Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0694
xterm security update
25 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xterm
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-27135
Reference: ESB-2021.0664
ESB-2021.0615
ESB-2021.0549
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0650
https://access.redhat.com/errata/RHSA-2021:0651
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: xterm security update
Advisory ID: RHSA-2021:0650-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0650
Issue date: 2021-02-24
CVE Names: CVE-2021-27135
=====================================================================
1. Summary:
An update for xterm is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64
3. Description:
The xterm program is a terminal emulator for the X Window System. It
provides DEC VT102 and Tektronix 4014 compatible terminals for programs
that can't use the window system directly.
Security Fix(es):
* xterm: crash when processing combining characters (CVE-2021-27135)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1927559 - CVE-2021-27135 xterm: crash when processing combining characters
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
xterm-331-1.el8_1.1.src.rpm
aarch64:
xterm-331-1.el8_1.1.aarch64.rpm
xterm-debuginfo-331-1.el8_1.1.aarch64.rpm
xterm-debugsource-331-1.el8_1.1.aarch64.rpm
xterm-resize-331-1.el8_1.1.aarch64.rpm
xterm-resize-debuginfo-331-1.el8_1.1.aarch64.rpm
ppc64le:
xterm-331-1.el8_1.1.ppc64le.rpm
xterm-debuginfo-331-1.el8_1.1.ppc64le.rpm
xterm-debugsource-331-1.el8_1.1.ppc64le.rpm
xterm-resize-331-1.el8_1.1.ppc64le.rpm
xterm-resize-debuginfo-331-1.el8_1.1.ppc64le.rpm
s390x:
xterm-331-1.el8_1.1.s390x.rpm
xterm-debuginfo-331-1.el8_1.1.s390x.rpm
xterm-debugsource-331-1.el8_1.1.s390x.rpm
xterm-resize-331-1.el8_1.1.s390x.rpm
xterm-resize-debuginfo-331-1.el8_1.1.s390x.rpm
x86_64:
xterm-331-1.el8_1.1.x86_64.rpm
xterm-debuginfo-331-1.el8_1.1.x86_64.rpm
xterm-debugsource-331-1.el8_1.1.x86_64.rpm
xterm-resize-331-1.el8_1.1.x86_64.rpm
xterm-resize-debuginfo-331-1.el8_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-27135
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYDYEStzjgjWX9erEAQh+LA/9EBOOJP4SWvgHxheOcH8YCbDy71RDV/WF
Vh8KEi+OsdYNOaYzkM4/0Lc621sCPMMoE/o3NyiKa21qqmCgA0pueYbkNZzEPgef
g4SBnThkjqrzUWuBNdS8tQw+ZlTON+D9Ig0diY2maknv+E2Tn7TZW2L+lBwJlAWg
5Zyh7U9tmErtakwhgp4P4ztOv3yIBxhpRglBHnLfh+bahI5i91/ugJ3bJLa2a8hD
qcov/Erj0IEygaLWVQ+AXnf/be/X0t/R7jO+484Ib1FR54BgckjujptSYuvNhq+t
mM8npCDniVY8efZ0Y4z551NBl/XShn3viX5ZO36eyPdgT3IThSxuO2z6WSQOHu6/
FJ69ncuGAKsV8s3NKGu8NTSVnTL461yDqpKt8xQjec7Em92Q+30FgF68JpXy9AqB
JDZvDQ9jQ1nkddxATzuN6h9VdGFj9u5xUxhpU4rG7qlTXXRXuF6ontHymtHVyd0K
poL4o6Gm8CmJojk/fMlMfY2slIjn7XbzHps6tSNP+FRSAIAEbVpdRP7R64ABSxtb
QV06ph41kXLtrzqBlEvcB8OGCvGZXaJ3cwo1Gxh4A3W8mUM24CrTm7WcVv2v+sh1
OzwhwBNbtWAqwjaAg6V/xkxu3v51Qv0XrqkLOvRkUUQJjY43RJlAt0oFEnYVq1kL
0/JGlSMq8Y8=
=tYGD
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: xterm security update
Advisory ID: RHSA-2021:0651-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0651
Issue date: 2021-02-24
CVE Names: CVE-2021-27135
=====================================================================
1. Summary:
An update for xterm is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64
3. Description:
The xterm program is a terminal emulator for the X Window System. It
provides DEC VT102 and Tektronix 4014 compatible terminals for programs
that can't use the window system directly.
