-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: xmlrpc-c security update Advisory ID: RHSA-2022:1539-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:1539 Issue date: 2022-04-26 CVE Names: CVE-2022-25235 ===================================================================== 1. Summary: An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML. Security Fix(es): * expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution 6. Package List: Red Hat Enterprise Linux BaseOS E4S (v. 8.1): Source: xmlrpc-c-1.51.0-5.el8_1.1.src.rpm aarch64: xmlrpc-c-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.aarch64.rpm ppc64le: xmlrpc-c-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.ppc64le.rpm s390x: xmlrpc-c-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.s390x.rpm x86_64: xmlrpc-c-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYmga8dzjgjWX9erEAQgapw//XhcvNxYnp6Qtm/aJepfUAUEL5c3eXy4d u9bXtLD3mLIyJH6K698F74TxK8uIeC00t0jw/M5y57YORd+bMt13H1bgKf3DCBw7 G8MHTwWhwhT1ex8jJo3TcG05+ounKqs70J+MtlpxDNOpUEpbX8mDsWE53SYeYr76 l/ibI229I/nJO8vboz/Qmg3vcTI+k8iGJNnqVN2THRtgUXfZ4CnbNFzKe3x1VX8b uttEBxp6tOnXjqLJ4XCeywJbA1ef44nvD6BhIznxZ2MfUEgRBdLM63AcTzTFk8Ie 2slI9OfBtCVaJV9UnQxrrY12nY1RS6Vjp//NqhEMxEYcq2XozBLMXMitrHdXPwb7 rB8KUdtTdv7caHVWb6l94eOrTM8qAA6wgkQ8DYvzX+5CWj7cHSQUcduBp4OdL6b+ p4skOpKWVgQUgxvoEknT9wLuUzzD7hqoQbPTGxRtgBD4dAvWAKO+jAcHWcLtS/dw R537E4emI7BvPVXoT6OeLN9u8cr+0/nJIdB5JZwLqx2vQ+nkl5k0nyVDvIr2R6Cy yrFF0nZWDpKWD28TtlKZsa9NQe/YRPSbmrEW1fLD+NudzhuLQZcNb7/sRKZEuxv1 kXArqwtv1pU3+EUM70nvmmRRb2KH2a9983S4HfTb129fcSgXeglYIekTVHA3jARH rbuSYb0t5Ew= =NpRA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce