add 1 more RPM CVE; spiff up metadata in list-fixed-security-issues-in-rpm-1.3.1.txt file too

nickboldt · nickboldt · commit 3d4e86e1b659 · 2024-11-08T15:56:15.000-05:00
Signed-off-by: Nick Boldt &lt;nboldt@redhat.com&gt;
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.1.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.3.1.txt
@@ -1,16 +1,18 @@
-CVE-2024-34156 
-CVE-2023-28746
-CVE-2024-27403
-CVE-2023-52658
-CVE-2024-35989
-CVE-2021-47385
-CVE-2024-36889
-CVE-2024-36978
-CVE-2024-38556
-CVE-2024-39483
-CVE-2024-39502
-CVE-2024-40959 
-CVE-2024-42079 
-CVE-2024-42272
-CVE-2024-42284
-CVE-2024-9355
+# CVE number, Errata details, Bugzilla
+CVE-2021-47385, kernel: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field, https://bugzilla.redhat.com/show_bug.cgi?id=2282355
+CVE-2023-28746, kernel: Local information disclosure on Intel(R) Atom(R) processors, https://bugzilla.redhat.com/show_bug.cgi?id=2270700
+CVE-2023-52658, kernel: Revert &#34;net/mlx5: Block entering switchdev mode with ns inconsistency&#34;, https://bugzilla.redhat.com/show_bug.cgi?id=2281149
+CVE-2024-27403, kernel: netfilter: nft_flow_offload: reset dst in route object after setting up flow, https://bugzilla.redhat.com/show_bug.cgi?id=2281127
+CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion, https://bugzilla.redhat.com/show_bug.cgi?id=2310528
+CVE-2024-35989, kernel: dmaengine: idxd: Fix oops during rmmod on single-CPU platforms, https://bugzilla.redhat.com/show_bug.cgi?id=2281847
+CVE-2024-36889, kernel: mptcp: ensure snd_nxt is properly initialized on connect, https://bugzilla.redhat.com/show_bug.cgi?id=2284571
+CVE-2024-36978, kernel: net: sched: sch_multiq: fix possible OOB write in multiq_tune(), https://bugzilla.redhat.com/show_bug.cgi?id=2293078
+CVE-2024-38556, kernel: net/mlx5: Add a timeout to acquire the command queue semaphore, https://bugzilla.redhat.com/show_bug.cgi?id=2293443
+CVE-2024-39483, kernel: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked, https://bugzilla.redhat.com/show_bug.cgi?id=2295921
+CVE-2024-39502, kernel: ionic: fix use after netif_napi_del(), https://bugzilla.redhat.com/show_bug.cgi?id=2297474
+CVE-2024-40959, kernel: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr(), https://bugzilla.redhat.com/show_bug.cgi?id=2297543
+CVE-2024-42079, kernel: gfs2: Fix NULL pointer dereference in gfs2_log_flush, https://bugzilla.redhat.com/show_bug.cgi?id=2300517
+CVE-2024-42272, kernel: sched: act_ct: take care of padding in struct zones_ht_key, https://bugzilla.redhat.com/show_bug.cgi?id=2305417
+CVE-2024-42284, kernel: tipc: Return non-zero value from tipc_udp_addr2str() on error, https://bugzilla.redhat.com/show_bug.cgi?id=2305429
+CVE-2024-6232, python: cpython: tarfile: ReDos via excessive backtracking while parsing header values, https://bugzilla.redhat.com/show_bug.cgi?id=2309426
+CVE-2024-9355, Golang FIPS OpenSSL: zeroed buffer, https://bugzilla.redhat.com/show_bug.cgi?id=2315719
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.1.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.1.adoc
@@ -11,6 +11,9 @@ link:https://access.redhat.com/security/cve/CVE-2023-52658[CVE-2023-52658]::
 In the Linux kernel, the following vulnerability has been resolved:
 Revert "net/mlx5: Block entering switchdev mode with ns inconsistency"
 
+link:https://access.redhat.com/security/cve/CVE-2024-6232[CVE-2024-6232]::
+A regular expression denial of service (ReDos) vulnerability was found in Python's tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive.
+
 link:https://access.redhat.com/security/cve/CVE-2024-9355[CVE-2024-9355]::
 A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.
 
