CVE-2024-9355 (GCVE-0-2024-9355)
Vulnerability from cvelistv5 – Published: 2024-10-01 18:17 – Updated: 2026-04-30 16:33

CWE-457 - Use of Uninitialized Variable

| Vendor | Product | Version | CPE |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support | Unaffected: 0:0.10-2.el7_9, < * (rpm) | cpe:/o:redhat:rhel_els:7 |
| Red Hat | Red Hat Enterprise Linux 8 | Unaffected: 8100020241001112709.a3795dee, < * (rpm) | cpe:/a:redhat:enterprise_linux:8::appstream |
| Red Hat | Red Hat Enterprise Linux 8 | Unaffected: 0:9.2.10-20.el8_10, < * (rpm) | cpe:/a:redhat:enterprise_linux:8::appstream |
| Red Hat | Red Hat Enterprise Linux 8 | Unaffected: 0:5.1.1-9.el8_10, < * (rpm) | cpe:/a:redhat:enterprise_linux:8::appstream |
| Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:1.21.13-4.el9_4, < * (rpm) | cpe:/a:redhat:enterprise_linux:9::appstream |
| Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:9.2.10-19.el9_4, < * (rpm) | cpe:/a:redhat:enterprise_linux:9::appstream |
| Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:132-1.el9, < * (rpm) | cpe:/a:redhat:enterprise_linux:9::appstream |
| Red Hat | Red Hat Enterprise Linux 9 | Unaffected: 0:3.6.1-1.el9, < * (rpm) | cpe:/a:redhat:enterprise_linux:9::appstream |
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | Unaffected: 0:5.1.1-4.el9_4, < * (rpm) | cpe:/a:redhat:rhel_eus:9.4::appstream |
| Red Hat | Satellite Client 6 for RHEL 10 | Unaffected: 0:0.3.1-1.el10sat, < * (rpm) | cpe:/a:redhat:rhel_satellite_client:6::el10 cpe:/a:redhat:rhel_satellite_client:6::el8 cpe:/a:redhat:rhel_satellite_client:6::el9 |
| Red Hat | Satellite Client 6 for RHEL 8 | Unaffected: 0:0.3.1-1.el8sat, < * (rpm) | cpe:/a:redhat:rhel_satellite_client:6::el10 cpe:/a:redhat:rhel_satellite_client:6::el8 cpe:/a:redhat:rhel_satellite_client:6::el9 |
| Red Hat | Satellite Client 6 for RHEL 9 | Unaffected: 0:0.3.1-1.el9sat, < * (rpm) | cpe:/a:redhat:rhel_satellite_client:6::el10 cpe:/a:redhat:rhel_satellite_client:6::el8 cpe:/a:redhat:rhel_satellite_client:6::el9 |
| Red Hat | Streams for Apache Kafka 2.9.0 | | cpe:/a:redhat:amq_streams:2 |
| Red Hat | NBDE Tang Server | | cpe:/a:redhat:network_bound_disk_encryption_tang:1 |
| Red Hat | OpenShift Developer Tools and Services | | cpe:/a:redhat:ocp_tools |
| Red Hat | OpenShift Pipelines | | cpe:/a:redhat:openshift_pipelines:1 |
| Red Hat | OpenShift Serverless | | cpe:/a:redhat:serverless:1 |
| Red Hat | Red Hat Ansible Automation Platform 1.2 | | cpe:/a:redhat:ansible_automation_platform |
| Red Hat | Red Hat Ansible Automation Platform 2 | | cpe:/a:redhat:ansible_automation_platform:2 |
| Red Hat | Red Hat Enterprise Linux 10 | | cpe:/o:redhat:enterprise_linux:10 |
| Red Hat | Red Hat Enterprise Linux 7 | | cpe:/o:redhat:enterprise_linux:7 |
| Red Hat | Red Hat Enterprise Linux 8 | | cpe:/o:redhat:enterprise_linux:8 |
| Red Hat | Red Hat Enterprise Linux 9 | | cpe:/o:redhat:enterprise_linux:9 |
| Red Hat | Red Hat OpenShift Container Platform 4 | | cpe:/a:redhat:openshift:4 |
| Red Hat | Red Hat Openshift Container Storage 4 | | cpe:/a:redhat:openshift_container_storage:4 |
| Red Hat | Red Hat Openshift Data Foundation 4 | | cpe:/a:redhat:openshift_data_foundation:4 |
| Red Hat | Red Hat OpenShift Dev Spaces | | cpe:/a:redhat:openshift_devspaces:3 |
| Red Hat | Red Hat OpenShift GitOps | | cpe:/a:redhat:openshift_gitops:1 |
| Red Hat | Red Hat OpenShift on AWS | | cpe:/a:redhat:openshift_service_on_aws:1 |
| Red Hat | Red Hat OpenShift Virtualization 4 | | cpe:/a:redhat:container_native_virtualization:4 |
| Red Hat | Red Hat OpenStack Platform 16.2 | | cpe:/a:redhat:openstack:16.2 |
| Red Hat | Red Hat OpenStack Platform 17.1 | | cpe:/a:redhat:openstack:17.1 |
| Red Hat | Red Hat Satellite 6 | | cpe:/a:redhat:satellite:6 |
| Red Hat | Red Hat Service Interconnect 1 | | cpe:/a:redhat:service_interconnect:1 |
| Red Hat | Red Hat Storage 3 | | cpe:/a:redhat:storage:3 |
| Red Hat | Red Hat Trusted Artifact Signer | | cpe:/a:redhat:trusted_artifact_signer:1 |

{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T18:35:51.670441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T18:37:53.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/golang-fips/openssl",
"defaultStatus": "affected",
"packageName": "github.com/golang-fips/openssl"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"packageName": "rhc-worker-script",
"product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.10-2.el7_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"packageName": "go-toolset:rhel8",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020241001112709.a3795dee",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"packageName": "grafana",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:9.2.10-20.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"packageName": "grafana-pcp",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.1.1-9.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "golang",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.21.13-4.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "grafana",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:9.2.10-19.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "osbuild-composer",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:132-1.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "git-lfs",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.6.1-1.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "grafana-pcp",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:5.1.1-4.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_satellite_client:6::el10",
"cpe:/a:redhat:rhel_satellite_client:6::el8",
"cpe:/a:redhat:rhel_satellite_client:6::el9"
],
"defaultStatus": "affected",
"packageName": "foreman_ygg_worker",
"product": "Satellite Client 6 for RHEL 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.3.1-1.el10sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_satellite_client:6::el10",
"cpe:/a:redhat:rhel_satellite_client:6::el8",
"cpe:/a:redhat:rhel_satellite_client:6::el9"
],
"defaultStatus": "affected",
"packageName": "foreman_ygg_worker",
"product": "Satellite Client 6 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.3.1-1.el8sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_satellite_client:6::el10",
"cpe:/a:redhat:rhel_satellite_client:6::el8",
"cpe:/a:redhat:rhel_satellite_client:6::el9"
],
"defaultStatus": "affected",
"packageName": "foreman_ygg_worker",
"product": "Satellite Client 6 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:0.3.1-1.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:2"
],
"defaultStatus": "unaffected",
"packageName": "golang-github-danielqsj-kafka_exporter",
"product": "Streams for Apache Kafka 2.9.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:network_bound_disk_encryption_tang:1"
],
"defaultStatus": "affected",
"packageName": "tang-operator-bundle-container",
"product": "NBDE Tang Server",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"packageName": "helm",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ocp_tools"
],
"defaultStatus": "affected",
"packageName": "odo",
"product": "OpenShift Developer Tools and Services",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_pipelines:1"
],
"defaultStatus": "affected",
"packageName": "openshift-pipelines-client",
"product": "OpenShift Pipelines",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "affected",
"packageName": "openshift-serverless-clients",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform"
],
"defaultStatus": "affected",
"packageName": "helm",
"product": "Red Hat Ansible Automation Platform 1.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform"
],
"defaultStatus": "affected",
"packageName": "openshift-clients",
"product": "Red Hat Ansible Automation Platform 1.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "automation-gateway-proxy",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "affected",
"packageName": "receptor",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "buildah",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "butane",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "conmon",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "containers-common",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "delve",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "git-lfs",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "golang-github-openprinting-ipp-usb",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "grafana",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "grafana-pcp",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "gvisor-tap-vsock",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "ignition",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "osbuild-composer",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "podman",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "rsyslog",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "skopeo",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "toolbox",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "yggdrasil",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "yggdrasil-worker-package-manager",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "host-metering",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "skopeo",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/buildah",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/conmon",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/containernetworking-plugins",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/podman",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/runc",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/skopeo",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "container-tools:rhel8/toolbox",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "git-lfs",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "osbuild-composer",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "rhc",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "rsyslog",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "weldr-client",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "buildah",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "butane",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "conmon",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "containernetworking-plugins",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "grafana-pcp