Red Hat 9042 Published by

A Red Hat Fuse 7.8.1 patch release and security update has been released.



RHSA-2021:1401-01: Moderate: Red Hat Fuse 7.8.1 patch release and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Fuse 7.8.1 patch release and security update
Advisory ID: RHSA-2021:1401-01
Product: Red Hat JBoss Fuse
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:1401
Issue date: 2021-04-27
CVE Names: CVE-2020-28052
=====================================================================

1. Summary:

A micro version update (from 7.8.0 to 7.8.1) is now available for Red Hat
Fuse on Karaf and Red Hat Fuse on Spring Boot 2. The purpose of this
text-only errata is to inform you about the security issues fixed in this
release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.8.1 serves as a patch to Red Hat Fuse on
Karaf and Red Hat Fuse on Spring Boot 2 (7.8.0), and includes security
fixes, which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible - Karaf (CVE-2020-28052)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible - Spring Boot 2 (CVE-2020-28052)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.8.0 product
documentation page:

  https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/install
ing_on_apache_karaf/apply-hotfix-patch

  https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deployi
ng_into_spring_boot/patch-red-hat-fuse-applications

4. Bugs fixed (  https://bugzilla.redhat.com/):

1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible

5. References:

  https://access.redhat.com/security/cve/CVE-2020-28052
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/installing_on_apache_karaf/apply-hotfix-patch
  https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/html/deploying_into_spring_boot/patch-red-hat-fuse-applications
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.8.0

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.