Security Fix(es):
* xterm: crash when processing combining characters (CVE-2021-27135)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1927559 - CVE-2021-27135 xterm: crash when processing combining characters
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v. 8.2):
Source:
xterm-331-1.el8_2.1.src.rpm
aarch64:
xterm-331-1.el8_2.1.aarch64.rpm
xterm-debuginfo-331-1.el8_2.1.aarch64.rpm
xterm-debugsource-331-1.el8_2.1.aarch64.rpm
xterm-resize-331-1.el8_2.1.aarch64.rpm
xterm-resize-debuginfo-331-1.el8_2.1.aarch64.rpm
ppc64le:
xterm-331-1.el8_2.1.ppc64le.rpm
xterm-debuginfo-331-1.el8_2.1.ppc64le.rpm
xterm-debugsource-331-1.el8_2.1.ppc64le.rpm
xterm-resize-331-1.el8_2.1.ppc64le.rpm
xterm-resize-debuginfo-331-1.el8_2.1.ppc64le.rpm
s390x:
xterm-331-1.el8_2.1.s390x.rpm
xterm-debuginfo-331-1.el8_2.1.s390x.rpm
xterm-debugsource-331-1.el8_2.1.s390x.rpm
xterm-resize-331-1.el8_2.1.s390x.rpm
xterm-resize-debuginfo-331-1.el8_2.1.s390x.rpm
x86_64:
xterm-331-1.el8_2.1.x86_64.rpm
xterm-debuginfo-331-1.el8_2.1.x86_64.rpm
xterm-debugsource-331-1.el8_2.1.x86_64.rpm
xterm-resize-331-1.el8_2.1.x86_64.rpm
xterm-resize-debuginfo-331-1.el8_2.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-27135
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYDYGodzjgjWX9erEAQhS1Q/+NdlvE2UbAcJxvCu0RXvrFDxlqXcpeuj/
fRc47T24EeTYXGw/mc6jHXvAOWgUqKHSl4IH/J4nKo5FXsHquML84IW0HhgW6lJE
pk3wfv9SVuXZfT5v0kA83w121glKdmaRbRR9US9H0mv8C5ioKpYT4OTbylG4o28P
FigAfw4U01MlZYIk4edvGJTcuN9yaWZf3g5z+lgFOkAwLQ8i3dqXdZ1bIkkAAxWD
BN7/nBYEqVtF/+4wxHggxLpobUzD3lNNJ1fZTFg24pOU/2NmoyWkcmeIdWjoCOxs
2XhObSyx65PzqGWVjGn3Cv1jB+dbClZ0l9FZu0yl9v86ZT3ppXfIX3a1G3trWA/i
D/hZZaUp8mkxzpKouT58FN68/WNVYGFhZNpfjCLpga+DG/zgdhB7xb1fMKobI2IH
nJLyW13NVHBnfQ8KxjNmTgkHtAwCdTO33gGh286Dm7PQmue3flbRsz7ldFX9pWSs
Fztq661aHmJkI4SLhWaCAEkFJBkf1RIX7qpZVkIraocutwLde5ULfNAYHbBGXnE/
MS5FVFGIEqATWavyEiuj6hw6HMtPoXCLol8lO60pHQKKivJwDeBiYPs4/CltzP+s
Vl3TYa6tWXN47hb7JfvJ8pSs71SkbuzhFXXrelUaYDrPXZNGCFAUV6BxMFTZbuVs
aifmbwYCepo=
=PWNo
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYDbwu+NLKJtyKPYoAQhWcw/9HVSvrGxi8GJM5/KiJnQNMheyTPaZjn68
Kn4lM3OpzvmSkWDLF/+vNcP/EFbaahVZGKFNm83IIqd7OLakeUzyeaK6vtqkhDvd
1WAvVKXPySwpQaBQRQGzk5v+HNx0oXIzcaMrwOrkxzDuYM3O/iM/UxamB942V73p
ajqrWu3DpJKtY3wzNhw6zdkoS9kY0RPnqcN7Ty5D9AKslHajOzWsiEDVLR0SenAy
l8oYXB5N9rYkLeDQbLL5Hok0Dsda1m+ftzPqPoV1yv811IWL7F5wJeRCty0+musX
b5NlvdPKyQnSwIcFt7JT56Xvltl3i5YOZ51g7asiYfgq73sSwPhjuw3hcQvT3doJ
6apKB8+WHH3qT+t+A9GdlTg6sRL+Z9gqaghsLi3303HpbBll9QTpDKSUDkHAaNRY
jWaWKsj9LDP7tDbteQpeTBY5GeYsTNWbSDLNTf51Fb34VeqD9DT5R4RyTcgp1fMk
WctoR55NibHgy4B9Xbbz2TVY3j70RbByXYUCeRHEM+DJZFaNcL/aJtbs3WFtTOX7
YbUjNVBu0gUPpLwH+NV/0+jjgB2I0vglxp1ctHMKrAQlE5eTPQbFnrN3Os1oUERO
l0aHHaZfN+TeMR1PdLADaM4LGwQeBHS2aXlTe7b8YaurZMKGUnV1c6MY/eQwu7an
h5Fzx/9OFzU=
=U8L0
-----END PGP SIGNATURE-----