",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "gvisor-tap-vsock",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "ignition",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "opentelemetry-collector",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "podman",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "rsyslog",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "runc",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "skopeo",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "toolbox",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "weldr-client",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "buildah",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "butane",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "conmon",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "conmon-rs",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "containernetworking-plugins",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "cri-o",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "cri-tools",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "golang-github-prometheus-promu",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ignition",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "lifecycle-agent-operator-bundle-container",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "microshift",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/bare-metal-event-relay-operator-bundle",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/numaresources-operator-bundle",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-aws-efs-csi-driver-container-rhel8",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-gcp-filestore-csi-driver-rhel8",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-secrets-store-csi-driver-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-sriov-network-metrics-exporter-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-sriov-rdma-cni-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/ose-vertical-pod-autoscaler-rhel8",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/rdma-cni-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/sriov-network-metrics-exporter-rhel9",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift4/topology-aware-lifecycle-manager-operator-bundle",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "openshift-clients",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ose-aws-ecr-image-credential-provider",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ose-azure-acr-image-credential-provider",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "ose-gcp-gcr-image-credential-provider",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "podman",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "runc",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "skopeo",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_container_storage:4"
],
"defaultStatus": "affected",
"packageName": "mcg",
"product": "Red Hat Openshift Container Storage 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4"
],
"defaultStatus": "affected",
"packageName": "mcg",
"product": "Red Hat Openshift Data Foundation 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3"
],
"defaultStatus": "unaffected",
"packageName": "devspaces/machineexec-rhel8",
"product": "Red Hat OpenShift Dev Spaces",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_gitops:1"
],
"defaultStatus": "affected",
"packageName": "openshift-gitops-1/gitops-operator-bundle",
"product": "Red Hat OpenShift GitOps",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift_service_on_aws:1"
],
"defaultStatus": "affected",
"packageName": "rosa",
"product": "Red Hat OpenShift on AWS",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:container_native_virtualization:4"
],
"defaultStatus": "affected",
"packageName": "kubevirt",
"product": "Red Hat OpenShift Virtualization 4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "golang-github-infrawatch-apputils",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "golang-qpid-apache",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "affected",
"packageName": "qpid-proton",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"packageName": "etcd",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"packageName": "golang-github-infrawatch-apputils",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"packageName": "golang-qpid-apache",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"packageName": "qpid-proton",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unaffected",
"packageName": "qpid-proton",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "unaffected",
"packageName": "satellite-capsule:el8/qpid-proton",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"packageName": "satellite:el8/qpid-proton",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"packageName": "satellite:el8/yggdrasil-worker-forwarder",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"packageName": "yggdrasil",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"defaultStatus": "affected",
"packageName": "yggdrasil-worker-forwarder",
"product": "Red Hat Satellite 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"packageName": "qpid-proton",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"packageName": "skupper-cli",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:service_interconnect:1"
],
"defaultStatus": "affected",
"packageName": "skupper-router",
"product": "Red Hat Service Interconnect 1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:storage:3"
],
"defaultStatus": "affected",
"packageName": "heketi",
"product": "Red Hat Storage 3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:trusted_artifact_signer:1"
],
"defaultStatus": "affected",
"packageName": "rhtas/fulcio-rhel9",
"product": "Red Hat Trusted Artifact Signer",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by David Benoit (Red Hat)."
}
],
"datePublic": "2024-09-30T20:53:42.833Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-457",
"description": "Use of Uninitialized Variable",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T16:33:24.121Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:10133",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:10133"
},
{
"name": "RHSA-2024:7502",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:7502"
},
{
"name": "RHSA-2024:7550",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:7550"
},
{
"name": "RHSA-2024:8327",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:8327"
},
{
"name": "RHSA-2024:8678",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:8678"
},
{
"name": "RHSA-2024:8847",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:8847"
},
{
"name": "RHSA-2024:9551",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:9551"
},
{
"name": "RHSA-2025:2416",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
},
{
"name": "RHSA-2025:7118",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:7118"
},
{
"name": "RHSA-2025:7256",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:7256"
},
{
"name": "RHSA-2025:7624",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:7624"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"name": "RHBZ#2315719",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"url": "https://github.com/golang-fips/openssl/pull/198"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-30T17:51:17.811Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-09-30T20:53:42.833Z",
"value": "Made public."
}
],
"title": "Golang-fips: golang fips zeroed buffer",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-457: Use of Uninitialized Variable"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-9355",
"datePublished": "2024-10-01T18:17:29.420Z",
"dateReserved": "2024-09-30T17:07:30.833Z",
"dateUpdated": "2026-04-30T16:33:24.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-9355",
"date": "2026-06-02",
"epss": "0.0007",
"percentile": "0.21678"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\\u00a0 This may have follow-on implications for the Go TLS stack.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una vulnerabilidad en Golang FIPS OpenSSL. Esta falla permite que un usuario malintencionado haga que se devuelva aleatoriamente una variable de longitud de b\\u00fafer no inicializada con un b\\u00fafer puesto a cero en modo FIPS. Tambi\\u00e9n es posible forzar una coincidencia de falso positivo entre hashes no iguales al comparar una suma hmac calculada confiable con una suma de entrada no confiable si un atacante puede enviar un b\\u00fafer puesto a cero en lugar de una suma calculada previamente. Tambi\\u00e9n es posible forzar que una clave derivada sea todo ceros en lugar de un valor impredecible. Esto puede tener implicaciones posteriores para la pila TLS de Go.\"}]",
"id": "CVE-2024-9355",
"lastModified": "2024-11-21T20:15:45.247",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.5}]}",
"published": "2024-10-01T19:15:09.793",
"references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2024:10133\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:7502\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:7550\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8327\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8678\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8847\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:9551\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2024-9355\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2315719\", \"source\": \"secalert@redhat.com\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-457\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-9355\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-10-01T19:15:09.793\",\"lastModified\":\"2025-10-02T17:16:04.647\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en Golang FIPS OpenSSL. Esta falla permite que un usuario malintencionado haga que se devuelva aleatoriamente una variable de longitud de b\u00fafer no inicializada con un b\u00fafer puesto a cero en modo FIPS. Tambi\u00e9n es posible forzar una coincidencia de falso positivo entre hashes no iguales al comparar una suma hmac calculada confiable con una suma de entrada no confiable si un atacante puede enviar un b\u00fafer puesto a cero en lugar de una suma calculada previamente. Tambi\u00e9n es posible forzar que una clave derivada sea todo ceros en lugar de un valor impredecible. 
