / -U which controls how Unicode characters are handled. Using "--unicode=default" will treat them as normal for the tool. This is the default behaviour when --unicode option is not used. Using "--unicode=locale" will display them according to the current locale. Using "--unicode=hex" will display them as hex byte values. Using "--unicode=escape" will display them as Unicode escape sequences. Using "--unicode=highlight" will display them as Unicode escape sequences highlighted in red, if supported by the output device. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in binutils in order to facilitate detection of BiDi Unicode characters: Tools which display names or strings (readelf, strings, nm, objdump) have a new command line option --unicode / -U which controls how Unicode characters are handled. Using "--unicode=default" will treat them as normal for the tool. This is the default behaviour when --unicode option is not used. Using "--unicode=locale" will display them according to the current locale. Using "--unicode=hex" will display them as hex byte values. Using "--unicode=escape" will display them as Unicode escape sequences. Using "--unicode=highlight" will display them as Unicode escape sequences highlighted in red, if supported by the output device. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-42574 FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix(es): * freerdp: improper client input validation for gateway connections allows to overwrite memory (CVE-2021-41159) * freerdp: improper region checks in all clients allow out of bound write to memory (CVE-2021-41160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-41159 CVE-2021-41160 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type (CVE-2021-43267) * kernel: timer tree corruption leads to missing wakeup and system freeze (CVE-2021-20317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20317 CVE-2021-43267 The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in binutils in order to facilitate detection of BiDi Unicode characters: Tools which display names or strings (readelf, strings, nm, objdump) have a new command line option --unicode / -U which controls how Unicode characters are handled. Using "--unicode=default" will treat them as normal for the tool. This is the default behaviour when --unicode option is not used. Using "--unicode=locale" will display them according to the current locale. Using "--unicode=hex" will display them as hex byte values. Using "--unicode=escape" will display them as Unicode escape sequences. Using "--unicode=highlight" will display them as Unicode escape sequences highlighted in red, if supported by the output device. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 LLVM Toolset provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis. Security Fix(es): * Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574) The following changes were introduced in clang in order to facilitate detection of BiDi Unicode characters: clang-tidy now finds identifiers that contain Unicode characters with right-to-left direction, which can be confusing as they may change the understanding of a whole statement. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42574 Mailman is a program used to help manage e-mail discussion lists. Security Fix(es): * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097) * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-42096 CVE-2021-42097 Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Critical Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-43527 Mailman is a program used to help manage e-mail discussion lists. Security Fix(es): * mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover (CVE-2021-44227) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-44227 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.4.0 ESR. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 * Mozilla: URL leakage when navigating while executing asynchronous function (CVE-2021-43536) * Mozilla: Heap buffer overflow when using structured clone (CVE-2021-43537) * Mozilla: Missing fullscreen and pointer lock notification when requesting both (CVE-2021-43538) * Mozilla: GC rooting failure when calling wasm instance methods (CVE-2021-43539) * Mozilla: External protocol handler parameters were unescaped (CVE-2021-43541) * Mozilla: XMLHttpRequest error codes could have leaked the existence of an external protocol handler (CVE-2021-43542) * Mozilla: Bypass of CSP sandbox directive when embedding (CVE-2021-43543) * Mozilla: Denial of Service when using the Location API in a loop (CVE-2021-43545) * Mozilla: Cursor spoofing could overlay user interface when native cursor is zoomed (CVE-2021-43546) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.4.0. