Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3778 json-c security and bug fix update 10 November 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: json-c Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-12762 Reference: ESB-2020.2678 ESB-2020.1899 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:4382 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: json-c security and bug fix update Advisory ID: RHSA-2021:4382-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4382 Issue date: 2021-11-09 CVE Names: CVE-2020-12762 ===================================================================== 1. Summary: An update for json-c is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux CRB (v. 8) - noarch 3. Description: JSON-C implements a reference counting object model that allows users to easily construct JavaScript Object Notation (JSON) objects in C, output them as JSON formatted strings, and parse JSON formatted strings back into the C representation of JSON objects. Security Fix(es): * json-c: integer overflow and out-of-bounds write via a large JSON file (CVE-2020-12762) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1835253 - CVE-2020-12762 json-c: integer overflow and out-of-bounds write via a large JSON file 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): aarch64: json-c-debuginfo-0.13.1-2.el8.aarch64.rpm json-c-debugsource-0.13.1-2.el8.aarch64.rpm json-c-devel-0.13.1-2.el8.aarch64.rpm ppc64le: json-c-debuginfo-0.13.1-2.el8.ppc64le.rpm json-c-debugsource-0.13.1-2.el8.ppc64le.rpm json-c-devel-0.13.1-2.el8.ppc64le.rpm s390x: json-c-debuginfo-0.13.1-2.el8.s390x.rpm json-c-debugsource-0.13.1-2.el8.s390x.rpm json-c-devel-0.13.1-2.el8.s390x.rpm x86_64: json-c-debuginfo-0.13.1-2.el8.i686.rpm json-c-debuginfo-0.13.1-2.el8.x86_64.rpm json-c-debugsource-0.13.1-2.el8.i686.rpm json-c-debugsource-0.13.1-2.el8.x86_64.rpm json-c-devel-0.13.1-2.el8.i686.rpm json-c-devel-0.13.1-2.el8.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 8): Source: json-c-0.13.1-2.el8.src.rpm aarch64: json-c-0.13.1-2.el8.aarch64.rpm json-c-debuginfo-0.13.1-2.el8.aarch64.rpm json-c-debugsource-0.13.1-2.el8.aarch64.rpm ppc64le: json-c-0.13.1-2.el8.ppc64le.rpm json-c-debuginfo-0.13.1-2.el8.ppc64le.rpm json-c-debugsource-0.13.1-2.el8.ppc64le.rpm s390x: json-c-0.13.1-2.el8.s390x.rpm json-c-debuginfo-0.13.1-2.el8.s390x.rpm json-c-debugsource-0.13.1-2.el8.s390x.rpm x86_64: json-c-0.13.1-2.el8.i686.rpm json-c-0.13.1-2.el8.x86_64.rpm json-c-debuginfo-0.13.1-2.el8.i686.rpm json-c-debuginfo-0.13.1-2.el8.x86_64.rpm json-c-debugsource-0.13.1-2.el8.i686.rpm json-c-debugsource-0.13.1-2.el8.x86_64.rpm Red Hat Enterprise Linux CRB (v. 8): noarch: json-c-doc-0.13.1-2.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrej9zjgjWX9erEAQiU1g//YzM77GdfeN9wtXjfeQ400cw5AsR8XjOm 3eS4kMuwlN0w5reO9n3OnPs3SCZVDcoRmPJ1Z71eK796SyczEzfItkB8HVpPIL2E c8QfOQ1a2m/Izws30u8/xASfY3JXEWFeX5Pip7OrQ8T+6BhpsYEMzD7zC6aPXgzw g7T87IaVa1WPsORtd/KvDivVGBLt9jwzvjbJAOmRQ0ccWC9ylsjqXiuvDzFlyL+h R0tSJXyNDFebOwwAY5cJ0Go1NjlGC61K0SgB/S/WnQyqKcqN6kss/1fFCjGs/wvy Z52AMuB1BeOjPdxPydwErGjtl7qxn0ygpKwxKsHJwbhYpuUEBhkn6LG998y9QBVj gQDuySEzrR+0j1Tg579g/z1fvtbvXCU0/Wt01uoeWJlyKVR4B8dJAV4NHLFXoon8 Uw+dlJFvFPlu0LERlaYquQJ0FksWZH9G+3mrVo2F9X8IOMint0zNe+X+mE7zuhOX qluAe5stgV5BNtXkboSmt3R4mk4suNbgexZvyC9cMeIY+A2GNB4NHcVtwPVSs4Bg QG2SPVqwXL73ViKAS9YSof9uSY2hRXqSKs+BRnIVxKZS0EzFybv76NQtmx7NjZlG JUkHfT/W9UnTxfgmrDs6xYUKNCs6lyvkTmBfGf0+S+CLTToVImr9DPN/EO2r+/xS A4oHKkiq9g8= =8Eca - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYYtIdeNLKJtyKPYoAQiE3Q/+PZDqSM7j4NwFdsSgbQjHNk9+UGT0mMbc /y0B0NpqkK7zF/pagGokX/XO4xZSNvAgMjg10DmyRjRpuS39Q+xTqjcvpZ7REqR9 cBI5eX8CoFJqB9nxdP1tWbu0kCw24ZqqUdtrd20wysf1EcbwQyj0lReLrzAdpd/d SPpnEy/yzzsbV6n6a/DF+H54HiNWdqDQgI0DsatT6/trR1d1NkbMbx1GXoNec6Zv KcK2aSL/nihmNyhEcLFnTR5w5GYRyDkTHF8xOTVU7oXuMpZ6edDSie/G/KCC0SJk ZoEm1Qq3iYt/Q5d7SaoNFV5FMadphVj94kxO7J8f6Wf78wdsHQdwhr3v/GxZT/WU flRPJpgOaAtfYhotj4NCAqB48B8ldMq47jIL9X8AA/3rvQOWe9SRhHddgN97UeVK vq04A4RSBCXBvha2AdIcmMPUYs5MIxltpHcC3+ZpuZrqESHQOioO+qXjHrmVkxaL 73N8DoxbWL6k5tjExvM+jJubTicSuqnFmkQ5LnotqLlYRWyAqCSiQlHMHSPnuTLQ IQfXsqJ2otNsiZYY2psEtSxOzAePqoXYZX0rOqsxAhcz/tXSVOCal3/E44yhowoe Oq5bek7QoJKDHTDqVzrG2vwNC3ENlt6oV5MhXK43e5F59TV7Lnb8wfWN04vvGQCc 43QEnQoAp14= =tEES -----END PGP SIGNATURE-----