Headline
RHSA-2022:7950: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Synopsis
Low: Image Builder security, bug fix, and enhancement update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
Security Fix(es):
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2059869 - Update osbuild to the newest upstream version in RHEL 9.1
- BZ - 2059870 - Update osbuild-composer to the newest upstream version in RHEL 9.1
- BZ - 2060061 - Rebase cockpit-composer to newest release for RHEL 9.1
- BZ - 2062597 - [cockpit-composer] RHEL 9.1 Tier 0 Localization
- BZ - 2064087 - suggest to exclude dracut-config-rescue in rhel ec2 images
- BZ - 2088459 - [osbuild-composer] cannot build an edge container with sssd
- BZ - 2105961 - edge-installer (anaconda) fails if user has ssh-key defined
- BZ - 2110864 - edge-installer ISO image can’t boot on BIOS VM
- BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
- BZ - 2118831 - Backport test changes for new osbuild-composer
- BZ - 2123055 - edge images default to LVM
- BZ - 2123210 - podman network backend does not switch to netavark when embedding container in image
References
- https://access.redhat.com/security/updates/classification/#low
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
cockpit-composer-41-1.el9.src.rpm
SHA-256: 53cecc4da5ac3962f6bf8ee57a174c1ba824a05875077e5705eab48c5406838b
osbuild-65-1.el9.src.rpm
SHA-256: 4ba112dbe61504b7506856d5de1c60738fef86afb4d2cc4502aa00bf49a0286f
osbuild-composer-62.1-1.el9.src.rpm
SHA-256: 72f962670101ce3591b3b29f72a7109ca7c32921e6406a53da8f5295d108b2b5
weldr-client-35.5-4.el9.src.rpm
SHA-256: 33ece02c67717d6cf19f7076f6c276999720acd01cd7a2d6ff7487e29861c587
x86_64
cockpit-composer-41-1.el9.noarch.rpm
SHA-256: 1d46083c578e93c075cfc63d7a9acdf1ce28eeeda3cfddd87107bdda1f8098de
osbuild-65-1.el9.noarch.rpm
SHA-256: cf95636a9568701420059e0227b1331451b03f68ec9568752fb2b3b93d8aecaa
osbuild-composer-62.1-1.el9.x86_64.rpm
SHA-256: 11f21014ef738a94b4ab1f4812a55ec83f4ceadf15612290469c7ede888f4f5d
osbuild-composer-core-62.1-1.el9.x86_64.rpm
SHA-256: a2f416549a1a0e625169a9c487c9c55086de784747730b2cc4b1c141212f5bcc
osbuild-composer-core-debuginfo-62.1-1.el9.x86_64.rpm
SHA-256: 06a1d1ba4fef4c2dbf77a4d3b21aba6ccbb9287776f466d3cb00a4105516fdf9
osbuild-composer-debugsource-62.1-1.el9.x86_64.rpm
SHA-256: 4eed4ebfba98ab05b173835884184ef60cbd21deafaae831b3c37b488c6e5c61
osbuild-composer-dnf-json-62.1-1.el9.x86_64.rpm
SHA-256: 3e1bed16eab6336b5f70163a88e0d1ea2debce431aa986cba148b01a75a2d0a9
osbuild-composer-tests-debuginfo-62.1-1.el9.x86_64.rpm