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 (BZ#2030116) * Mozilla: URL leakage when navigating while executing asynchronous function (CVE-2021-43536) * Mozilla: Heap buffer overflow when using structured clone (CVE-2021-43537) * Mozilla: Missing fullscreen and pointer lock notification when requesting both (CVE-2021-43538) * Mozilla: GC rooting failure when calling wasm instance methods (CVE-2021-43539) * Mozilla: External protocol handler parameters were unescaped (CVE-2021-43541) * Mozilla: XMLHttpRequest error codes could have leaked the existence of an external protocol handler (CVE-2021-43542) * Mozilla: Bypass of CSP sandbox directive when embedding (CVE-2021-43543) * Mozilla: JavaScript unexpectedly enabled for the composition area (CVE-2021-43528) * Mozilla: Denial of Service when using the Location API in a loop (CVE-2021-43545) * Mozilla: Cursor spoofing could overlay user interface when native cursor is zoomed (CVE-2021-43546) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-43528 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717) * samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124) * samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2016-2124 CVE-2020-25717 CVE-2021-23192 AlmaLinux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix(es): * samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets (CVE-2020-25719) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-25719 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix(es): * golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716) * golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Rebase Go to 1.16.12 (BZ#2031125) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-44716 CVE-2021-44717 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-28469 CVE-2020-7788 CVE-2021-22959 CVE-2021-22960 CVE-2021-33502 CVE-2021-3807 CVE-2021-3918 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: In Overlayfs missing a check for a negative dentry before calling vfs_rename() (CVE-2021-20321) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * panic while breaking a lease/delegation after user mode helper invocation (BZ#2010333) * The ASR driver is causing a system crash in AlmaLinux8.4 compared to AlmaLinux8.3 due to kernel changes (BZ#2016384) * AlmaLinux8: DFS provided SMB shares are not accessible following unprivileged access (BZ#2017177) * Avoid hitting the rtnl_trylock/restart_syscall logic in net-sysfs when possible (BZ#2021165) * AlmaLinux8: x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT (BZ#2024678) * AlmaLinux8.4-[Regression][P10][DD2.0][Rainier/Denali] - system crashed while offlining and onlining cores (BZ#2026450) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-20321 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (12.9). Security Fix(es): * postgresql: memory disclosure in certain queries (CVE-2021-3677) * postgresql: server processes unencrypted bytes from man-in-the-middle (CVE-2021-23214) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23214 CVE-2021-3677 PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (13.5). Security Fix(es): * postgresql: memory disclosure in certain queries (CVE-2021-3677) * postgresql: server processes unencrypted bytes from man-in-the-middle (CVE-2021-23214) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23214 CVE-2021-3677 The libblockdev packages provide a C library with GObject introspection support used for low-level operations on block devices. The library serves as a thin wrapper around plug-ins for specific functionality, such as LVM, Btrfs, LUKS, or MD RAID. Security Fix(es): * libblockdev: LPE from allow_active to root in libblockdev via udisks (CVE-2025-6019) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2025 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/a:almalinux:almalinux:8::highavailability cpe:/a:almalinux:almalinux:8::nfv cpe:/a:almalinux:almalinux:8::realtime cpe:/a:almalinux:almalinux:8::resilientstorage cpe:/a:almalinux:almalinux:8::sap cpe:/a:almalinux:almalinux:8::sap_hana cpe:/a:almalinux:almalinux:8::supplementary cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2025-6019 Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es): * QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c (CVE-2021-3930) * QEMU: net: e1000: infinite loop while processing transmit descriptors (CVE-2021-20257) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Low Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-20257 CVE-2021-3930 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es): * golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-44716 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.5.0. Security Fix(es): * Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140) * Mozilla: Race condition when playing audio files (CVE-2022-22737) * Mozilla: Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738) * Mozilla: Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740) * Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22741) * Mozilla: Out-of-bounds memory access when inserting text in edit mode (CVE-2022-22742) * Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22743) * Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 (CVE-2022-22751) * Mozilla: Leaking cross-origin URLs through securitypolicyviolation event (CVE-2022-22745) * Mozilla: Spoofed origin on external protocol launch dialog (CVE-2022-22748) * Mozilla: Missing throttling on external protocol launch dialog (CVE-2022-22739) * Mozilla: Crash when handling empty pkcs7 sequence (CVE-2022-22747) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.5.0 ESR. Security Fix(es): * Mozilla: Iframe sandbox bypass with XSLT (CVE-2021-4140) * Mozilla: Race condition when playing audio files (CVE-2022-22737) * Mozilla: Heap-buffer-overflow in blendGaussianBlur (CVE-2022-22738) * Mozilla: Use-after-free of ChannelEventQueue::mOwner (CVE-2022-22740) * Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22741) * Mozilla: Out-of-bounds memory access when inserting text in edit mode (CVE-2022-22742) * Mozilla: Browser window spoof using fullscreen mode (CVE-2022-22743) * Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5 (CVE-2022-22751) * Mozilla: Leaking cross-origin URLs through securitypolicyviolation event (CVE-2022-22745) * Mozilla: Spoofed origin on external protocol launch dialog (CVE-2022-22748) * Mozilla: Missing throttling on external protocol launch dialog (CVE-2022-22739) * Mozilla: Crash when handling empty pkcs7 sequence (CVE-2022-22747) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751 The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fix(es): * OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248) * OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952) (CVE-2022-21277) * OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282) * OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283) * OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386) (CVE-2022-21291) * OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293) * OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294) * OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305) * OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340) * OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360) * OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365) * OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096) (CVE-2022-21366) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365 CVE-2022-21366 GEGL (Generic Graphics Library) is a graph-based image processing framework. Security Fix(es): * gegl: shell expansion via a crafted pathname (CVE-2021-45463) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2021-45463 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix(es): * OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248) * OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952) (CVE-2022-21277) * OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282) * OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283) * OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386) (CVE-2022-21291) * OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293) * OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294) * OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305) * OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340) * OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360) * OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365) * OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096) (CVE-2022-21366) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365 CVE-2022-21366 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL (CVE-2021-4155) * kernel: fs_context: heap overflow in legacy parameter handling (CVE-2022-0185) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * kernel show “ BUG: scheduling while atomic:xxx“ and reboot when an uncorrectable memory error injection on AlmaLinux8.4 beta and GA (BZ#2008789) * tcp: Sockets can be orphaned in the FIN-WAIT-1 or CLOSING states. (BZ#2021574) * Hostnetwork pod to service backed by hostnetwork on the same node is not working with OVN Kubernetes (BZ#2024411) * ice: bug fixes for kernel crashes (BZ#2026698) * [AlmaLinux-8.6][SanityOnly] Backport leftover migrate_disable BPF related change (BZ#2027689) * xfs: I_DONTCACHE flag is ignored [xfstests: xfs/177] (BZ#2028534) * FIPS: deadlock between PID 1 and "modprobe crypto-jitterentropy_rng" at boot, preventing system to boot (BZ#2029365) * AlmaLinux8.6: Backport upstream RCU commits up to v5.12 (BZ#2029449) * i40e,ixgbe: revert XDP partial backport from kernel 5.13 (BZ#2029845) * spec: Support separate tools build (BZ#2031053) * RCU stall WARNING: at kernel/rcu/tree.c:1392 rcu_advance_cbs_nowake+0x51/0x60 (BZ#2032579) * block: update to upstream v5.14 (BZ#2034396) Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-4155 CVE-2022-0185 Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN). Security Fix(es): * libreswan: Malicious IKEv1 packet can cause libreswan to restart (CVE-2022-23094) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2022-23094 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix(es): * httpd: mod_lua: Possible buffer overflow when parsing multipart content (CVE-2021-44790) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-44790 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix(es): * polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector (CVE-2021-4034) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-4034 Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation. Security Fix(es): * log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305) * log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es): * OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248) * OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282) * OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283) * OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293) * OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294) * OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305) * OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340) * OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341) * OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360) * OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Previously, OpenJDK would crash when running the Java Flight Recorder (JFR) on PowerPC 64 (ppc64) machines. This was found to be due to missing crash protection in the ppc64 port. With this update, JFR should be run without crashing on