===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.1695                               
      Migration Toolkit for Applications security and bug fix update       
                               21 March 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Migration Toolkit for Applications                      
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2022-1962                                           

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1433

Comment: CVSS (Max):  5.5 CVE-2022-1962 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Applications
                   security and bug fix update
Advisory ID:       RHSA-2024:1433
Product:           MTA 7.0 for RHEL 9
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1433
Issue date:        2024-03-20
CVE Names:         CVE-2022-1962
=====================================================================

1. Summary:

Migration Toolkit for Applications 7.0.2 release

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

MTA 7.0 for RHEL 9 - amd64, arm64 
MTA 7.0 for RHEL 8 - amd64, arm64 

3. Description:

Migration Toolkit for Applications 7.0.2 Images

Security Fix(es) from Bugzilla:

* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

4. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107376 - CVE-2022-1962 - golang: go/parser: stack exhaustion in all Parse*
functions

6. Package List:

7. References:

https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/updates/classification/#moderate

--------------------------END INCLUDED TEXT----------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================