RHSA-2022:8626: Red Hat Security Advisory: OpenShift Container Platform 4.11.17 packages and security update
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
- CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY
- CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
- CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Synopsis
Moderate: OpenShift Container Platform 4.11.17 packages and security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Container Platform release 4.11.17 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.11.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2022:8627
Security Fix(es):
- golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html
Affected Products
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for ARM 64 4.11 aarch64
Fixes
- BZ - 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
- BZ - 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
- BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
- BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- OCPBUGS-4045 - Placeholder bug for OCP 4.11.0 rpm release
CVEs
- CVE-2022-1705
- CVE-2022-27664
- CVE-2022-32148
- CVE-2022-32189
Red Hat OpenShift Container Platform 4.11 for RHEL 8
SRPM
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
SHA-256: de99402fd6cd0d2cb8ce18444109753df26b798f3597f0e79d321e5b934b21f3
cri-tools-1.24.2-7.el8.src.rpm
SHA-256: c33a5cc46c82090258df3ff2ba2e719cb19e991d0ce1697f386a458ced7d13a2
ignition-2.14.0-5.rhaos4.11.el8.src.rpm
SHA-256: 23cb03407a87a31fdee7bad7cdac35faa437f736803fdf09c95343bf5e97312a
openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
SHA-256: 571045973f7c7713c4690cc6c179cd8328a418dceb0c73c84cae0f7e38d2cb8b
python-sushy-4.1.3-0.20221107175431.1da4385.el8.src.rpm
SHA-256: 60d41f18bccb532cf9239be301c353258fe22f625287f124cf5d0952361bfed9
x86_64
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
SHA-256: 693fd0c8add6abd1e863ac02d1d23ca24014da2d6765ebfea5f780dec47f6fb7
cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
SHA-256: 9dadbf6a58196b81e507b46bee6133570954ea1217cbaf68ab5cab73d8e69d7b
cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.x86_64.rpm
SHA-256: 6ffc5b38a4e982f92273d5c87be6856e3068273d01f612c328efae4e0cfb3524
cri-tools-1.24.2-7.el8.x86_64.rpm
SHA-256: 5aceaaf287ff5f07d2da8e7481ffbe58556196f8f06a4882e48b297d144b6e45
cri-tools-debuginfo-1.24.2-7.el8.x86_64.rpm
SHA-256: 798cec7c8dab5a804c5ebca3ea820144a691a0e9916f3257635508e6b77124d6
cri-tools-debugsource-1.24.2-7.el8.x86_64.rpm
SHA-256: 709521da0e392cb5d4988bc6eef8c2bec5cf81987229bdca3e588600434e415c
ignition-2.14.0-5.rhaos4.11.el8.x86_64.rpm
SHA-256: aff763e3aa1a524e44e6a048ca878706c1b247f21b795097c8777f74b9e3ec8e
ignition-debuginfo-2.14.0-5.rhaos4.11.el8.x86_64.rpm
SHA-256: 3ab5823c24c84232678047590964a4427f15ef0a4aecded9e9b8ab151d5d859e
ignition-debugsource-2.14.0-5.rhaos4.11.el8.x86_64.rpm
SHA-256: f47f35eb7358721339273233722de940ac35976f114e73b11963ccf761707965
ignition-validate-2.14.0-5.rhaos4.11.el8.x86_64.rpm
SHA-256: 7a35390afdb893e90020973b51bdfabf08958052e31a9566fbad915f0dff857c
ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.x86_64.rpm
SHA-256: 9eba3673c4315ef95c035f5cae961ae5fe3a06ea5714e529680f2fd05e57e690
openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.x86_64.rpm
SHA-256: 6bbb6813da697c8fd5511558c4c997f9577efa04218ecb42054e0a59a4228bd7
python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 793dc33c6967ce00d0bdd92e9604903490a49e6ce33ae9d9da514e95a9a5c784
python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 71c079ea84da5665be9e848ffd8b9a48a63de97958c195cc2c56b682797defa5
Red Hat OpenShift Container Platform for Power 4.11 for RHEL 8
SRPM
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
SHA-256: de99402fd6cd0d2cb8ce18444109753df26b798f3597f0e79d321e5b934b21f3
cri-tools-1.24.2-7.el8.src.rpm
SHA-256: c33a5cc46c82090258df3ff2ba2e719cb19e991d0ce1697f386a458ced7d13a2
ignition-2.14.0-5.rhaos4.11.el8.src.rpm
SHA-256: 23cb03407a87a31fdee7bad7cdac35faa437f736803fdf09c95343bf5e97312a
openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
SHA-256: 571045973f7c7713c4690cc6c179cd8328a418dceb0c73c84cae0f7e38d2cb8b
ppc64le
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
SHA-256: dc56b85a219e207a6bc591c55fc395bbbd1afb6e56adc1c4c3f8b4e695e192c1
cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
SHA-256: fe3c125c5cacba37a2aa81956a5d8b83cc9360ac9f97196ae00b67798f2a7448
cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.ppc64le.rpm
SHA-256: 3cf8ddb7acc432b1bb871b91e039067937c814745c64e9f1751b2d6a34986e21
cri-tools-1.24.2-7.el8.ppc64le.rpm
SHA-256: b1000c152140a0776653a6eba7c1bbf510c8badd9144d2b0e99a9cb88263018b
cri-tools-debuginfo-1.24.2-7.el8.ppc64le.rpm
SHA-256: d12f0d55be5530884172ddc07322e17bdf26e0a1c150f81e875194312213aed2
cri-tools-debugsource-1.24.2-7.el8.ppc64le.rpm
SHA-256: cfc287faf25ef4e6af57fbe1b7756ac287523ad29e9cf6ea3da16e647c89f6db
ignition-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
SHA-256: 77bbd8e560f7aa547ac8f37874b3d93287644b47eef941ce4cb970ed45228ead
ignition-debuginfo-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
SHA-256: 9133ab3a30f3794420e9c85e9fbac0fecec4583bbf127aac2303f9dded6ec7da
ignition-debugsource-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
SHA-256: 82b20c0fc7d939ec48edfc47063a31af4279b70b13c13a165b06e04c075e2b06
ignition-validate-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
SHA-256: 9e4c532c4782fa002d9d706e1b36efe53f06d4fcb2828494a160655fac050322
ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.ppc64le.rpm
SHA-256: 44882519c6d3d6f2271c3f3b6d440e1d79bf804a763a6382b8c7a531840c12ea
openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.ppc64le.rpm
SHA-256: 503888affe39357509e5470ac59aa13ab39977857bc2c977b5419f722449de28
python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 793dc33c6967ce00d0bdd92e9604903490a49e6ce33ae9d9da514e95a9a5c784
python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 71c079ea84da5665be9e848ffd8b9a48a63de97958c195cc2c56b682797defa5
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.11 for RHEL 8
SRPM
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
SHA-256: de99402fd6cd0d2cb8ce18444109753df26b798f3597f0e79d321e5b934b21f3
cri-tools-1.24.2-7.el8.src.rpm
SHA-256: c33a5cc46c82090258df3ff2ba2e719cb19e991d0ce1697f386a458ced7d13a2
ignition-2.14.0-5.rhaos4.11.el8.src.rpm
SHA-256: 23cb03407a87a31fdee7bad7cdac35faa437f736803fdf09c95343bf5e97312a
openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
SHA-256: 571045973f7c7713c4690cc6c179cd8328a418dceb0c73c84cae0f7e38d2cb8b
s390x
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
SHA-256: eb38364124b66adf5c0c12b37b62969b6c0e510e1e138139b04083819025d442
cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
SHA-256: 6d70d0028d4b227964a0944785ac7042aa88d28abfb5ffd1547827bff82d2d10
cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.s390x.rpm
SHA-256: 8ca5a141f62589006d26fd65f8975504c2bb4eca4ebd37f4227f093d508e9ee1
cri-tools-1.24.2-7.el8.s390x.rpm
SHA-256: a9ffda1fddf976f029c0dd44b6f6b02c3b531fabfeb986fe9df45768d1652e7b
cri-tools-debuginfo-1.24.2-7.el8.s390x.rpm
SHA-256: 484e0703f9697cc1dbde5a64833c66a0d12f87a9f0f7a8fbcd27a55b4ce01f7d
cri-tools-debugsource-1.24.2-7.el8.s390x.rpm
SHA-256: f1ab8266bf004f8810839749d5280db092cc60b2d83a20bd302f86521354309d
ignition-2.14.0-5.rhaos4.11.el8.s390x.rpm
SHA-256: 56ac9cb04fc8491f739e8cf2edeb797642e1526d9589ddd2bd118f3503468136
ignition-debuginfo-2.14.0-5.rhaos4.11.el8.s390x.rpm
SHA-256: 037493866488518f784fcfe7de28761586dafd95f3dd9d7de5b558deb0e5db00
ignition-debugsource-2.14.0-5.rhaos4.11.el8.s390x.rpm
SHA-256: d58cf35492a78274b8c1898995774775cc64c0f8489e8c9b453e737548c1a920
ignition-validate-2.14.0-5.rhaos4.11.el8.s390x.rpm
SHA-256: a414f316cd6a16670fe4860047ac3a92e9b82fd949fa3e8ba7d60ec3e9f727a2
ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.s390x.rpm
SHA-256: 70b0e2ac2e3b2bd1d4c2692681303464c68a20a8c276619c2aa5bae2fd1fe841
openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.s390x.rpm
SHA-256: 3e9ace5222a55309fb5fb3f32f5db1875f1038638e2d85f278e4ce930ce4064a
python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 793dc33c6967ce00d0bdd92e9604903490a49e6ce33ae9d9da514e95a9a5c784
python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 71c079ea84da5665be9e848ffd8b9a48a63de97958c195cc2c56b682797defa5
Red Hat OpenShift Container Platform for ARM 64 4.11
SRPM
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.src.rpm
SHA-256: de99402fd6cd0d2cb8ce18444109753df26b798f3597f0e79d321e5b934b21f3
cri-tools-1.24.2-7.el8.src.rpm
SHA-256: c33a5cc46c82090258df3ff2ba2e719cb19e991d0ce1697f386a458ced7d13a2
ignition-2.14.0-5.rhaos4.11.el8.src.rpm
SHA-256: 23cb03407a87a31fdee7bad7cdac35faa437f736803fdf09c95343bf5e97312a
openshift-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.src.rpm
SHA-256: 571045973f7c7713c4690cc6c179cd8328a418dceb0c73c84cae0f7e38d2cb8b
python-sushy-4.1.3-0.20221107175431.1da4385.el8.src.rpm
SHA-256: 60d41f18bccb532cf9239be301c353258fe22f625287f124cf5d0952361bfed9
aarch64
cri-o-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
SHA-256: 712a1c07b681ce0382f13ca4d4cdbd9392a6c8c012d14c96580795b63d61654c
cri-o-debuginfo-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
SHA-256: e8be745290999e7abca45ed1220ac38c864fab8213a8757428fdfdb6872261f6
cri-o-debugsource-1.24.3-6.rhaos4.11.gitc4567c0.el8.aarch64.rpm
SHA-256: 197a4d0f39ff9827f93615dfe7fe4afce152034f699a1a48d69925270d022043
cri-tools-1.24.2-7.el8.aarch64.rpm
SHA-256: 5b9abfa7a5734192309a52ede40d9db72856c9712c6ade680746d3ad2c52fbc6
cri-tools-debuginfo-1.24.2-7.el8.aarch64.rpm
SHA-256: 35cb8465998d3fda9cbba041f673d02fcc35913719f7680bb10b10457207f69c
cri-tools-debugsource-1.24.2-7.el8.aarch64.rpm
SHA-256: a8ede3ff20ace5f139d6b64d8edd0285383c011c6f6c76cdfd8946e69ad1e22f
ignition-2.14.0-5.rhaos4.11.el8.aarch64.rpm
SHA-256: 011057ae665101582d71971431f50ce9eca6a4b9e780b2dc3fdc48ab1e2d1086
ignition-debuginfo-2.14.0-5.rhaos4.11.el8.aarch64.rpm
SHA-256: 715c8ee9776298739a31a87f7a7d77fd639e1b6267d8336b8cf3a557c73f1ab9
ignition-debugsource-2.14.0-5.rhaos4.11.el8.aarch64.rpm
SHA-256: 4a8c03e1a43530b536706b2a9d4980580a6dd1119ef8cd314b0b577f540bebca
ignition-validate-2.14.0-5.rhaos4.11.el8.aarch64.rpm
SHA-256: 8ebedc5faeeb7e5294dd284bd4c19b1f0751ae6b1c05997887a7452ffecdda4d
ignition-validate-debuginfo-2.14.0-5.rhaos4.11.el8.aarch64.rpm
SHA-256: 3b0064673b44f6e8ab470864a4e83c2db67fc9d45d3c8114894f9598fdc5b79d
openshift-hyperkube-4.11.0-202211091106.p0.g5658434.assembly.stream.el8.aarch64.rpm
SHA-256: 5206299331fabae84bc2f5c8e3d3c99aa29408fdc4ac1e95dcbe3f173e4ca774
python3-sushy-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 793dc33c6967ce00d0bdd92e9604903490a49e6ce33ae9d9da514e95a9a5c784
python3-sushy-tests-4.1.3-0.20221107175431.1da4385.el8.noarch.rpm
SHA-256: 71c079ea84da5665be9e848ffd8b9a48a63de97958c195cc2c56b682797defa5
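The package table above pairs every RPM with its SHA-256 digest, which is what lets an operator confirm that a locally downloaded or mirrored package is the exact file Red Hat published. The following POSIX shell script is an added example, not part of the advisory or of any Red Hat tooling: it reads a manifest in the advisory's own layout (a filename line followed by a "SHA-256: <hex>" line, section headers such as SRPM or x86_64 ignored) and checks each listed file in a directory. The function names, the manifest filename and the stand-in package names and payloads used in its demonstration are all constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): verify downloaded RPMs
# against "<file>" / "SHA-256: <hex>" pairs copied from the advisory's
# package table before they are pushed to a mirror or installed on a node.
#
# Assumed manifest format: one line with the RPM filename, followed by one
# line "SHA-256: <64 hex chars>", exactly as the advisory lists them.
# Section headers (SRPM, x86_64, ppc64le, ...) and blank lines are skipped.

# Digest of one file; falls back to shasum where coreutils is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Turn an advisory-style manifest into "<expected-hex>  <filename>" lines.
manifest_to_sums() {
    awk '
        /^SHA-256: / { if (file != "") { print $2 "  " file; file = "" }; next }
        /\.rpm$/     { file = $1; next }
    ' "$1"
}

# verify_rpm_checksums MANIFEST DIR
# Exit status: 0 = every listed file present and matching,
#              1 = at least one digest mismatch,
#              2 = at least one listed file missing from DIR.
verify_rpm_checksums() {
    manifest=$1
    dir=$2
    sums=$(mktemp)
    manifest_to_sums "$manifest" > "$sums"
    status=0
    # Redirect into the loop (not a pipe) so $status survives the loop.
    while read -r expected file; do
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING  $file"
            status=2
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (expected $expected, got $actual)"
            [ "$status" -eq 0 ] && status=1
        fi
    done < "$sums"
    rm -f "$sums"
    return "$status"
}

# Constructed demonstration: two stand-in "packages" in a temporary directory
# and a manifest written in the advisory's layout. MODE is one of
# clean, tampered or missing and selects the scenario to exercise.
demo_verify() {
    mode=$1
    work=$(mktemp -d)
    pkg="example-1.0-1.el8.x86_64.rpm"
    dbg="example-debuginfo-1.0-1.el8.x86_64.rpm"
    printf 'constructed stand-in for an rpm payload\n' > "$work/$pkg"
    printf 'second constructed payload\n' > "$work/$dbg"
    good_pkg=$(sha256_of "$work/$pkg")
    good_dbg=$(sha256_of "$work/$dbg")
    case $mode in
        tampered) printf 'altered payload\n' > "$work/$pkg" ;;
        missing)  rm -f "$work/$dbg" ;;
    esac
    {
        echo "x86_64"
        echo "$pkg"
        echo "SHA-256: $good_pkg"
        echo "$dbg"
        echo "SHA-256: $good_dbg"
    } > "$work/manifest.txt"
    verify_rpm_checksums "$work/manifest.txt" "$work"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Stand-alone run: show a tampered package being caught.
demo_verify tampered && rc=0 || rc=$?
echo "verification exit status: $rc"
```

A matching digest only proves the file is byte-for-byte the one listed in this advisory; it does not replace signature checking. On a RHEL host, `rpm -K <file>.rpm` (equivalently `rpm --checksig`) verifies the package's GPG signature against the imported Red Hat key, and both checks belong in a mirror's intake step.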
Related news
Red Hat Security Advisory 2023-4674-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.30.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3204-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 RPMs. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, ...
An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.
Ubuntu Security Notice 6038-1 - It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting into a denial of service.
Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1275-01 - An update for etcd is now available for Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-1962: A flaw was found in the golang standard library, go/par...
Red Hat Security Advisory 2023-0708-01 - Red Hat OpenShift Serverless Client kn 1.27.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.
The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...
Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...
Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...
Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.
Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-7401-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.
Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.5.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8634-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8534-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.
An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...
Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.
Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...
Red Hat Security Advisory 2022-6183-01 - Logging Subsystem 5.4.5 for Red Hat OpenShift has been released. Issues addressed include a stack exhaustion vulnerability.
Red Hat Security Advisory 2022-6344-01 - Logging Subsystem 5.5.1 for Red Hat OpenShift has been released. Issues addressed include a stack exhaustion vulnerability.
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Logging Subsystem 5.5.1 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
Logging Subsystem 5.4.5 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
Red Hat Security Advisory 2022-6187-01 - This is an updated release of the Node Health Check Operator. You can use the Node Health Check Operator to deploy the Node Health Check controller. The controller identifies unhealthy nodes and uses the Self Node Remediation Operator to remediate the unhealthy nodes.
An update for node-healthcheck-operator-bundle-container and node-healthcheck-operator-container is now available for Node Healthcheck Operator 0.3 for RHEL 8. This Operator is delivered by Red Hat Workload Availability. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-30631: golang: compress/gzip: stack exhaust...
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
Release of OpenShift Serverless 1.24.0. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-1996: go-restful: Authorization Bypass Through User-Controlled Key * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * C...
Gentoo Linux Security Advisory 202208-2 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.
In Docker before versions 19.03.15 and 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.