Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1108 Red Hat build of Eclipse Vert.x 4.0.3 security update 1 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Eclipse Vert.x Publisher: Red Hat Operating System: Red Hat Impact/Access: Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-21295 CVE-2021-21290 Reference: ESB-2021.1053 ESB-2021.0515 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:0943 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat build of Eclipse Vert.x 4.0.3 security update Advisory ID: RHSA-2021:0943-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2021:0943 Issue date: 2021-03-31 CVE Names: CVE-2021-21290 CVE-2021-21295 ===================================================================== 1. Summary: An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section. 2. Description: This release of Red Hat build of Eclipse Vert.x 4.0.3 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section. Security Fix(es): * netty: Information disclosure via the local system temporary directory (CVE-2021-21290) * netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation 5. References: https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.0.3 https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.0/html/release_notes_for_eclipse_vert.x_4.0/index https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.0/html/eclipse_vert.x_4.0_migration_guide/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYGRDR9zjgjWX9erEAQh9IQ//ZWUE0Mj0hVag/gdeQVTB7VGQFbPje2oB Rl6J7IfOBLNRa/mUN6MP8NezNeNtW/FUk71TwkyoIO1gesFlCdbd02qFnac19JBs PADuR1kWKQlL6CsS9bhl4c84m3bw8AYqa7FsoOKjeWLcR2T3twafw0+LrL/aaUrd Kj3l68L5DIZWpQ/o8uCGHxmq5Gz1H6XvYsH6m9w3Jmvq6v5psm7rRofYsj3UgWS2 3Uvc0ICmVAkLK1mc2Fqby23mUt2zMDdDjb0yEOE7UyIYD8MMZmn74SOH0yl/ZRmD LmcFv8Se6TDEMCBwzVCXKCfE38GIx5Y0PiWpQ6NOmEziDmUFmWaOrHNvs98cgkd+ BKlLo98iBi0878oJpSImV0e5h/MzNi2R0EHUpdI6zWiMV+cqcPLpLr1N5xQqE1Q7 EH169GmOBqvUJxKh07bP8jICeJ3u8GssHwqQL5lQAV97AwVFc3JipIG922QhThMP acpi3dmOP9F+wIXyIhv61g7ZWohH0edwxVhN+2LxIcNMBGXQtOHvOecyDTTWEcVx gUJq2D/z4Y6aJPI5XaXrj4c0mtNGBMYqjWsQQdGdqPaFoIXq2UfZiNFIvIC4L/A+ 6DTfUy9IIaOcroSu20NVfH7vWi0RDHT8l7aml3zK84kieZAcAuYwo3i8W3U93ZB6 adeqT0ijyKI= =aIC7 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYGUKzeNLKJtyKPYoAQjM7g//Sz+ghKNBdGCNzaRUeYGVe3GQudMd+Qp8 MWCUJ405H9YlgsLmfDtoHOSfXchaXtYD3zpzOrumJeM0sk/8UB480RA5Xq1BegmY Ll94vGiYR0E13KieMvxYBnT51/MQKCQZbqWwfy65NAo+mNaFdiRVWLUmEfDTLdD9 8e+AttZukFw9nHhBHMDstHjMzAicien+hMDDyUfu+/GQEINpY3bMGJ8DEImlYJMl YhpibYbaj/sdZBRvtDJWLFoE8wyNyXujrk+fny0M4sjWgf9N8Z8CphjDlAXBZ0oa OwJysnrXxEmgtq6Sj5DPnh9IcMXyXzlP4+pvZLqR2oLGqLigmk5ky8WMtkmUAnyj /jQiLS6pfXKdibnELA7mF+DxKJfn9UW320oQW7VA+vpPBiaKqpQhDpd7EKymngG3 gLPLeoigiTVSP1oMgiLp89nDEizKPIEmIaPAdY2TG457UGJRcpAJRnOJsHKFQMBa x17n+FYLuSFgiu6I6zPll6D8tVhMjeLEDtQi5ddjMt8vdjft2hTO9UfBYlN1Aqid ur2leyyECB1l0LLywrTzU8N80Qj1m7HtuizBnHaSHuQcoKP8UthuWESTpPF9rG0t U6NWLub0TF0RQglJTXgQntJ6fszR7iGG5FEN2jw3O1EiB4nwu8U9kirndLtgYPd3 vBxn29LCsow= =SOJY -----END PGP SIGNATURE-----