Esto puede tener implicaciones posteriores para la pila TLS de Go.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.0,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-457\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2024:10133\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:7502\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:7550\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:8327\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:8678\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:8847\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:9551\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:2416\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:7118\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:7256\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:7624\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-9355\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2315719\",\"source\":\"secal
ert@redhat.com\"},{\"url\":\"https://github.com/golang-fips/openssl/pull/198\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9355\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-01T18:35:51.670441Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-01T18:37:43.886Z\"}}], \"cna\": {\"title\": \"Golang-fips: golang fips zeroed buffer\", \"credits\": [{\"lang\": \"en\", \"value\": \"This issue was discovered by David Benoit (Red Hat).\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"packageName\": \"github.com/golang-fips/openssl\", \"collectionURL\": \"https://github.com/golang-fips/openssl\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:rhel_els:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7 Extended Lifecycle Support\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.10-2.el7_9\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhc-worker-script\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:8::appstream\"], \"vendor\": \"Red Hat\", 
\"product\": \"Red Hat Enterprise Linux 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"8100020241001112709.a3795dee\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"go-toolset:rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:8::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:9.2.10-20.el8_10\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"grafana\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:8::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:5.1.1-9.el8_10\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"grafana-pcp\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:1.21.13-4.el9_4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"golang\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:9.2.10-19.el9_4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"grafana\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": 
[\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:132-1.el9\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"osbuild-composer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:3.6.1-1.el9\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"git-lfs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_eus:9.4::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9.4 Extended Update Support\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:5.1.1-4.el9_4\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"grafana-pcp\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_satellite_client:6::el10\", \"cpe:/a:redhat:rhel_satellite_client:6::el8\", \"cpe:/a:redhat:rhel_satellite_client:6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Satellite Client 6 for RHEL 10\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.3.1-1.el10sat\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"foreman_ygg_worker\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_satellite_client:6::el10\", \"cpe:/a:redhat:rhel_satellite_client:6::el8\", \"cpe:/a:redhat:rhel_satellite_client:6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Satellite Client 6 for RHEL 8\", 
\"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.3.1-1.el8sat\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"foreman_ygg_worker\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_satellite_client:6::el10\", \"cpe:/a:redhat:rhel_satellite_client:6::el8\", \"cpe:/a:redhat:rhel_satellite_client:6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Satellite Client 6 for RHEL 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.3.1-1.el9sat\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"foreman_ygg_worker\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:amq_streams:2\"], \"vendor\": \"Red Hat\", \"product\": \"Streams for Apache Kafka 2.9.0\", \"packageName\": \"golang-github-danielqsj-kafka_exporter\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:network_bound_disk_encryption_tang:1\"], \"vendor\": \"Red Hat\", \"product\": \"NBDE Tang Server\", \"packageName\": \"tang-operator-bundle-container\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ocp_tools\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Developer Tools and Services\", \"packageName\": \"helm\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ocp_tools\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Developer Tools and Services\", \"packageName\": \"odo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_pipelines:1\"], 
\"vendor\": \"Red Hat\", \"product\": \"OpenShift Pipelines\", \"packageName\": \"openshift-pipelines-client\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:serverless:1\"], \"vendor\": \"Red Hat\", \"product\": \"OpenShift Serverless\", \"packageName\": \"openshift-serverless-clients\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 1.2\", \"packageName\": \"helm\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 1.2\", \"packageName\": \"openshift-clients\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"automation-gateway-proxy\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2\", \"packageName\": \"receptor\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"buildah\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": 
[\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"butane\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"conmon\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"containers-common\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"delve\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"git-lfs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"golang-github-openprinting-ipp-usb\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"grafana\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], 
\"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"grafana-pcp\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"gvisor-tap-vsock\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"ignition\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"osbuild-composer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"podman\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"rsyslog\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"skopeo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise 
Linux 10\", \"packageName\": \"toolbox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"yggdrasil\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"yggdrasil-worker-package-manager\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7\", \"packageName\": \"host-metering\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 7\", \"packageName\": \"skopeo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/buildah\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/conmon\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", 
\"packageName\": \"container-tools:rhel8/containernetworking-plugins\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/podman\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/runc\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/skopeo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"container-tools:rhel8/toolbox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"git-lfs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"osbuild-composer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red 
Hat Enterprise Linux 8\", \"packageName\": \"rhc\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"rsyslog\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"packageName\": \"weldr-client\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"buildah\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"butane\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"conmon\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"containernetworking-plugins\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"grafana-pcp\", \"collectionURL\": 
\"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"gvisor-tap-vsock\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"ignition\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"opentelemetry-collector\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"podman\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"rsyslog\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"runc\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"skopeo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": 
\"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"toolbox\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"packageName\": \"weldr-client\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"buildah\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"butane\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"conmon\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"conmon-rs\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"containernetworking-plugins\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": 
[\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"cri-o\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"cri-tools\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"golang-github-prometheus-promu\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"ignition\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"lifecycle-agent-operator-bundle-container\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"microshift\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": 
[\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/bare-metal-event-relay-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/numaresources-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-aws-efs-csi-driver-container-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-gcp-filestore-csi-driver-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-secrets-store-csi-driver-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-sriov-network-metrics-exporter-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 
4\", \"packageName\": \"openshift4/ose-sriov-rdma-cni-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/ose-vertical-pod-autoscaler-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/rdma-cni-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/sriov-network-metrics-exporter-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift4/topology-aware-lifecycle-manager-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"openshift-clients\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"ose-aws-ecr-image-credential-provider\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", 
\"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"ose-azure-acr-image-credential-provider\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"ose-gcp-gcr-image-credential-provider\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"podman\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"runc\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Container Platform 4\", \"packageName\": \"skopeo\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_container_storage:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Openshift Container Storage 4\", \"packageName\": \"mcg\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_data_foundation:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Openshift Data Foundation 4\", \"packageName\": \"mcg\", \"collectionURL\": 
\"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_devspaces:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Dev Spaces\", \"packageName\": \"devspaces/machineexec-rhel8\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_gitops:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift GitOps\", \"packageName\": \"openshift-gitops-1/gitops-operator-bundle\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openshift_service_on_aws:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift on AWS\", \"packageName\": \"rosa\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:container_native_virtualization:4\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenShift Virtualization 4\", \"packageName\": \"kubevirt\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:16.2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 16.2\", \"packageName\": \"etcd\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:16.2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 16.2\", \"packageName\": \"golang-github-infrawatch-apputils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:16.2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 16.2\", \"packageName\": \"golang-qpid-apache\", 
\"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:16.2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 16.2\", \"packageName\": \"qpid-proton\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:17.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 17.1\", \"packageName\": \"etcd\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:17.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 17.1\", \"packageName\": \"golang-github-infrawatch-apputils\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:17.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 17.1\", \"packageName\": \"golang-qpid-apache\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:openstack:17.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat OpenStack Platform 17.1\", \"packageName\": \"qpid-proton\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"qpid-proton\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"satellite-capsule:el8/qpid-proton\", \"collectionURL\": 
\"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"satellite:el8/qpid-proton\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"satellite:el8/yggdrasil-worker-forwarder\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"yggdrasil\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6\", \"packageName\": \"yggdrasil-worker-forwarder\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_interconnect:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Service Interconnect 1\", \"packageName\": \"qpid-proton\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_interconnect:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Service Interconnect 1\", \"packageName\": \"skupper-cli\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:service_interconnect:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Service Interconnect 1\", \"packageName\": \"skupper-router\", \"collectionURL\": 
\"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:storage:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Storage 3\", \"packageName\": \"heketi\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:trusted_artifact_signer:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Trusted Artifact Signer\", \"packageName\": \"rhtas/fulcio-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-30T17:51:17.811Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2024-09-30T20:53:42.833Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2024-09-30T20:53:42.833Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2024:10133\", \"name\": \"RHSA-2024:10133\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:7502\", \"name\": \"RHSA-2024:7502\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:7550\", \"name\": \"RHSA-2024:7550\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8327\", \"name\": \"RHSA-2024:8327\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8678\", \"name\": \"RHSA-2024:8678\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:8847\", \"name\": \"RHSA-2024:8847\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:9551\", \"name\": \"RHSA-2024:9551\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": 
\"https://access.redhat.com/errata/RHSA-2025:2416\", \"name\": \"RHSA-2025:2416\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:7118\", \"name\": \"RHSA-2025:7118\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:7256\", \"name\": \"RHSA-2025:7256\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:7624\", \"name\": \"RHSA-2025:7624\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2024-9355\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2315719\", \"name\": \"RHBZ#2315719\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/golang-fips/openssl/pull/198\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. 