ppc64. (BZ#2038935) Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2022-21248 CVE-2022-21282 CVE-2022-21283 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. The following packages have been upgraded to a later upstream version: nginx (1.20.1). (BZ#2031030) Security Fix(es): * nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name (CVE-2021-23017) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-23017 Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix(es): * samba: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (CVE-2021-44142) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Fix username map script regression introduced with CVE-2020-25717 (BZ#2046174) * Fix possible segfault when joining the domain (BZ#2046160) Critical Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-44142 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609) Security Fix(es): * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701) * nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712) * llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959) * llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-28469 CVE-2020-7788 CVE-2021-22959 CVE-2021-22960 CVE-2021-33502 CVE-2021-37701 CVE-2021-37712 CVE-2021-3807 CVE-2021-3918 Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fix(es): * vim: heap-based buffer overflow in win_redr_status() in drawscreen.c (CVE-2021-3872) * vim: illegal memory access in find_start_brace() in cindent.c when C-indenting (CVE-2021-3984) * vim: heap-based buffer overflow in find_help_tags() in help.c (CVE-2021-4019) * vim: use-after-free in win_linetabsize() (CVE-2021-4192) * vim: out-of-bound read in getvcol() (CVE-2021-4193) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3872 CVE-2021-3984 CVE-2021-4019 CVE-2021-4192 CVE-2021-4193 The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Security Fix(es): * rpm: RPM does not require subkeys to have a valid binding signature (CVE-2021-3521) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-3521 The cryptsetup packages provide a utility for setting up disk encryption using the dm-crypt kernel module. Security Fix(es): * cryptsetup: disable encryption via header rewrite (CVE-2021-4122) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Moderate Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/o:almalinux:almalinux:8 cpe:/o:almalinux:almalinux:8::baseos CVE-2021-4122 Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. Security Fix(es): * varnish: HTTP/1 request smuggling vulnerability (CVE-2022-23959) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2022-23959 Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions. Security Fix(es): * aide: heap-based buffer overflow on outputs larger than B64_BUF (CVE-2021-45417) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2021-45417 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.211 and .NET Runtime 5.0.14. Security Fix(es): * dotnet: ASP.NET Core Krestel HTTP headers pooling denial of service (CVE-2022-219862) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream cpe:/a:almalinux:almalinux:8::powertools CVE-2022-21986 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.102 and .NET Runtime 6.0.2. Security Fix(es): * dotnet: ASP.NET Core Krestel HTTP headers pooling denial of service (CVE-2022-219862) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2022-21986 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Security Fix(es): * Mozilla: Extensions could have bypassed permission confirmation during update (CVE-2022-22754) * Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 (CVE-2022-22764) * Mozilla: Drag and dropping an image could have resulted in the dropped object being an executable (CVE-2022-22756) * Mozilla: Sandboxed iframes could have executed script if the parent appended elements (CVE-2022-22759) * Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types (CVE-2022-22760) * Mozilla: frame-ancestors Content Security Policy directive was not enforced for framed extension pages (CVE-2022-22761) * Mozilla: Script Execution during invalid object state (CVE-2022-22763) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.6.0. Security Fix(es): * Mozilla: Extensions could have bypassed permission confirmation during update (CVE-2022-22754) * Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 (CVE-2022-22764) * Mozilla: Drag and dropping an image could have resulted in the dropped object being an executable (CVE-2022-22756) * Mozilla: Sandboxed iframes could have executed script if the parent appended elements (CVE-2022-22759) * Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types (CVE-2022-22760) * Mozilla: frame-ancestors Content Security Policy directive was not enforced for framed extension pages (CVE-2022-22761) * Mozilla: Script Execution during invalid object state (CVE-2022-22763) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix(es): * rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327) * rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799) * ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810) * ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066) * ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817) * ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Important Copyright 2022 AlmaLinux OS cpe:/a:almalinux:almalinux:8 cpe:/a:almalinux:almalinux:8::appstream CVE-2020-36327 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 CVE-2021-41817 CVE-2021-41819