SHA-256: 12b6e19664c068a5846424612ecea0eb0968052c1e3b07dcaf1e5d5aff76127b
osbuild-composer-worker-62.1-1.el9.x86_64.rpm
SHA-256: e6573c81ecfcfb5041efa9bbbcf77a65895b9ca3286a1b71a8de2a93383539e3
osbuild-composer-worker-debuginfo-62.1-1.el9.x86_64.rpm
SHA-256: c98a52c44a5cece81e9edb3e4de34467d391c276e551444a7e4215c5a3da4e3a
osbuild-luks2-65-1.el9.noarch.rpm
SHA-256: 5d93fb2a822fd4d78d4f9ed965287f17d8a02140937ee945edd0a4adaffc2e2d
osbuild-lvm2-65-1.el9.noarch.rpm
SHA-256: 81a53b15d18e53a7163288d7bb0cfa7030aaeb59132b59bc5f53db9b0ae56649
osbuild-ostree-65-1.el9.noarch.rpm
SHA-256: 49248fa96ddd6c1307e185228447d732847548a138e2a7552480ce5b466014e6
osbuild-selinux-65-1.el9.noarch.rpm
SHA-256: cf70ff73d300169eb340b048391ce3e8663efaf095315804bcfaadf3fc61e4f7
python3-osbuild-65-1.el9.noarch.rpm
SHA-256: 526d497b1ed0e9787cff15135da068d4faa1ab4ad0d9a3d8f932a4358394268c
weldr-client-35.5-4.el9.x86_64.rpm
SHA-256: 932be00cf6d79cb1936fca3b1b8e639bd3e05333b4a6f9129bd06a1b651321f4
weldr-client-debuginfo-35.5-4.el9.x86_64.rpm
SHA-256: 438a9bb05949d22a1889d4dce772fe6fc97fcad3ec853da3df398652082d6662
weldr-client-debugsource-35.5-4.el9.x86_64.rpm
SHA-256: a6f65a8fe3f0f713a7c4043664c993ef612419623a206e91278ece46cda9154d
weldr-client-tests-debuginfo-35.5-4.el9.x86_64.rpm
SHA-256: ccd9f5b5aeb910ede0d2708aab858c9d0dcb12259ee0bcd1a5ccd27586ec3e0e
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
cockpit-composer-41-1.el9.src.rpm
SHA-256: 53cecc4da5ac3962f6bf8ee57a174c1ba824a05875077e5705eab48c5406838b
osbuild-65-1.el9.src.rpm
SHA-256: 4ba112dbe61504b7506856d5de1c60738fef86afb4d2cc4502aa00bf49a0286f
osbuild-composer-62.1-1.el9.src.rpm
SHA-256: 72f962670101ce3591b3b29f72a7109ca7c32921e6406a53da8f5295d108b2b5
weldr-client-35.5-4.el9.src.rpm
SHA-256: 33ece02c67717d6cf19f7076f6c276999720acd01cd7a2d6ff7487e29861c587
s390x
cockpit-composer-41-1.el9.noarch.rpm
SHA-256: 1d46083c578e93c075cfc63d7a9acdf1ce28eeeda3cfddd87107bdda1f8098de
osbuild-65-1.el9.noarch.rpm
SHA-256: cf95636a9568701420059e0227b1331451b03f68ec9568752fb2b3b93d8aecaa
osbuild-composer-62.1-1.el9.s390x.rpm
SHA-256: 475fdef21d8562976b781b9c30660f259edd2277e9211713b74114b204509bd7
osbuild-composer-core-62.1-1.el9.s390x.rpm
SHA-256: 93cfb4bd7188a5a4d775cd0434f1d45b773d4f3bbaadaf0bfca87b2ffb31e605
osbuild-composer-core-debuginfo-62.1-1.el9.s390x.rpm
SHA-256: bc5875bdf0327a0eb26cf14473979a1253791b80e0d895c5e47eef64cce278b0
osbuild-composer-debugsource-62.1-1.el9.s390x.rpm
SHA-256: 90251c063abe79e340b600bd7f43c96bc64098c721bdc8a5459c9a5a66a25858
osbuild-composer-dnf-json-62.1-1.el9.s390x.rpm
SHA-256: d2c85a07252d73b56dd74c1b9842b3c3c81b7ac62726a768f39fc877e9fa891e