It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\\u00a0 This may have follow-on implications for the Go TLS stack.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-457\", \"description\": \"Use of Uninitialized Variable\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-04-30T16:33:24.121Z\"}, \"x_redhatCweChain\": \"CWE-457: Use of Uninitialized Variable\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-9355\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-30T16:33:24.121Z\", \"dateReserved\": \"2024-09-30T17:07:30.833Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2024-10-01T18:17:29.420Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2024:9551
Vulnerability from csaf_redhat - Published: 2024-11-13 14:54 - Updated: 2026-04-30 16:33
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64 | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64 | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64 | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64 | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64 | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x | — | | Vendor Fix; fix; Workaround |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64 | — | | Vendor Fix; fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:9551",
"url": "https://access.redhat.com/errata/RHSA-2024:9551"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9551.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2026-04-30T16:33:31+00:00",
"generator": {
"date": "2026-04-30T16:33:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2024:9551",
"initial_release_date": "2024-11-13T14:54:47+00:00",
"revision_history": [
{
"date": "2024-11-13T14:54:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-13T14:54:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T16:33:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/pull/198",
"url": "https://github.com/golang-fips/openssl/pull/198"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T14:54:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9551"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
}
]
}
RHSA-2024_10133
Vulnerability from csaf_redhat - Published: 2024-11-21 01:11 - Updated: 2024-12-18 04:15
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rhc-worker-script is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Remote Host Configuration (rhc) worker for executing scripts on hosts managed by Red Hat Insights.\n\nSecurity Fix(es):\n\n* net/http: Denial of service due to improper 100-continue handling in net/http (CVE-2024-24791)\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10133",
"url": "https://access.redhat.com/errata/RHSA-2024:10133"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10133.json"
}
],
"title": "Red Hat Security Advisory: rhc-worker-script security update",
"tracking": {
"current_release_date": "2024-12-18T04:15:27+00:00",
"generator": {
"date": "2024-12-18T04:15:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:10133",
"initial_release_date": "2024-11-21T01:11:03+00:00",
"revision_history": [
{
"date": "2024-11-21T01:11:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-21T01:11:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:15:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7 ELS)",
"product_id": "7Server-ELS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhel_els:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-script-0:0.10-2.el7_9.src",
"product": {
"name": "rhc-worker-script-0:0.10-2.el7_9.src",
"product_id": "rhc-worker-script-0:0.10-2.el7_9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-script@0.10-2.el7_9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rhc-worker-script-0:0.10-2.el7_9.x86_64",
"product": {
"name": "rhc-worker-script-0:0.10-2.el7_9.x86_64",
"product_id": "rhc-worker-script-0:0.10-2.el7_9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhc-worker-script@0.10-2.el7_9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-script-0:0.10-2.el7_9.src as a component of Red Hat Enterprise Linux Server (v. 7 ELS)",
"product_id": "7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src"
},
"product_reference": "rhc-worker-script-0:0.10-2.el7_9.src",
"relates_to_product_reference": "7Server-ELS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhc-worker-script-0:0.10-2.el7_9.x86_64 as a component of Red Hat Enterprise Linux Server (v. 7 ELS)",
"product_id": "7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
},
"product_reference": "rhc-worker-script-0:0.10-2.el7_9.x86_64",
"relates_to_product_reference": "7Server-ELS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-21T01:11:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10133"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-24791",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-07-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295310"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Denial of service due to improper 100-continue handling in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24791"
},
{
"category": "external",
"summary": "RHBZ#2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
},
{
"category": "external",
"summary": "https://go.dev/cl/591255",
"url": "https://go.dev/cl/591255"
},
{
"category": "external",
"summary": "https://go.dev/issue/67555",
"url": "https://go.dev/issue/67555"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
"url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
}
],
"release_date": "2024-07-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-21T01:11:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10133"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.src",
"7Server-ELS:rhc-worker-script-0:0.10-2.el7_9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Denial of service due to improper 100-continue handling in net/http"
}
]
}
RHSA-2024_7502
Vulnerability from csaf_redhat - Published: 2024-10-02 11:50 - Updated: 2024-12-18 04:15

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64 | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch | — | | Vendor Fix (fix), Workaround |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch | — | | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7502",
"url": "https://access.redhat.com/errata/RHSA-2024:7502"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7502.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2024-12-18T04:15:04+00:00",
"generator": {
"date": "2024-12-18T04:15:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:7502",
"initial_release_date": "2024-10-02T11:50:23+00:00",
"revision_history": [
{
"date": "2024-10-02T11:50:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-02T11:50:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:15:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset:rhel8:8100020241001112709:a3795dee",
"product": {
"name": "go-toolset:rhel8:8100020241001112709:a3795dee",
"product_id": "go-toolset:rhel8:8100020241001112709:a3795dee",
"product_identification_helper": {
"purl": "pkg:rpmmod/redhat/go-toolset@rhel8:8100020241001112709:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product": {
"name": "golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_id": "golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product": {
"name": "golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_id": "golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product": {
"name": "golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_id": "golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product": {
"name": "golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_id": "golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"product": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"product_id": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=src"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"product": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"product_id": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-1.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=src"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"product": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"product_id": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_id": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_id": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_id": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_id": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-1.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product_id": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product_id": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_id": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_id": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_id": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_id": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-1.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product_id": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product_id": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_id": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_id": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_id": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.21.2-4.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_id": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-1.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product_id": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product_id": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"product": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"product_id": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-1.module%2Bel8.10.0%2B22329%2B6cd5c9c6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product_id": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product_id": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-3.module%2Bel8.10.0%2B22345%2Bacdd8d0e?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
"product_reference": "go-toolset:rhel8:8100020241001112709:a3795dee",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64"
},
"product_reference": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le"
},
"product_reference": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src"
},
"product_reference": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64"
},
"product_reference": "delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64"
},
"product_reference": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le"
},
"product_reference": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64"
},
"product_reference": "delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64"
},
"product_reference": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le"
},
"product_reference": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64"
},
"product_reference": "delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64"
},
"product_reference": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le"
},
"product_reference": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x"
},
"product_reference": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src"
},
"product_reference": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64"
},
"product_reference": "go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64"
},
"product_reference": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le"
},
"product_reference": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x"
},
"product_reference": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src"
},
"product_reference": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64"
},
"product_reference": "golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64"
},
"product_reference": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le"
},
"product_reference": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x"
},
"product_reference": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64 as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64"
},
"product_reference": "golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
},
"product_reference": "golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
},
"product_reference": "golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
},
