RHSA-2022:8626: Red Hat Security Advisory: OpenShift Container Platform 4.11.17 packages and security update

Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
  • CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY
  • CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Red Hat Security Data

Synopsis

Moderate: OpenShift Container Platform 4.11.17 packages and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat OpenShift Container Platform release 4.11.17 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2022:8627

Security Fix(es):

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
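The X-Forwarded-For opt-out that CVE-2022-32148 broke, shown as an added example (not code from this advisory, from Red Hat, or from the Go project): it relies on the documented httputil behaviour that a nil map entry for X-Forwarded-For in the inbound Request.Header tells ReverseProxy not to populate the header, runs a proxy in front of an in-process httptest backend, and reports what the backend received. On a fixed Go toolchain the omit case yields no header at all; on an affected build the client address was forwarded anyway. The names proxyHandler and forwardedXFF, the backend, and the 10.0.0.1 value are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// proxyHandler wraps a single-host ReverseProxy. When omitXFF is true the
// handler stores a nil entry for X-Forwarded-For in the inbound Request.Header
// before handing off to the proxy; per the httputil documentation a nil entry
// means "do not populate this header". On Go builds affected by CVE-2022-32148
// the nil entry was lost while the request was cloned, so the proxy appended
// the client IP anyway and exposed the client address to the backend even
// though the operator had opted out. Setting nil also discards any
// client-supplied (spoofable) X-Forwarded-For value.
func proxyHandler(backend *url.URL, omitXFF bool) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if omitXFF {
			r.Header["X-Forwarded-For"] = nil
		}
		proxy.ServeHTTP(w, r)
	})
}

// forwardedXFF sends one request through the proxy and returns the
// X-Forwarded-For value the backend received ("" when the header was absent).
// clientHeader, when non-empty, is an X-Forwarded-For value the client itself
// sends, standing in for a spoofing attempt or an upstream proxy.
func forwardedXFF(omitXFF bool, clientHeader string) (string, error) {
	var seen string
	// Constructed backend: it only records the header it was given.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("X-Forwarded-For")
	}))
	defer backend.Close()

	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	front := httptest.NewServer(proxyHandler(backendURL, omitXFF))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL, nil)
	if err != nil {
		return "", err
	}
	if clientHeader != "" {
		req.Header.Set("X-Forwarded-For", clientHeader)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	cases := []struct {
		omit   bool
		client string
	}{
		{false, ""},
		{false, "10.0.0.1"},
		{true, ""},
		{true, "10.0.0.1"},
	}
	for _, c := range cases {
		got, err := forwardedXFF(c.omit, c.client)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("omit=%-5v client-sent=%-10q backend saw X-Forwarded-For=%q\n", c.omit, c.client, got)
	}
}
```

Without the opt-out the backend sees the proxy's view of the client IP, and a client-sent value is kept and appended to, which is why a proxy that is not the first hop should strip or replace the header rather than trust it.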

All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

Affected Products

  • Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.11 aarch64

Fixes

  • BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
  • BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • OCPBUGS-4045 - Placeholder bug for OCP 4.11.0 rpm release

CVEs

  • CVE-2022-1705
  • CVE-2022-27664
  • CVE-2022-32148
  • CVE-2022-32189

Red Hat OpenShift Container Platform 4.11 for RHEL 8

SRPM

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
  • cri-tools-1.24.2-7.el8.src.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.src.rpm
  • openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
  • python-sushy-4.1.3-0.20221107175431.1da4385.el8.src.rpm

x86_64

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
  • cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
  • cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
  • cri-tools-1.24.2-7.el8.x86_64.rpm
  • cri-tools-debuginfo-1.24.2-7.el8.x86_64.rpm
  • cri-tools-debugsource-1.24.2-7.el8.x86_64.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.x86_64.rpm
  • ignition-debuginfo-2.14.0-5.rhaos4.11.el8.x86_64.rpm
  • ignition-debugsource-2.14.0-5.rhaos4.11.el8.x86_64.rpm
  • ignition-validate-2.14.0-5.rhaos4.11.el8.x86_64.rpm
  • ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.x86_64.rpm
  • openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.x86_64.rpm
  • python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
  • python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm

Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8

SRPM

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
  • cri-tools-1.24.2-7.el8.src.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.src.rpm
  • openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm

ppc64le

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
  • cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
  • cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
  • cri-tools-1.24.2-7.el8.ppc64le.rpm
  • cri-tools-debuginfo-1.24.2-7.el8.ppc64le.rpm
  • cri-tools-debugsource-1.24.2-7.el8.ppc64le.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
  • ignition-debuginfo-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
  • ignition-debugsource-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
  • ignition-validate-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
  • ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
  • openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.ppc64le.rpm
  • python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
  • python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8

SRPM

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
  • cri-tools-1.24.2-7.el8.src.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.src.rpm
  • openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm

s390x

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
  • cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
  • cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
  • cri-tools-1.24.2-7.el8.s390x.rpm
  • cri-tools-debuginfo-1.24.2-7.el8.s390x.rpm
  • cri-tools-debugsource-1.24.2-7.el8.s390x.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.s390x.rpm
  • ignition-debuginfo-2.14.0-5.rhaos4.11.el8.s390x.rpm
  • ignition-debugsource-2.14.0-5.rhaos4.11.el8.s390x.rpm
  • ignition-validate-2.14.0-5.rhaos4.11.el8.s390x.rpm
  • ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.s390x.rpm
  • openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.s390x.rpm
  • python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
  • python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm

Red Hat OpenShift Container Platform for ARM 64 4.11

SRPM

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
  • cri-tools-1.24.2-7.el8.src.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.src.rpm
  • openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
  • python-sushy-4.1.3-0.20221107175431.1da4385.el8.src.rpm

aarch64

  • cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
  • cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
  • cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
  • cri-tools-1.24.2-7.el8.aarch64.rpm
  • cri-tools-debuginfo-1.24.2-7.el8.aarch64.rpm
  • cri-tools-debugsource-1.24.2-7.el8.aarch64.rpm
  • ignition-2.14.0-5.rhaos4.11.el8.aarch64.rpm
  • ignition-debuginfo-2.14.0-5.rhaos4.11.el8.aarch64.rpm
  • ignition-debugsource-2.14.0-5.rhaos4.11.el8.aarch64.rpm
  • ignition-validate-2.14.0-5.rhaos4.11.el8.aarch64.rpm
  • ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.aarch64.rpm
  • openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.aarch64.rpm
  • python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
  • python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm

Related news

Red Hat Security Advisory 2023-4674-01

Red Hat Security Advisory 2023-4674-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.30.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

Red Hat Security Advisory 2023-3642-01

Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.

RHSA-2023:3644: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Red Hat Security Advisory 2023-0584-01

Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3204-01

Red Hat Security Advisory 2023-3204-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 RPMs. Issues addressed include a denial of service vulnerability.

RHSA-2023:3204: Red Hat Security Advisory: OpenShift Virtualization 4.13.0 RPMs security and bug fix update

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...

RHSA-2023:2784: Red Hat Security Advisory: grafana security update

An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...

RHSA-2023:2204: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, ...

RHSA-2023:2357: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...

RHSA-2023:2167: Red Hat Security Advisory: grafana security and enhancement update

An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...

Red Hat Security Advisory 2023-2041-01

Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.

Ubuntu Security Notice USN-6038-1

Ubuntu Security Notice 6038-1 - It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service.

Red Hat Security Advisory 2023-1529-01

Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1275-01

Red Hat Security Advisory 2023-1275-01 - An update for etcd is now available for Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

RHSA-2023:1042: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-1962: A flaw was found in the golang standard library, go/par...

Red Hat Security Advisory 2023-0708-01

Red Hat Security Advisory 2023-0708-01 - Red Hat OpenShift Serverless Client kn 1.27.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.

RHSA-2023:0693: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...

RHSA-2023:0631: Red Hat Security Advisory: RHSA: Submariner 0.14 - bug fix and security updates

Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0408: Red Hat Security Advisory: OpenShift Virtualization 4.12.0 Images security update

Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...

Red Hat Security Advisory 2023-0069-01

Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.

Red Hat Security Advisory 2023-0264-01

Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7401-01

Red Hat Security Advisory 2022-7401-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:9047: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...

CVE-2022-41296: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

IBM Db2U 3.5, 4.0, and 4.5 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.

Red Hat Security Advisory 2022-8781-01

Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.

RHSA-2022:8781: Red Hat Security Advisory: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Logging Subsystem 5.5.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...

Red Hat Security Advisory 2022-8626-01

Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8634-01

Red Hat Security Advisory 2022-8634-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

RHSA-2022:8634: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.1 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...

Red Hat Security Advisory 2022-8535-01

Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8534-01

Red Hat Security Advisory 2022-8534-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.

RHSA-2022:8535: Red Hat Security Advisory: OpenShift Container Platform 4.11.16 security update

Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...

RHSA-2022:8534: Red Hat Security Advisory: OpenShift Container Platform 4.11.16 security update

Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

RHSA-2022:7950: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

RHSA-2022:7548: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

Red Hat Security Advisory 2022-7129-01

Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.

RHSA-2022:7129: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...

Gentoo Linux Security Advisory 202209-26

Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.

Red Hat Security Advisory 2022-6430-01

Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

RHSA-2022:6430: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update

OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...

Red Hat Security Advisory 2022-6183-01

Red Hat Security Advisory 2022-6183-01 - Logging Subsystem 5.4.5 for Red Hat OpenShift has been released. Issues addressed include a stack exhaustion vulnerability.

Red Hat Security Advisory 2022-6344-01

Red Hat Security Advisory 2022-6344-01 - Logging Subsystem 5.5.1 for Red Hat OpenShift has been released. Issues addressed include a stack exhaustion vulnerability.

CVE-2022-27664: [security] Go 1.19.1 and Go 1.18.6 are released

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if the shutdown is preempted by a fatal error.
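
Every Go advisory on this page is stated as a pair of fixed patch releases (here 1.18.6 and 1.19.1), and the practical question for an operator is which of the Go binaries in a fleet were built before those fixes. The following is an added example, not part of the advisory text or of the Go project: it parses a Go release string of the form that `runtime.Version()` returns and that `go version -m <binary>` prints for a compiled program, and scores it against the fixed versions quoted on this page for CVE-2022-27664, CVE-2022-32148, CVE-2022-1705 and CVE-2022-32189. The policy that a minor line older than the oldest fixed line never received the fix, and that a newer line was cut after it, is the example's own assumption; pre-release strings such as `go1.19rc2` are rejected rather than guessed at.

```go
package main

import (
	"fmt"
	"runtime"
	"sort"
	"strconv"
	"strings"
)

// goVersion is a parsed Go release string such as "go1.18.5" (the format
// of runtime.Version() and of the "go" line in `go version -m <binary>`).
type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts only final releases ("go1.19", "go1.18.5");
// pre-release or development builds ("go1.19rc2", "devel ...") return an
// error so they are checked by hand rather than silently mis-scored.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("not a release version %q", s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// fixedIn maps a minor release line (18 for go1.18.x) to the first patch
// release of that line that carries the fix.
type fixedIn map[int]int

// affected reports whether v predates the fix. Assumption of this example:
// lines older than the oldest fixed line never received the fix, lines newer
// than the newest fixed line were cut after it and therefore contain it.
func (f fixedIn) affected(v goVersion) bool {
	if v.major != 1 || len(f) == 0 {
		return false // only Go 1.x lines are scored here
	}
	lo, hi := -1, -1
	for minor := range f {
		if lo < 0 || minor < lo {
			lo = minor
		}
		if minor > hi {
			hi = minor
		}
	}
	switch {
	case v.minor < lo:
		return true
	case v.minor > hi:
		return false
	}
	patch, ok := f[v.minor]
	if !ok {
		return true // a line between two fixed lines with no entry: be conservative
	}
	return v.patch < patch
}

// pageFixes records the fixed versions exactly as the advisories on this
// page state them (CVE-2022-27664: 1.18.6 / 1.19.1; CVE-2022-32148 and
// CVE-2022-1705: 1.17.12 / 1.18.4; CVE-2022-32189: 1.17.13 / 1.18.5).
var pageFixes = map[string]fixedIn{
	"CVE-2022-27664": {18: 6, 19: 1},
	"CVE-2022-32148": {17: 12, 18: 4},
	"CVE-2022-1705":  {17: 12, 18: 4},
	"CVE-2022-32189": {17: 13, 18: 5},
}

// vulnerableCVEs returns, sorted, the CVEs from pageFixes whose fix is
// missing from a binary built with the given Go version.
func vulnerableCVEs(version string) ([]string, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return nil, err
	}
	var out []string
	for cve, f := range pageFixes {
		if f.affected(v) {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	for _, ver := range []string{"go1.17.13", "go1.18.4", "go1.18.6", "go1.19.1", runtime.Version()} {
		cves, err := vulnerableCVEs(ver)
		if err != nil {
			fmt.Printf("%-10s %v\n", ver, err)
			continue
		}
		fmt.Printf("%-10s missing fixes for: %v\n", ver, cves)
	}
}
```

Run `go version -m` against the binaries inside a container image to obtain the toolchain string, then feed it to `vulnerableCVEs`. For 1.17.13 the check still flags CVE-2022-27664, because that fix was only issued for the 1.18 and 1.19 lines, which is exactly why vendors such as Red Hat rebuild their Go-based components rather than patching in place.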

RHSA-2022:6344: Red Hat Security Advisory: Logging Subsystem 5.5.1 Security and Bug Fix Update

Logging Subsystem 5.5.1 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

RHSA-2022:6183: Red Hat Security Advisory: Logging Subsystem 5.4.5 Security and Bug Fix Update

Logging Subsystem 5.4.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

Red Hat Security Advisory 2022-6187-01

Red Hat Security Advisory 2022-6187-01 - This is an updated release of the Node Health Check Operator. You can use the Node Health Check Operator to deploy the Node Health Check controller. The controller identifies unhealthy nodes and uses the Self Node Remediation Operator to remediate the unhealthy nodes.

RHSA-2022:6187: Red Hat Security Advisory: Node Health Check Operator 0.3.1 security update

An update for node-healthcheck-operator-bundle-container and node-healthcheck-operator-container is now available for Node Healthcheck Operator 0.3 for RHEL 8. This Operator is delivered by Red Hat Workload Availability. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-30631: golang: compress/gzip: stack exhaust...

Red Hat Security Advisory 2022-6040-01

Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.

CVE-2022-32148

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
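
The documented way to stop `httputil.ReverseProxy` from appending the client address is to leave a nil value under the `X-Forwarded-For` key (a `Header.Del` would simply let the proxy re-add it); CVE-2022-32148 is the case where that nil marker was lost when the request was cloned, so the client IP leaked to the upstream anyway. The following is an added example, not code from the advisory or from the Go project, that exercises the three cases a practitioner cares about against the running toolchain: the default append, the append behind an earlier hop, and the nil suppression. Network access is replaced by a hypothetical `captureTransport` that records the outbound request, and `backend.internal:8080` and the addresses are assumed values.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// captureTransport stands in for the network: it records the request the
// proxy would have sent upstream and answers with a canned 200.
type captureTransport struct{ sent *http.Request }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.sent = r
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    r,
	}, nil
}

// forwardedFor pushes one request from clientAddr through
// NewSingleHostReverseProxy and returns the X-Forwarded-For value the
// upstream would see ("" when the header is absent). prior simulates a
// value already set by an earlier hop. When omit is true the handler marks
// the header as nil before calling ServeHTTP, which net/http documents as the
// way to suppress it; in the affected versions that marker was lost and the
// client IP was forwarded anyway.
func forwardedFor(omit bool, clientAddr string, prior []string) string {
	target, _ := url.Parse("http://backend.internal:8080") // assumed upstream
	proxy := httputil.NewSingleHostReverseProxy(target)
	ct := &captureTransport{}
	proxy.Transport = ct

	req := httptest.NewRequest(http.MethodGet, "http://edge.example/api", nil)
	req.RemoteAddr = clientAddr
	if prior != nil {
		req.Header["X-Forwarded-For"] = prior
	}
	if omit {
		req.Header["X-Forwarded-For"] = nil // nil, not Del: Del would let the proxy re-add it
	}
	proxy.ServeHTTP(httptest.NewRecorder(), req)

	// A nil-valued key may remain in the map; Header.Write emits nothing for it,
	// so joining the values gives exactly what would go on the wire.
	return strings.Join(ct.sent.Header["X-Forwarded-For"], ", ")
}

func main() {
	fmt.Printf("default:        %q\n", forwardedFor(false, "203.0.113.7:4242", nil))
	fmt.Printf("behind one hop: %q\n", forwardedFor(false, "203.0.113.7:4242", []string{"198.51.100.2"}))
	fmt.Printf("omitted:        %q\n", forwardedFor(true, "203.0.113.7:4242", nil))
}
```

On a fixed toolchain the third call returns an empty string; on an affected one it returns the client address, which makes this a cheap regression test to keep next to any proxy that promises not to disclose client IPs. Go 1.20 later added a `Rewrite` hook on `ReverseProxy` that does not add `X-Forwarded-For` unless `ProxyRequest.SetXForwarded` is called, which removes the need for the nil trick in new code.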

CVE-2022-1705

Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
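
Request smuggling needs two parsers that disagree about where a message body ends, and the advisory above is explicit that the Go client bug only matters "if combined with an intermediate server that also improperly fails to reject the header". The following is an added example, not part of the advisory or of net/http, showing the strict framing policy a front-end or proxy should apply so that it is never the permissive half of that pair: one `Transfer-Encoding` field at most and only `chunked`, `Content-Length` a single well-formed integer, and never both. The sample requests are constructed for the demonstration, not captured traffic.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/textproto"
	"strings"
)

// checkFraming applies a deliberately strict body-framing policy, in the
// same spirit as net/http's own rule, to a parsed HTTP/1.x header block:
// at most one Transfer-Encoding field, and it must be exactly "chunked";
// Content-Length must be a single non-negative integer (repeats allowed only
// if identical); the two must never appear together. Anything else is
// ambiguous framing that two parsers might resolve differently, which is the
// precondition for request smuggling.
func checkFraming(h textproto.MIMEHeader) error {
	te := h.Values("Transfer-Encoding")
	cl := h.Values("Content-Length")

	if len(te) > 1 {
		return fmt.Errorf("multiple Transfer-Encoding fields: %q", te)
	}
	if len(te) == 1 {
		if !strings.EqualFold(te[0], "chunked") {
			return fmt.Errorf("unsupported transfer encoding: %q", te[0])
		}
		if len(cl) > 0 {
			return errors.New("Transfer-Encoding and Content-Length both present")
		}
	}
	for _, v := range cl {
		if v == "" || strings.Trim(v, "0123456789") != "" {
			return fmt.Errorf("malformed Content-Length: %q", v)
		}
		if v != cl[0] {
			return fmt.Errorf("conflicting Content-Length values: %q", cl)
		}
	}
	return nil
}

// parseRequestHead reads the request line and header block of a raw
// HTTP/1.x request (the body is left unread) and returns the request line
// together with the verdict of checkFraming.
func parseRequestHead(raw string) (string, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	line, err := tp.ReadLine()
	if err != nil {
		return "", err
	}
	h, err := tp.ReadMIMEHeader()
	if err != nil {
		return line, err
	}
	return line, checkFraming(h)
}

// Constructed sample requests for the demo; they are not captured traffic.
const (
	okChunked  = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
	okLength   = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
	teAndCL    = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
	teList     = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: gzip, chunked\r\n\r\n"
	teTwice    = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n"
	clConflict = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 40\r\n\r\n"
)

func main() {
	samples := map[string]string{
		"chunked only": okChunked, "length only": okLength, "TE+CL": teAndCL,
		"TE list": teList, "TE twice": teTwice, "CL conflict": clConflict,
	}
	for name, raw := range samples {
		line, err := parseRequestHead(raw)
		if err != nil {
			fmt.Printf("%-13s %s -> reject: %v\n", name, line, err)
		} else {
			fmt.Printf("%-13s %s -> accept\n", name, line)
		}
	}
}
```

Rejecting rather than "fixing" an ambiguous message is the point: RFC 7230 permits a recipient to let `Transfer-Encoding` override `Content-Length`, but a proxy that quietly does so and forwards the message is exactly the intermediate the advisory warns about. A hard 400 at the edge removes the disagreement instead of resolving it one way and hoping the next hop agrees.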

CVE-2022-32189: math/big: index out of range in Float.GobDecode · Issue #53871 · golang/go

A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
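
`encoding/gob` hands a `GobDecode` method whatever bytes the incoming message claims belong to that value, so a peer who can send gob data can choose the length, and on an unpatched toolchain a short `big.Float` or `big.Rat` payload turns into an index-out-of-range panic in the receiving process. The following is an added example, not code from the advisory or from math/big, that shows the two things a practitioner wants to confirm: that decoding is wrapped so a panic becomes an error rather than a crash, and how the running toolchain behaves on truncated input. The encode-then-truncate helper is the example's own construction.

```go
package main

import (
	"fmt"
	"math/big"
)

// gobDecoder is satisfied by *big.Float and *big.Rat, the two types named
// in the advisory.
type gobDecoder interface{ GobDecode([]byte) error }

// gobEncoder is the matching encode side, used here only to build inputs.
type gobEncoder interface{ GobEncode() ([]byte, error) }

// safeDecode runs dst.GobDecode(buf) and converts a panic inside the
// decoder, which is what a truncated message triggers on an unpatched
// toolchain, into an ordinary error. A patched toolchain returns an error
// itself, so callers see the same shape either way.
func safeDecode(dst gobDecoder, buf []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("gob decode panicked: %v", r)
		}
	}()
	return dst.GobDecode(buf)
}

// roundTripFloat encodes f and decodes it into a fresh Float, reporting
// whether value and precision survived.
func roundTripFloat(f *big.Float) (bool, error) {
	buf, err := f.GobEncode()
	if err != nil {
		return false, err
	}
	var g big.Float
	if err := safeDecode(&g, buf); err != nil {
		return false, err
	}
	return g.Cmp(f) == 0 && g.Prec() == f.Prec(), nil
}

// decodeTruncated encodes src, keeps only its first n bytes and decodes
// them into dst; the returned error is what the caller would get for a
// message an attacker cut short. nil means the truncated input was accepted.
func decodeTruncated(src gobEncoder, dst gobDecoder, n int) error {
	buf, err := src.GobEncode()
	if err != nil {
		return err
	}
	if n > len(buf) {
		n = len(buf)
	}
	return safeDecode(dst, buf[:n])
}

func main() {
	f := big.NewFloat(3.141592653589793)
	ok, err := roundTripFloat(f)
	fmt.Println("full Float round-trips:", ok, err)
	fmt.Println("Float cut to 3 bytes:  ", decodeTruncated(f, new(big.Float), 3))
	fmt.Println("Float cut to 8 bytes:  ", decodeTruncated(f, new(big.Float), 8))
	fmt.Println("Rat cut to 3 bytes:    ", decodeTruncated(big.NewRat(22, 7), new(big.Rat), 3))
}
```

The recover is a containment measure, not a substitute for the upgrade: `net/http` already recovers panics per connection, but a custom TCP or RPC loop that feeds gob straight into `math/big` types will die with the goroutine unless something like `safeDecode` sits at the decode boundary. Note that an empty buffer is accepted by both decoders as the zero value by design, so "too short" means a non-empty prefix, which is what the 3-byte and 8-byte cases exercise.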

RHSA-2022:6040: Red Hat Security Advisory: Release of OpenShift Serverless 1.24.0

Release of OpenShift Serverless 1.24.0. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * C...

Gentoo Linux Security Advisory 202208-02

Gentoo Linux Security Advisory 202208-02 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 19.03.15 and 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.