osbuild-composer-tests-debuginfo-62.1-1.el9.s390x.rpm
SHA-256: 7e875efbf03cf243ec963c0c68c8ef90de682144da351c5e4d890e87f2afa118
osbuild-composer-worker-62.1-1.el9.s390x.rpm
SHA-256: 7e6e10cd6754480e578dbe5dabef09b2ecd76d9a160925e8f310af3652a74022
osbuild-composer-worker-debuginfo-62.1-1.el9.s390x.rpm
SHA-256: fc5c79dbf4c0fecf4bba7696311406e8da3393a6a59626aaa32365f405b4617a
osbuild-luks2-65-1.el9.noarch.rpm
SHA-256: 5d93fb2a822fd4d78d4f9ed965287f17d8a02140937ee945edd0a4adaffc2e2d
osbuild-lvm2-65-1.el9.noarch.rpm
SHA-256: 81a53b15d18e53a7163288d7bb0cfa7030aaeb59132b59bc5f53db9b0ae56649
osbuild-ostree-65-1.el9.noarch.rpm
SHA-256: 49248fa96ddd6c1307e185228447d732847548a138e2a7552480ce5b466014e6
osbuild-selinux-65-1.el9.noarch.rpm
SHA-256: cf70ff73d300169eb340b048391ce3e8663efaf095315804bcfaadf3fc61e4f7
python3-osbuild-65-1.el9.noarch.rpm
SHA-256: 526d497b1ed0e9787cff15135da068d4faa1ab4ad0d9a3d8f932a4358394268c
weldr-client-35.5-4.el9.s390x.rpm
SHA-256: 98702ee05846b2f3b49670c42d6e76947d6a69f8dab5a892d1037ac63a3291b4
weldr-client-debuginfo-35.5-4.el9.s390x.rpm
SHA-256: 8c0c69ee0f537c1be0db139914aaa5a80fd9405ecc6e85823f2c958b324b90fb
weldr-client-debugsource-35.5-4.el9.s390x.rpm
SHA-256: fe4bd9e37575e7538cdea88f1b7a4dd38cc2509d2c6e56696be53f93251e5ee3
weldr-client-tests-debuginfo-35.5-4.el9.s390x.rpm
SHA-256: ac10c744299cf0db02fe7b5e885dbbdd43edfe7a58dc48109fa60f45b83bec4d
Red Hat Enterprise Linux for Power, little endian 9
SRPM
cockpit-composer-41-1.el9.src.rpm
SHA-256: 53cecc4da5ac3962f6bf8ee57a174c1ba824a05875077e5705eab48c5406838b
osbuild-65-1.el9.src.rpm
SHA-256: 4ba112dbe61504b7506856d5de1c60738fef86afb4d2cc4502aa00bf49a0286f
osbuild-composer-62.1-1.el9.src.rpm
SHA-256: 72f962670101ce3591b3b29f72a7109ca7c32921e6406a53da8f5295d108b2b5
weldr-client-35.5-4.el9.src.rpm
SHA-256: 33ece02c67717d6cf19f7076f6c276999720acd01cd7a2d6ff7487e29861c587
ppc64le
cockpit-composer-41-1.el9.noarch.rpm
SHA-256: 1d46083c578e93c075cfc63d7a9acdf1ce28eeeda3cfddd87107bdda1f8098de
osbuild-65-1.el9.noarch.rpm
SHA-256: cf95636a9568701420059e0227b1331451b03f68ec9568752fb2b3b93d8aecaa
osbuild-composer-62.1-1.el9.ppc64le.rpm
SHA-256: a86fe3b9a0f065d35aa9c97f15f8c918764a536bf6848a084ebad00244bbf65c
osbuild-composer-core-62.1-1.el9.ppc64le.rpm
SHA-256: 5e292f96a5fc35abaf496fc0c9130b014b537bee492e6d32d378588e8be0c8ca
osbuild-composer-core-debuginfo-62.1-1.el9.ppc64le.rpm
SHA-256: 7a9306207c86bc8b0129bc6f1f0d7299c5ddbc5035e8a50837ca4edbea6e1127
osbuild-composer-debugsource-62.1-1.el9.ppc64le.rpm
SHA-256: 2cf4e093f7669acf853b03d673a53f023bebb3497f0466979abb08e7881d9f36