"product_reference": "golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch as a component of go-toolset:rhel8:8100020241001112709:a3795dee as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
},
"product_reference": "golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T11:50:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7502"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debuginfo-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:delve-debugsource-0:1.21.2-4.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:go-toolset-0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.src",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-bin-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-docs-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-misc-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-src-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020241001112709:a3795dee:golang-tests-0:1.21.13-3.module+el8.10.0+22345+acdd8d0e.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
}
]
}
RHSA-2024_7550
Vulnerability from csaf_redhat - Published: 2024-10-02 18:24 - Updated: 2024-12-18 04:15

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7550",
"url": "https://access.redhat.com/errata/RHSA-2024:7550"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7550.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2024-12-18T04:15:16+00:00",
"generator": {
"date": "2024-12-18T04:15:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:7550",
"initial_release_date": "2024-10-02T18:24:59+00:00",
"revision_history": [
{
"date": "2024-10-02T18:24:59+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-02T18:24:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:15:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-4.el9_4.aarch64",
"product": {
"name": "go-toolset-0:1.21.13-4.el9_4.aarch64",
"product_id": "go-toolset-0:1.21.13-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-4.el9_4.aarch64",
"product": {
"name": "golang-0:1.21.13-4.el9_4.aarch64",
"product_id": "golang-0:1.21.13-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-4.el9_4.aarch64",
"product": {
"name": "golang-bin-0:1.21.13-4.el9_4.aarch64",
"product_id": "golang-bin-0:1.21.13-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-4.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-4.el9_4.ppc64le",
"product": {
"name": "go-toolset-0:1.21.13-4.el9_4.ppc64le",
"product_id": "go-toolset-0:1.21.13-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-4.el9_4.ppc64le",
"product": {
"name": "golang-0:1.21.13-4.el9_4.ppc64le",
"product_id": "golang-0:1.21.13-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-4.el9_4.ppc64le",
"product": {
"name": "golang-bin-0:1.21.13-4.el9_4.ppc64le",
"product_id": "golang-bin-0:1.21.13-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-4.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-4.el9_4.x86_64",
"product": {
"name": "go-toolset-0:1.21.13-4.el9_4.x86_64",
"product_id": "go-toolset-0:1.21.13-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-4.el9_4.x86_64",
"product": {
"name": "golang-0:1.21.13-4.el9_4.x86_64",
"product_id": "golang-0:1.21.13-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-4.el9_4.x86_64",
"product": {
"name": "golang-bin-0:1.21.13-4.el9_4.x86_64",
"product_id": "golang-bin-0:1.21.13-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-4.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-4.el9_4.s390x",
"product": {
"name": "go-toolset-0:1.21.13-4.el9_4.s390x",
"product_id": "go-toolset-0:1.21.13-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-4.el9_4.s390x",
"product": {
"name": "golang-0:1.21.13-4.el9_4.s390x",
"product_id": "golang-0:1.21.13-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-4.el9_4.s390x",
"product": {
"name": "golang-bin-0:1.21.13-4.el9_4.s390x",
"product_id": "golang-bin-0:1.21.13-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-4.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.21.13-4.el9_4.src",
"product": {
"name": "golang-0:1.21.13-4.el9_4.src",
"product_id": "golang-0:1.21.13-4.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-4.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.21.13-4.el9_4.noarch",
"product": {
"name": "golang-docs-0:1.21.13-4.el9_4.noarch",
"product_id": "golang-docs-0:1.21.13-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.21.13-4.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.21.13-4.el9_4.noarch",
"product": {
"name": "golang-misc-0:1.21.13-4.el9_4.noarch",
"product_id": "golang-misc-0:1.21.13-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.21.13-4.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.21.13-4.el9_4.noarch",
"product": {
"name": "golang-src-0:1.21.13-4.el9_4.noarch",
"product_id": "golang-src-0:1.21.13-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.21.13-4.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.21.13-4.el9_4.noarch",
"product": {
"name": "golang-tests-0:1.21.13-4.el9_4.noarch",
"product_id": "golang-tests-0:1.21.13-4.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.21.13-4.el9_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64"
},
"product_reference": "go-toolset-0:1.21.13-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le"
},
"product_reference": "go-toolset-0:1.21.13-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x"
},
"product_reference": "go-toolset-0:1.21.13-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64"
},
"product_reference": "go-toolset-0:1.21.13-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64"
},
"product_reference": "golang-0:1.21.13-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le"
},
"product_reference": "golang-0:1.21.13-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x"
},
"product_reference": "golang-0:1.21.13-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-4.el9_4.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src"
},
"product_reference": "golang-0:1.21.13-4.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64"
},
"product_reference": "golang-0:1.21.13-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64"
},
"product_reference": "golang-bin-0:1.21.13-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le"
},
"product_reference": "golang-bin-0:1.21.13-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x"
},
"product_reference": "golang-bin-0:1.21.13-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64"
},
"product_reference": "golang-bin-0:1.21.13-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.21.13-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch"
},
"product_reference": "golang-docs-0:1.21.13-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.21.13-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch"
},
"product_reference": "golang-misc-0:1.21.13-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.21.13-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch"
},
"product_reference": "golang-src-0:1.21.13-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.21.13-4.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch"
},
"product_reference": "golang-tests-0:1.21.13-4.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-02T18:24:59+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7550"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:go-toolset-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:golang-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:golang-bin-0:1.21.13-4.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:golang-docs-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-misc-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-src-0:1.21.13-4.el9_4.noarch",
"AppStream-9.4.0.Z.MAIN.EUS:golang-tests-0:1.21.13-4.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
}
]
}
RHSA-2024_8327
Vulnerability from csaf_redhat - Published: 2024-10-22 15:15 - Updated: 2024-12-18 04:16

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64 | — | Vendor Fix fix Workaround | |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\n* dompurify: nesting-based mutation XSS vulnerability (CVE-2024-47875)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:8327",
"url": "https://access.redhat.com/errata/RHSA-2024:8327"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "2318052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8327.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2024-12-18T04:16:27+00:00",
"generator": {
"date": "2024-12-18T04:16:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:8327",
"initial_release_date": "2024-10-22T15:15:27+00:00",
"revision_history": [
{
"date": "2024-10-22T15:15:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-22T15:15:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:16:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-20.el8_10.src",
"product": {
"name": "grafana-0:9.2.10-20.el8_10.src",
"product_id": "grafana-0:9.2.10-20.el8_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-20.el8_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-20.el8_10.aarch64",
"product": {
"name": "grafana-0:9.2.10-20.el8_10.aarch64",
"product_id": "grafana-0:9.2.10-20.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-20.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"product": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"product_id": "grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-20.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"product": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"product_id": "grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-20.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"product_id": "grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-20.el8_10?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-20.el8_10.ppc64le",
"product": {
"name": "grafana-0:9.2.10-20.el8_10.ppc64le",
"product_id": "grafana-0:9.2.10-20.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-20.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"product": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"product_id": "grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-20.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"product_id": "grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-20.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"product_id": "grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-20.el8_10?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-20.el8_10.x86_64",
"product": {
"name": "grafana-0:9.2.10-20.el8_10.x86_64",
"product_id": "grafana-0:9.2.10-20.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-20.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-20.el8_10.x86_64",
"product": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.x86_64",
"product_id": "grafana-selinux-0:9.2.10-20.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-20.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"product": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"product_id": "grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-20.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"product_id": "grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-20.el8_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-20.el8_10.s390x",
"product": {
"name": "grafana-0:9.2.10-20.el8_10.s390x",
"product_id": "grafana-0:9.2.10-20.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-20.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-20.el8_10.s390x",
"product": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.s390x",
"product_id": "grafana-selinux-0:9.2.10-20.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-20.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"product": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"product_id": "grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-20.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"product": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"product_id": "grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-20.el8_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-20.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64"
},
"product_reference": "grafana-0:9.2.10-20.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-20.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le"
},
"product_reference": "grafana-0:9.2.10-20.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-20.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x"
},
