Headline
RHSA-2023:4986: Red Hat Security Advisory: Red Hat OpenShift Distributed Tracing 2.9.0 security update
Updated Red Hat OpenShift Distributed Tracing 2.9 container images are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
- CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an issue during multipart form parsing. By sending a specially crafted input, a remote attacker can consume large amounts of CPU and memory, resulting in a denial of service.
- CVE-2023-24537: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service.
- CVE-2023-24538: A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-09-06
Updated:
2023-09-06
RHSA-2023:4986 - Security Advisory
- Overview
- Updated Images
Synopsis
Moderate: Red Hat OpenShift Distributed Tracing 2.9.0 security update
Type/Severity
Security Advisory: Moderate
Topic
Updated Red Hat OpenShift Distributed Tracing 2.9 container images are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Red Hat OpenShift Distributed Tracing 2.9 container images have been released.
Users of Red Hat OpenShift Distributed Tracing 2.8 container images are advised to upgrade to these updated images, which contain backported patches to correct security issues, fix bugs, and include further enhancements.
You can find images updated by this advisory in Red Hat Container Catalog (see References).
Security Fix(es):
- golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
- golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
- golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
- golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
Affected Products
- Red Hat OpenShift distributed tracing 2 x86_64
- Red Hat OpenShift distributed tracing for Power, little endian 2 ppc64le
- Red Hat OpenShift distributed tracing for IBM Z and LinuxONE 2 s390x
Fixes
- BZ - 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
- BZ - 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
- BZ - 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
- BZ - 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
- TRACING-2968 - Wrong port is exposed for jaeger-production-query resulting in connection refused
- TRACING-3091 - Tempo operator with TLS does not work on OpenShift
- TRACING-3142 - Fix ServiceMonitor for gateway
- TRACING-3143 - tempostack_status_condition metric doesn’t get updated in some cases
- TRACING-3147 - Improve tempo version detection
- TRACING-3173 - jaeger-operator pod restarting with OOMKilled with the default memory value
- TRACING-3190 - opentelemetry-operator-controller-manager crashlooping after receiving opentelemetry-operator.v0.74.0-5
- TRACING-3204 - Remove resource limits for Tempo Operator but keep the resource.requests
- TRACING-3213 - Validation webhooks panics for invalid tenant configuration
- TRACING-3243 - OpenTelemetry Collector version is not reported properly after a upgrading
- TRACING-3312 - When deploying Service Mesh on SNO in a disconnected environment , the Jaeger Pod frequently goes into Pending state
- TRACING-3322 - 16685 is not properly exposed in the Jaeger Operator
- TRACING-3396 - Operator monitoring only works when operator is installed in openshift-operators-redhat
CVEs
- CVE-2023-24534
- CVE-2023-24536
- CVE-2023-24537
- CVE-2023-24538
ppc64le
rhosdt/jaeger-agent-rhel8@sha256:245b3a4fcc6ed62f74679e620284095a7faae32b796571dfd55f1a9f2f05d683
rhosdt/jaeger-all-in-one-rhel8@sha256:26e1ee47bd0d2ca13b14dba616d333d3c0164e7758c893bc6813dfc49bb29040
rhosdt/jaeger-collector-rhel8@sha256:3c69ca16cc58b5472a20aa7feb7f290f97b73125b0f9c9982c87ad4486e8414e
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:510f2f64e5e24c527541300ac9349a8e0ebc1a4856fc347aad5f5f5b187d2225
rhosdt/jaeger-es-rollover-rhel8@sha256:f35f3b371550adba3276ec9e969b51d26b67380294f3775031cda4b1572be084
rhosdt/jaeger-ingester-rhel8@sha256:f4fb59d36ac33e3a5c5b5eedcccfbb039f4ca50e61cc7e1bcb68ed89b0903745