osbuild-composer-dnf-json-62.1-1.el9.ppc64le.rpm
SHA-256: 12d2aabc3608bc8c979520531a71bc13bed1645c23a48adb0f7c6ee183df548e
osbuild-composer-tests-debuginfo-62.1-1.el9.ppc64le.rpm
SHA-256: f80af7d0f4ce0929b420e30ec8aedcee301ee669bd246533d0bd5be7c0b5e3db
osbuild-composer-worker-62.1-1.el9.ppc64le.rpm
SHA-256: 8898388acd5a908d33e22eb27a1114a97e9dbe27e06563b5e7abee96ea4799e3
osbuild-composer-worker-debuginfo-62.1-1.el9.ppc64le.rpm
SHA-256: bec6869e32efa3ea7225b5a986a0ee43c9b77ccf188dd304a554e75ecfd0b1b9
osbuild-luks2-65-1.el9.noarch.rpm
SHA-256: 5d93fb2a822fd4d78d4f9ed965287f17d8a02140937ee945edd0a4adaffc2e2d
osbuild-lvm2-65-1.el9.noarch.rpm
SHA-256: 81a53b15d18e53a7163288d7bb0cfa7030aaeb59132b59bc5f53db9b0ae56649
osbuild-ostree-65-1.el9.noarch.rpm
SHA-256: 49248fa96ddd6c1307e185228447d732847548a138e2a7552480ce5b466014e6
osbuild-selinux-65-1.el9.noarch.rpm
SHA-256: cf70ff73d300169eb340b048391ce3e8663efaf095315804bcfaadf3fc61e4f7
python3-osbuild-65-1.el9.noarch.rpm
SHA-256: 526d497b1ed0e9787cff15135da068d4faa1ab4ad0d9a3d8f932a4358394268c
weldr-client-35.5-4.el9.ppc64le.rpm
SHA-256: e04f78bdfbeeb7d6ce12499fd6f277fa17a6aa19fc8d4dd53335ac79471db064
weldr-client-debuginfo-35.5-4.el9.ppc64le.rpm
SHA-256: 88f30e60bbeef4da415a811339d7cc5c96c1ba435ffb4ae743cc3bed05eb9309
weldr-client-debugsource-35.5-4.el9.ppc64le.rpm
SHA-256: 1960886b62341c305555973a63d46645a95b328a8a917bac4dc1670b7adb2690
weldr-client-tests-debuginfo-35.5-4.el9.ppc64le.rpm
SHA-256: 737478578e62bbcf90a610322cb273688f22e85177c7d3131cff8c8c4582ac78
Red Hat Enterprise Linux for ARM 64 9
SRPM
cockpit-composer-41-1.el9.src.rpm
SHA-256: 53cecc4da5ac3962f6bf8ee57a174c1ba824a05875077e5705eab48c5406838b
osbuild-65-1.el9.src.rpm
SHA-256: 4ba112dbe61504b7506856d5de1c60738fef86afb4d2cc4502aa00bf49a0286f
osbuild-composer-62.1-1.el9.src.rpm
SHA-256: 72f962670101ce3591b3b29f72a7109ca7c32921e6406a53da8f5295d108b2b5
weldr-client-35.5-4.el9.src.rpm
SHA-256: 33ece02c67717d6cf19f7076f6c276999720acd01cd7a2d6ff7487e29861c587
aarch64
cockpit-composer-41-1.el9.noarch.rpm
SHA-256: 1d46083c578e93c075cfc63d7a9acdf1ce28eeeda3cfddd87107bdda1f8098de
osbuild-65-1.el9.noarch.rpm
SHA-256: cf95636a9568701420059e0227b1331451b03f68ec9568752fb2b3b93d8aecaa
osbuild-composer-62.1-1.el9.aarch64.rpm
SHA-256: 5a94b4842bc7ebd5dd7175983ffbddbbb22a63121c8636267d9b2b42979ccb8f
osbuild-composer-core-62.1-1.el9.aarch64.rpm
SHA-256: 528176b41d92bd94b34310de4e4ea4b99ad6310020cdddecd929722d8f17bbd7
osbuild-composer-core-debuginfo-62.1-1.el9.aarch64.rpm
SHA-256: 7a163143ea0e034c8eaa75df5a65eafc8a27914911b2e0abf1fa64c99de5b10f