"product_reference": "grafana-0:9.2.10-20.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-20.el8_10.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src"
},
"product_reference": "grafana-0:9.2.10-20.el8_10.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-20.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64"
},
"product_reference": "grafana-0:9.2.10-20.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x"
},
"product_reference": "grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-20.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64"
},
"product_reference": "grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x"
},
"product_reference": "grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-20.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64"
},
"product_reference": "grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64"
},
"product_reference": "grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le"
},
"product_reference": "grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x"
},
"product_reference": "grafana-selinux-0:9.2.10-20.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-20.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
},
"product_reference": "grafana-selinux-0:9.2.10-20.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-22T15:15:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:8327"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-47875",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2024-10-11T15:20:07.304345+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318052"
}
],
"notes": [
{
"category": "description",
"text": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dompurify: nesting-based mutation XSS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47875"
},
{
"category": "external",
"summary": "RHBZ#2318052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098",
"url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f",
"url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a",
"url": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf",
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf"
}
],
"release_date": "2024-10-11T15:15:05.860000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-22T15:15:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:8327"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-20.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-20.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dompurify: nesting-based mutation XSS vulnerability"
}
]
}
RHSA-2024_8678
Vulnerability from csaf_redhat - Published: 2024-10-30 19:42 - Updated: 2024-12-18 04:17
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64 | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x | — | | Vendor Fix, Workaround |
| Unresolved product id: AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64 | — | | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\n* dompurify: nesting-based mutation XSS vulnerability (CVE-2024-47875)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:8678",
"url": "https://access.redhat.com/errata/RHSA-2024:8678"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "2318052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8678.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2024-12-18T04:17:58+00:00",
"generator": {
"date": "2024-12-18T04:17:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:8678",
"initial_release_date": "2024-10-30T19:42:46+00:00",
"revision_history": [
{
"date": "2024-10-30T19:42:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-30T19:42:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:17:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-19.el9_4.src",
"product": {
"name": "grafana-0:9.2.10-19.el9_4.src",
"product_id": "grafana-0:9.2.10-19.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-19.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-19.el9_4.aarch64",
"product": {
"name": "grafana-0:9.2.10-19.el9_4.aarch64",
"product_id": "grafana-0:9.2.10-19.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-19.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"product": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"product_id": "grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-19.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"product": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"product_id": "grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-19.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"product_id": "grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-19.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-19.el9_4.ppc64le",
"product": {
"name": "grafana-0:9.2.10-19.el9_4.ppc64le",
"product_id": "grafana-0:9.2.10-19.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-19.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"product": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"product_id": "grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-19.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"product_id": "grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-19.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"product_id": "grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-19.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-19.el9_4.x86_64",
"product": {
"name": "grafana-0:9.2.10-19.el9_4.x86_64",
"product_id": "grafana-0:9.2.10-19.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-19.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-19.el9_4.x86_64",
"product": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.x86_64",
"product_id": "grafana-selinux-0:9.2.10-19.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-19.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"product": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"product_id": "grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-19.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"product_id": "grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-19.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-19.el9_4.s390x",
"product": {
"name": "grafana-0:9.2.10-19.el9_4.s390x",
"product_id": "grafana-0:9.2.10-19.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-19.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-selinux-0:9.2.10-19.el9_4.s390x",
"product": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.s390x",
"product_id": "grafana-selinux-0:9.2.10-19.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-selinux@9.2.10-19.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"product": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"product_id": "grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-19.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"product": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"product_id": "grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-19.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-19.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64"
},
"product_reference": "grafana-0:9.2.10-19.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-19.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le"
},
"product_reference": "grafana-0:9.2.10-19.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-19.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x"
},
"product_reference": "grafana-0:9.2.10-19.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-19.el9_4.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src"
},
"product_reference": "grafana-0:9.2.10-19.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-19.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64"
},
"product_reference": "grafana-0:9.2.10-19.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x"
},
"product_reference": "grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-19.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64"
},
"product_reference": "grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x"
},
"product_reference": "grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-19.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64"
},
"product_reference": "grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64"
},
"product_reference": "grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le"
},
"product_reference": "grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x"
},
"product_reference": "grafana-selinux-0:9.2.10-19.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-selinux-0:9.2.10-19.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
},
"product_reference": "grafana-selinux-0:9.2.10-19.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-30T19:42:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:8678"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-47875",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2024-10-11T15:20:07.304345+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318052"
}
],
"notes": [
{
"category": "description",
"text": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dompurify: nesting-based mutation XSS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47875"
},
{
"category": "external",
"summary": "RHBZ#2318052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098",
"url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f",
"url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a",
"url": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a"
},
{
"category": "external",
"summary": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf",
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf"
}
],
"release_date": "2024-10-11T15:15:05.860000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-30T19:42:46+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:8678"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.src",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debuginfo-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-debugsource-0:9.2.10-19.el9_4.x86_64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.aarch64",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.ppc64le",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.s390x",
"AppStream-9.4.0.Z.MAIN.EUS:grafana-selinux-0:9.2.10-19.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dompurify: nesting-based mutation XSS vulnerability"
}
]
}
RHSA-2024_8847
Vulnerability from csaf_redhat - Published: 2024-11-05 03:58 - Updated: 2024-12-18 04:18
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64 | — | Vendor Fix fix Workaround | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:8847",
"url": "https://access.redhat.com/errata/RHSA-2024:8847"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8847.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2024-12-18T04:18:23+00:00",
"generator": {
"date": "2024-12-18T04:18:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:8847",
"initial_release_date": "2024-11-05T03:58:20+00:00",
"revision_history": [
{
"date": "2024-11-05T03:58:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-05T03:58:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:18:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-9.el8_10.src",
"product": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.src",
"product_id": "grafana-pcp-0:5.1.1-9.el8_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-9.el8_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"product_id": "grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-9.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-9.el8_10?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-9.el8_10?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-9.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-9.el8_10?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-9.el8_10?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"product_id": "grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-9.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-9.el8_10?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-9.el8_10?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-9.el8_10.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.s390x",
"product_id": "grafana-pcp-0:5.1.1-9.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-9.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-9.el8_10?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-9.el8_10?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-9.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src"
},
"product_reference": "grafana-pcp-0:5.1.1-9.el8_10.src",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-9.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-05T03:58:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:8847"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.src",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debuginfo-0:5.1.1-9.el8_10.x86_64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.aarch64",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.ppc64le",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.s390x",
"AppStream-8.10.0.Z.MAIN.EUS:grafana-pcp-debugsource-0:5.1.1-9.el8_10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
}
]
}
RHSA-2024_9551
Vulnerability from csaf_redhat - Published: 2024-11-13 14:54 - Updated: 2024-12-18 04:18
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64 | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x | — | Vendor Fix fix Workaround | |
| Unresolved product id: AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64 | — | Vendor Fix fix Workaround | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.\n\nSecurity Fix(es):\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:9551",
"url": "https://access.redhat.com/errata/RHSA-2024:9551"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9551.json"
}
],
"title": "Red Hat Security Advisory: grafana-pcp security update",
"tracking": {
"current_release_date": "2024-12-18T04:18:55+00:00",
"generator": {
"date": "2024-12-18T04:18:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2024:9551",
"initial_release_date": "2024-11-13T14:54:47+00:00",
"revision_history": [
{
"date": "2024-11-13T14:54:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-13T14:54:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T04:18:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp@5.1.1-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debugsource@5.1.1-4.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product_id": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-pcp-debuginfo@5.1.1-4.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
},
"product_reference": "grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T14:54:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9551"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.src",
"AppStream-9.4.0.Z.EUS:grafana-pcp-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debuginfo-0:5.1.1-4.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:grafana-pcp-debugsource-0:5.1.1-4.el9_4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
}
]
}
RHSA-2025:2416
Vulnerability from csaf_redhat - Published: 2025-03-05 20:59 - Updated: 2026-06-02 15:10
A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix |
A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix, Workaround |
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix, Workaround |
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix, Workaround |
A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix |
A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix |
A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Streams for Apache Kafka 2.9.0 (Red Hat / Streams for Apache Kafka) | cpe:/a:redhat:amq_streams:2 | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] \"(CVE-2023-52428)\"\n\n* Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] \"(CVE-2024-47535)\"\n\n* Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] \"(CVE-2024-31141)\"\n\n* Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] \"(CVE-2024-47554)\"\n\n* Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] \"(CVE-2024-8184)\"\n\n* Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \"(CVE-2024-8184)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] \"(CVE-2024-9355)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] \"(CVE-2024-24791)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:2416",
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "2309764",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "2316271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
},
{
"category": "external",
"summary": "2318564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
},
{
"category": "external",
"summary": "2325538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
},
{
"category": "external",
"summary": "2327264",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2416.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update",
"tracking": {
"current_release_date": "2026-06-02T15:10:20+00:00",
"generator": {
"date": "2026-06-02T15:10:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:2416",
"initial_release_date": "2025-03-05T20:59:06+00:00",
"revision_history": [
{
"date": "2025-03-05T20:59:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-05T20:59:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T15:10:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 2.9.0",
"product": {
"name": "Streams for Apache Kafka 2.9.0",
"product_id": "Streams for Apache Kafka 2.9.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:2"
}
}
}
],
"category": "product_family",
"name": "Streams for Apache Kafka"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-52428",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-09-04T17:02:58.468000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2309764"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-52428"
},
{
"category": "external",
"summary": "RHBZ#2309764",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
}
],
"release_date": "2024-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
},
{
"cve": "CVE-2024-8184",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-14T16:01:01.239238+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318564"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-8184"
},
{
"category": "external",
"summary": "RHBZ#2318564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/pull/11723",
"url": "https://github.com/jetty/jetty.project/pull/11723"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
}
],
"release_date": "2024-10-14T15:09:37.861000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
},
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/pull/198",
"url": "https://github.com/golang-fips/openssl/pull/198"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-24791",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-07-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2295310"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "net/http: Denial of service due to improper 100-continue handling in net/http",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker\u0027s control. This reduces the severity score of this flaw to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-24791"
},
{
"category": "external",
"summary": "RHBZ#2295310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295310"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-24791",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24791"
},
{
"category": "external",
"summary": "https://go.dev/cl/591255",
"url": "https://go.dev/cl/591255"
},
{
"category": "external",
"summary": "https://go.dev/issue/67555",
"url": "https://go.dev/issue/67555"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ",
"url": "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"
}
],
"release_date": "2024-07-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "net/http: Denial of service due to improper 100-continue handling in net/http"
},
{
"cve": "CVE-2024-31141",
"cwe": {
"id": "CWE-73",
"name": "External Control of File Name or Path"
},
"discovery_date": "2024-11-19T09:00:35.857468+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2327264"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-31141"
},
{
"category": "external",
"summary": "RHBZ#2327264",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2327264"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-31141",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31141"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31141"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv",
"url": "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv"
}
],
"release_date": "2024-11-19T08:40:50.695000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider"
},
{
"cve": "CVE-2024-47535",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-11-12T16:01:18.772613+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2325538"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Denial of Service attack on windows app using Netty",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47535"
},
{
"category": "external",
"summary": "RHBZ#2325538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2325538"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3",
"url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv"
}
],
"release_date": "2024-11-12T15:50:08.334000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Denial of Service attack on windows app using Netty"
},
{
"cve": "CVE-2024-47554",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-03T12:00:40.921058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2316271"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47554"
},
{
"category": "external",
"summary": "RHBZ#2316271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
"url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
}
],
"release_date": "2024-10-03T11:32:48.936000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-03-05T20:59:06+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:2416"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
}
]
}
RHSA-2025:7118
Vulnerability from csaf_redhat - Published: 2025-05-13 08:41 - Updated: 2026-06-02 15:10

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.src | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch | — | Workaround | |

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.src | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch | — | Workaround | |

A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64 | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x | — | Vendor Fix / fix / Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64 | — | Vendor Fix / fix / Workaround | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-0:141-1.el9.src | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch | — | Workaround | |
| Unresolved product id: AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch | — | Workaround | |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for osbuild and osbuild-composer is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.\n\nSecurity Fix(es):\n\n* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)\n\n* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)\n\n* golang-fips: Golang FIPS zeroed buffer (CVE-2024-9355)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:7118",
"url": "https://access.redhat.com/errata/RHSA-2025:7118"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.6_release_notes/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/9.6_release_notes/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2262921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262921"
},
{
"category": "external",
"summary": "2310529",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310529"
},
{
"category": "external",
"summary": "2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "RHEL-16396",
"url": "https://issues.redhat.com/browse/RHEL-16396"
},
{
"category": "external",
"summary": "RHEL-4570",
"url": "https://issues.redhat.com/browse/RHEL-4570"
},
{
"category": "external",
"summary": "RHEL-4617",
"url": "https://issues.redhat.com/browse/RHEL-4617"
},
{
"category": "external",
"summary": "RHEL-4636",
"url": "https://issues.redhat.com/browse/RHEL-4636"
},
{
"category": "external",
"summary": "RHEL-56049",
"url": "https://issues.redhat.com/browse/RHEL-56049"
},
{
"category": "external",
"summary": "RHEL-78659",
"url": "https://issues.redhat.com/browse/RHEL-78659"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_7118.json"
}
],
"title": "Red Hat Security Advisory: osbuild and osbuild-composer security update",
"tracking": {
"current_release_date": "2026-06-02T15:10:59+00:00",
"generator": {
"date": "2026-06-02T15:10:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:7118",