rhosdt/jaeger-operator-bundle@sha256:d60fd47d90d3195ade9ff821520337dadf4128061a3cbeea2eb7bc28f4647e0a
rhosdt/jaeger-query-rhel8@sha256:e5d016116f2d35dabf0e445a920966581b15292bdef782d126f5a56c60077055
rhosdt/jaeger-rhel8-operator@sha256:e04ca83905b906b2ac22fab5420629a61f9210a3a4779a60966813aaced99541
rhosdt/opentelemetry-collector-rhel8@sha256:5cdc56e19e233f07820de14aed266ca8d9121fc06bedd6189401d2f420206901
rhosdt/opentelemetry-operator-bundle@sha256:33a56369c46932a40c67b718df7b10d06b7c3b0ff93b09439a6f3c654c798703
rhosdt/opentelemetry-rhel8-operator@sha256:6b849b43190d300cabc0d9113ffad843e49175a80f38ad5636e20357c722aef1
rhosdt/tempo-gateway-opa-rhel8@sha256:74fb8268f08f8e3902ceeba2ee918bbdae3b4f3247d7df3ae09db88b1ff6112c
rhosdt/tempo-gateway-rhel8@sha256:84e5b718f78e99f5ea97bd72a69d56dd01300dc2d2f23b753de986afb62bb3e3
rhosdt/tempo-operator-bundle@sha256:f38b11f21f25f1c241c079dd85a2e854308577df3adb31724b7dcd0783f29ebe
rhosdt/tempo-query-rhel8@sha256:419de0214012fdadc302ff0a90d10db70321639a0bc3ed512e6fe4fc730b8e1f
rhosdt/tempo-rhel8@sha256:512ce6df09d6bd19a147fff161c6abf7f966e1ef408e74c21435ff5adefa5471
rhosdt/tempo-rhel8-operator@sha256:2dd4b14b120824a67fa0bfa5beb9753f215b5337a1aa65c4fb305fa72a70d006
s390x
rhosdt/jaeger-agent-rhel8@sha256:d26cffb00efb86685fef638702f583f7c157f157246c87366a8d1f77b777cf31
rhosdt/jaeger-all-in-one-rhel8@sha256:6fa1ece1d0e77e540fb80648f318810051025646962da4752420edf6da43caa5
rhosdt/jaeger-collector-rhel8@sha256:f48d37bf230ff3b408302004e7e15d6cd0dedab5877d867b3770863a9d38bea6
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:f1753cf36d7a657a4d60107b342781155289119b39976ddc776c8dd976051766
rhosdt/jaeger-es-rollover-rhel8@sha256:05c490e65a007d04d9006e9be375dc3015eec3ca0c538d5ff24a1b5129c23752
rhosdt/jaeger-ingester-rhel8@sha256:0e0439a327c78aab214d0f00484fe4dafb1c214dfa63c9d1d520f0becc05ae4f
rhosdt/jaeger-operator-bundle@sha256:d220c38ea995ebb78d9df0a8a11c56fcfcc5f26cd6e769cf90c6a703914dcc76
rhosdt/jaeger-query-rhel8@sha256:22177a3d088095292aaae48023477e3069f10cf91586f0236e02b481098eff2d
rhosdt/jaeger-rhel8-operator@sha256:e81105452ece3ccd9d1e7cf9f91d2fbbb06f12b4892289ddc94b0e922321589f
rhosdt/opentelemetry-collector-rhel8@sha256:84e253ca4781b8f6845cbcb6d9ef9e68cd152f72f5217d9befa2b8a47ca67516
rhosdt/opentelemetry-operator-bundle@sha256:b0890928d9ebc88f1fa059112859c5b5b4139e2ea3542724f76f8c9f9d6044ca
rhosdt/opentelemetry-rhel8-operator@sha256:3b8e624b4915d7625551b50b36d2b75a6c3be0fbbfb2be01cb63e972999303ca
rhosdt/tempo-gateway-opa-rhel8@sha256:8f06abe7773af8901a8c4beeea8aed9e464852101cced7acda66aa80444cbafe
rhosdt/tempo-gateway-rhel8@sha256:37208be11e9af9009bd8ad16eb591b78d250bb1603f9e67ad9a1aa31a390772d
rhosdt/tempo-operator-bundle@sha256:d93d10ed6c15912c8b2dd259e0b9008f7c37706e9b6388a5f1b89a7175b99c55
rhosdt/tempo-query-rhel8@sha256:4bfd3efce54c8527d26d9c06ab3e42725d6edb1395ba94c3632b216df7b4948c
rhosdt/tempo-rhel8@sha256:08ac8806edeac078a11dcb00bda791ef869c68287faa3ea577c614c228141bcc
rhosdt/tempo-rhel8-operator@sha256:cf9d2e1f3b7b178b846d4a8e45fe1f4e221cabc0d60d0357768a1580c9df7148
x86_64
rhosdt/jaeger-agent-rhel8@sha256:d8bc6495463d50293f954ce8dd7f70e0416e78baed86cbd4355693f701593c17
rhosdt/jaeger-all-in-one-rhel8@sha256:8af8b45b6a81bc08043171c76414d3e07f96ef160e9d46867ecc7d9b904465eb
rhosdt/jaeger-collector-rhel8@sha256:595b6828dd9cd8d1b6643682ada8d1192cbb5c65a1cfb9da452ad184d2523223
rhosdt/jaeger-es-index-cleaner-rhel8@sha256:acb3481b4a9640fdcea057098d8bafdc17c80dfea8beff51aae912d31d03fd0d
rhosdt/jaeger-es-rollover-rhel8@sha256:97b4b06104ef210e6684f00d2b58406975d08342b8ae537dd3b54c87223d5752
rhosdt/jaeger-ingester-rhel8@sha256:476cece9d0a3a846c4dc008e13ebe86cf52fb49b0963224c8d83ffa00f99baa1
rhosdt/jaeger-operator-bundle@sha256:cd4e0e2caa098465cbc2bd770904f471a9a95059145c01bd4c17689c2217bbd7
rhosdt/jaeger-query-rhel8@sha256:1934e02db3e8462475b7ba51860fb7df81da92e5c3cbaabc2eac0a88350d176a
rhosdt/jaeger-rhel8-operator@sha256:da1cc99bce2cca6127a887fc4c2190f97fb7b5ec3be119cc8ff6bfb2cbc4606d