osbuild-composer-debugsource-62.1-1.el9.aarch64.rpm
SHA-256: fc3671e0eb80bb242010b1142a5d47c263b994f81fc3318eb7b73bc6ad960840
osbuild-composer-dnf-json-62.1-1.el9.aarch64.rpm
SHA-256: 317f4966e84d62bd4fa9a3a35ed20d0d70d5ac04ad0399d4ced0709bf0f02f7a
osbuild-composer-tests-debuginfo-62.1-1.el9.aarch64.rpm
SHA-256: d4cbf22c02ce1b6178ff2b828c343c0555196b5445dcb096d400b72b6865f2f1
osbuild-composer-worker-62.1-1.el9.aarch64.rpm
SHA-256: 9fbfd96e66615664f82c5fda1f41b6e6ead2550457e656124dadf5d73ed33475
osbuild-composer-worker-debuginfo-62.1-1.el9.aarch64.rpm
SHA-256: 3963fa39ac8543b85b7b917bc7d1f7e50a20df0069e98c40452a46fd45399b85
osbuild-luks2-65-1.el9.noarch.rpm
SHA-256: 5d93fb2a822fd4d78d4f9ed965287f17d8a02140937ee945edd0a4adaffc2e2d
osbuild-lvm2-65-1.el9.noarch.rpm
SHA-256: 81a53b15d18e53a7163288d7bb0cfa7030aaeb59132b59bc5f53db9b0ae56649
osbuild-ostree-65-1.el9.noarch.rpm
SHA-256: 49248fa96ddd6c1307e185228447d732847548a138e2a7552480ce5b466014e6
osbuild-selinux-65-1.el9.noarch.rpm
SHA-256: cf70ff73d300169eb340b048391ce3e8663efaf095315804bcfaadf3fc61e4f7
python3-osbuild-65-1.el9.noarch.rpm
SHA-256: 526d497b1ed0e9787cff15135da068d4faa1ab4ad0d9a3d8f932a4358394268c
weldr-client-35.5-4.el9.aarch64.rpm
SHA-256: 9fb65ddd1bccedc19c524fd22d3bd1dac29d50620ca4415bf39fa350f9675a86
weldr-client-debuginfo-35.5-4.el9.aarch64.rpm
SHA-256: 1e10014f4d432a18adca2abbe55893246d181dfbd9070b48f5dd166f7c130c73
weldr-client-debugsource-35.5-4.el9.aarch64.rpm
SHA-256: 9fcdde4eaf4957306e066fb4cd9b7d2dcc320c03f990ab73c76b6e26104bf57d
weldr-client-tests-debuginfo-35.5-4.el9.aarch64.rpm
SHA-256: ffdb0a1f6296539a981f21d1349d8ec3d611cba7f966fb46f0a2beaae3fca878
Related news
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...
Red Hat Security Advisory 2023-2802-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and information leakage vulnerabilities.
An update for toolbox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode a...
Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...
An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.
Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: go-yaml: Denial of Service in go-yaml * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-2995: cri-o: incorrect handlin...
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32148: golang: net/http/ht...
Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8534-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.
An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
Gentoo Linux Security Advisory 202208-2 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.