"initial_release_date": "2025-05-13T08:41:23+00:00",
"revision_history": [
{
"date": "2025-05-13T08:41:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-05-13T08:41:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-02T15:10:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132-1.el9.src",
"product": {
"name": "osbuild-composer-0:132-1.el9.src",
"product_id": "osbuild-composer-0:132-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132-1.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "osbuild-0:141-1.el9.src",
"product": {
"name": "osbuild-0:141-1.el9.src",
"product_id": "osbuild-0:141-1.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@141-1.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-core-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-core-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-worker-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-worker-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-debugsource-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-debugsource-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132-1.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"product_id": "osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132-1.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-core-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-core-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-worker-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-worker-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132-1.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"product_id": "osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132-1.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-core-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-core-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-worker-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-worker-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-debugsource-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-debugsource-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132-1.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"product_id": "osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132-1.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-composer-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-0:132-1.el9.s390x",
"product_id": "osbuild-composer-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-core-0:132-1.el9.s390x",
"product_id": "osbuild-composer-core-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-worker-0:132-1.el9.s390x",
"product_id": "osbuild-composer-worker-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debugsource-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-debugsource-0:132-1.el9.s390x",
"product_id": "osbuild-composer-debugsource-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debugsource@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"product_id": "osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-core-debuginfo@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-debuginfo-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.s390x",
"product_id": "osbuild-composer-debuginfo-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-debuginfo@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"product_id": "osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-tests-debuginfo@132-1.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"product": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"product_id": "osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-composer-worker-debuginfo@132-1.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "osbuild-0:141-1.el9.noarch",
"product": {
"name": "osbuild-0:141-1.el9.noarch",
"product_id": "osbuild-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-depsolve-dnf-0:141-1.el9.noarch",
"product": {
"name": "osbuild-depsolve-dnf-0:141-1.el9.noarch",
"product_id": "osbuild-depsolve-dnf-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-depsolve-dnf@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-luks2-0:141-1.el9.noarch",
"product": {
"name": "osbuild-luks2-0:141-1.el9.noarch",
"product_id": "osbuild-luks2-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-luks2@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-lvm2-0:141-1.el9.noarch",
"product": {
"name": "osbuild-lvm2-0:141-1.el9.noarch",
"product_id": "osbuild-lvm2-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-lvm2@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-ostree-0:141-1.el9.noarch",
"product": {
"name": "osbuild-ostree-0:141-1.el9.noarch",
"product_id": "osbuild-ostree-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-ostree@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "osbuild-selinux-0:141-1.el9.noarch",
"product": {
"name": "osbuild-selinux-0:141-1.el9.noarch",
"product_id": "osbuild-selinux-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/osbuild-selinux@141-1.el9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-osbuild-0:141-1.el9.noarch",
"product": {
"name": "python3-osbuild-0:141-1.el9.noarch",
"product_id": "python3-osbuild-0:141-1.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-osbuild@141-1.el9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch"
},
"product_reference": "osbuild-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-0:141-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-0:141-1.el9.src"
},
"product_reference": "osbuild-0:141-1.el9.src",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src"
},
"product_reference": "osbuild-composer-0:132-1.el9.src",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-core-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-core-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-core-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-core-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-core-debuginfo-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-debuginfo-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debuginfo-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-debugsource-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-debugsource-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-debugsource-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-debugsource-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-worker-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-worker-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-worker-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-worker-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
},
"product_reference": "osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-depsolve-dnf-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch"
},
"product_reference": "osbuild-depsolve-dnf-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-luks2-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch"
},
"product_reference": "osbuild-luks2-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-lvm2-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch"
},
"product_reference": "osbuild-lvm2-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-ostree-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch"
},
"product_reference": "osbuild-ostree-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "osbuild-selinux-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch"
},
"product_reference": "osbuild-selinux-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-osbuild-0:141-1.el9.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
},
"product_reference": "python3-osbuild-0:141-1.el9.noarch",
"relates_to_product_reference": "AppStream-9.6.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"@r3kumar",
"@qmuntal"
]
}
],
"cve": "CVE-2024-1394",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2024-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2262921"
}
],
"notes": [
{
"category": "description",
"text": "A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the \"return nil, nil, fail(...)\" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-1394"
},
{
"category": "external",
"summary": "RHBZ#2262921",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262921"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-1394",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1394"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-1394",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1394"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136",
"url": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6",
"url": "https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6"
},
{
"category": "external",
"summary": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f",
"url": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-2660",
"url": "https://pkg.go.dev/vuln/GO-2024-2660"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2024-2660.json",
"url": "https://vuln.go.dev/ID/GO-2024-2660.json"
}
],
"release_date": "2024-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7118"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads"
},
{
"acknowledgments": [
{
"names": [
"David Benoit"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2024-9355",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"discovery_date": "2024-09-30T17:51:17.811000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315719"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang-fips: Golang FIPS zeroed buffer",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9355"
},
{
"category": "external",
"summary": "RHBZ#2315719",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9355",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9355"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9355"
},
{
"category": "external",
"summary": "https://github.com/golang-fips/openssl/pull/198",
"url": "https://github.com/golang-fips/openssl/pull/198"
}
],
"release_date": "2024-09-30T20:53:42.833000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7118"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang-fips: Golang FIPS zeroed buffer"
},
{
"cve": "CVE-2024-34158",
"cwe": {
"id": "CWE-1325",
"name": "Improperly Controlled Sequential Memory Allocation"
},
"discovery_date": "2024-09-06T21:20:12.126400+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2310529"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"known_not_affected": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-34158"
},
{
"category": "external",
"summary": "RHBZ#2310529",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310529"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-34158",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-34158",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34158"
},
{
"category": "external",
"summary": "https://go.dev/cl/611240",
"url": "https://go.dev/cl/611240"
},
{
"category": "external",
"summary": "https://go.dev/issue/69141",
"url": "https://go.dev/issue/69141"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk",
"url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2024-3107",
"url": "https://pkg.go.dev/vuln/GO-2024-3107"
}
],
"release_date": "2024-09-06T21:15:12.083000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-13T08:41:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:7118"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-0:141-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.src",
"AppStream-9.6.0.GA:osbuild-composer-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-core-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-debugsource-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-tests-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.aarch64",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.ppc64le",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.s390x",
"AppStream-9.6.0.GA:osbuild-composer-worker-debuginfo-0:132-1.el9.x86_64",
"AppStream-9.6.0.GA:osbuild-depsolve-dnf-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-luks2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-lvm2-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-ostree-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:osbuild-selinux-0:141-1.el9.noarch",
"AppStream-9.6.0.GA:python3-osbuild-0:141-1.el9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "go/build/constraint: golang: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.