rhosdt/opentelemetry-collector-rhel8@sha256:0604dab5223b184fe502a493e7d2e96082e17ef3cf9864f37d889ac18aa19876
rhosdt/opentelemetry-operator-bundle@sha256:5c174a544295cf8a2f60ff6e518d157b162ab005ba447e9f147276c026362e01
rhosdt/opentelemetry-rhel8-operator@sha256:7d7bec09d4ab03fd266dcb2f4ba40450d055f3be704367a737ff52ae2d7eb5cf
rhosdt/tempo-gateway-opa-rhel8@sha256:6d75b80bb63ee161721ac638a8c557dee1c22c8aa62404fbcaea860f1a411334
rhosdt/tempo-gateway-rhel8@sha256:2ce312488986d2b998c2d1241ba603353aeda667fe2e8e334e2b69b826127180
rhosdt/tempo-operator-bundle@sha256:7b1846b0f0e31aad9d31cb1deb11b8671e0f12ef2d375bf739c52006e3d3280a
rhosdt/tempo-query-rhel8@sha256:3f7d332ed5e713cb683919824d63570e10664d3ca88a1e62c36a8f765a541140
rhosdt/tempo-rhel8@sha256:b6b8624bf309f0dcdb41a0e3d2d5657529a162b245537d7f08178edd3eef74a2
rhosdt/tempo-rhel8-operator@sha256:bcee0df7299e003f07d5491334d7a961d0d338af8c8a9e1bf2ba942258c8ce30
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 7061-1 - Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. Sohom Datta discovered that Go did not properly validate backticks as Javascript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template.
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template. Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitint...
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
Red Hat Security Advisory 2023-4093-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4093-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4093-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4093-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3540-01 - Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.13.3. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3540-01 - Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.13.3. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3540-01 - Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.13.3. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3540-01 - Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments. This advisory contains the RPM packages for Red Hat build of MicroShift 4.13.3. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A ...
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A ...
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A ...
Red Hat OpenShift Container Platform release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A ...
Ubuntu Security Notice 6140-1 - It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10.
Ubuntu Security Notice 6140-1 - It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10.
Ubuntu Security Notice 6140-1 - It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10.
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
OpenShift Serverless 1.29.0 has been released. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of serv...
OpenShift Serverless 1.29.0 has been released. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of serv...
Red Hat Security Advisory 2023-3323-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Red Hat Security Advisory 2023-3323-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
An update for go-toolset-1.19 and go-toolset-1.19-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24537: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service. * CVE-2023-24538: A flaw was found in Golang Go. This flaw ...
An update for go-toolset-1.19 and go-toolset-1.19-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24537: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service. * CVE-2023-24538: A flaw was found in Golang Go. This flaw ...
Red Hat Security Advisory 2023-3167-01 - New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3167-01 - New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Issues addressed include a denial of service vulnerability.
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMul...
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinte...