RHSA-2023:2780: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
  • CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request’s Form field is set after the ReverseProxy Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
  • CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
  • CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, making a relatively small regexp consume large amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
  • CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
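Added example (not Red Hat's or the Go project's code) of the sanitization behaviour the CVE-2022-2880 entry describes: a helper that drops query pairs net/url rejects (invalid percent-escapes, semicolon separators), a companion that lists the dropped pairs for logging, and a ReverseProxy Director that applies the helper explicitly instead of relying on the library's Form-field signal. The backend URL and sample query are placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// sanitizeRawQuery keeps only the "key=value" pairs of a raw query string
// that net/url can parse on their own. Pairs using a semicolon separator or
// an invalid percent-escape, which net/http rejects on the inbound side, are
// dropped so they are never forwarded to the backend. This is a constructed
// illustration of the CVE-2022-2880 fix, not the net/http/httputil source.
func sanitizeRawQuery(raw string) string {
	var kept []string
	for _, pair := range strings.Split(raw, "&") {
		if pair == "" {
			continue
		}
		// url.ParseQuery reports an error for an invalid escape ("%zz")
		// and for a semicolon used as a separator ("role=admin;debug=1").
		if _, err := url.ParseQuery(pair); err != nil {
			continue
		}
		kept = append(kept, pair)
	}
	return strings.Join(kept, "&")
}

// droppedParams returns the pairs sanitizeRawQuery would remove, which is
// what a defender wants to log when a client sends an unparseable query.
func droppedParams(raw string) []string {
	var dropped []string
	for _, pair := range strings.Split(raw, "&") {
		if pair == "" {
			continue
		}
		if _, err := url.ParseQuery(pair); err != nil {
			dropped = append(dropped, pair)
		}
	}
	return dropped
}

// newProxy builds a ReverseProxy whose Director rewrites the outbound query
// through sanitizeRawQuery. The fixed library only cleans the query when the
// outbound request's Form field is set; doing it here makes the behaviour
// explicit and independent of the Go version the binary was built with.
func newProxy(backend *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	director := proxy.Director
	proxy.Director = func(req *http.Request) {
		director(req)
		if dropped := droppedParams(req.URL.RawQuery); len(dropped) > 0 {
			fmt.Printf("dropped unparseable query params: %v\n", dropped)
		}
		req.URL.RawQuery = sanitizeRawQuery(req.URL.RawQuery)
	}
	return proxy
}

func main() {
	// Constructed sample: one good pair, one bad escape, one semicolon pair.
	raw := "user=alice&token=%zz&role=admin;debug=1"
	fmt.Println("inbound :", raw)
	fmt.Println("outbound:", sanitizeRawQuery(raw)) // user=alice
	fmt.Println("dropped :", droppedParams(raw))
	backend, _ := url.Parse("http://backend.internal:8080") // placeholder
	_ = newProxy(backend)
}
```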
Synopsis

Moderate: Image Builder security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
  • golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2033192 - weldr-client doesn’t convert --size to bytes before sending it to osbuild-composer
  • BZ - 2063126 - [Azure] Suggest to add 68-azure-sriov-nm-unmanaged.rules
  • BZ - 2072834 - [Azure][image] Suggest to enable nm-cloud-setup.timer in Azure images
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2132254 - Update Image Builder suite of projects to their latest upstream releases [RHEL-8.8]
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2136503 - osbuild-composer can’t access /var/cache/osbuild-composer/rpmmd on package upgrade from 8.6
  • BZ - 2139721 - [cockpit-composer] RHEL 8.8 Tier 0 Localization
  • BZ - 2141738 - Image builder fails with Volume group “XXX” has insufficient free space (975 extents): 977 required.
  • BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
  • BZ - 2168666 - Rebase to weldr-client v35.9

CVEs

  • CVE-2022-2879
  • CVE-2022-2880
  • CVE-2022-27664
  • CVE-2022-41715
  • CVE-2022-41717

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

Related news

Gentoo Linux Security Advisory 202409-29

Gentoo Linux Security Advisory 202409-29 - Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service. Versions greater than or equal to 25.0.4 are affected.

Gentoo Linux Security Advisory 202311-09

Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.

Red Hat Security Advisory 2023-4090-01

Red Hat Security Advisory 2023-4090-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5.

Red Hat Security Advisory 2023-4003-01

Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3915-01

Red Hat Security Advisory 2023-3915-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.44.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3664: Red Hat Security Advisory: OpenShift Jenkins image and Jenkins agent base image security update

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

RHSA-2023:3642: Red Hat Security Advisory: Red Hat Ceph Storage 6.1 Container security and bug fix update

A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application. * CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following messa...

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

RHSA-2023:1329: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 bug fix and security update

Red Hat build of MicroShift release 4.13.0 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat build of MicroShift 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP head...

RHSA-2023:3204: Red Hat Security Advisory: OpenShift Virtualization 4.13.0 RPMs security and bug fix update

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...

RHSA-2023:2866: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...

Red Hat Security Advisory 2023-2283-01

Red Hat Security Advisory 2023-2283-01 - The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Red Hat Security Advisory 2023-2367-01

Red Hat Security Advisory 2023-2367-01 - The Container Network Interface project consists of a specification and libraries for writing plug-ins for configuring network interfaces in Linux containers, along with a number of supported plug-ins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.

RHSA-2023:2592: Red Hat Security Advisory: golang-github-cpuguy83-md2man security, bug fix, and enhancement update

An update for golang-github-cpuguy83-md2man is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small...

RHSA-2023:2357: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...

RHSA-2023:2357: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...

RHSA-2023:2193: Red Hat Security Advisory: butane security, bug fix, and enhancement update

An update for butane is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode an...

RHSA-2023:1529: Red Hat Security Advisory: Service Telemetry Framework 1.5 security update

An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
  • CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....

Red Hat Security Advisory 2023-0931-01

Red Hat Security Advisory 2023-0931-01 - Update information for Logging Subsystem 5.4.12 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-0930-01

Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1174: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.2 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
  • CVE-2022...

RHSA-2023:0932: Red Hat Security Advisory: Logging Subsystem 5.6.3 - Red Hat OpenShift

Logging Subsystem 5.6.3 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

Red Hat Security Advisory 2023-1042-01

Red Hat Security Advisory 2023-1042-01 - Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates.

Red Hat Security Advisory 2023-1079-01

Red Hat Security Advisory 2023-1079-01 - An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train).

RHSA-2023:1042: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift (with security updates)

Custom Metrics Autoscaler Operator for Red Hat OpenShift including security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
  • CVE-2022-1962: A flaw was found in the golang standard library, go/par...

RHSA-2023:1079: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update

An update for osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to c...

Red Hat Security Advisory 2023-0727-01

Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.

Red Hat Security Advisory 2023-0709-01

Red Hat Security Advisory 2023-0709-01 - Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. This release includes security and bug fixes, and enhancements.

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:0709: Red Hat Security Advisory: Release of OpenShift Serverless 1.27.0

Release of OpenShift Serverless 1.27.0. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
  • CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query para...

RHSA-2023:0631: Red Hat Security Advisory: RHSA: Submariner 0.14 - bug fix and security updates

Submariner 0.14 packages that fix various bugs and add various enhancements are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
  • CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers
  • CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • CVE-2022-3962: kiali: error message spoofing in kiali UI
  • CVE-2022-27664: golang: ...

Red Hat Security Advisory 2023-0264-01

Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7399-01

Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
  • CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
  • CVE-2022-2879: golang: arc...

RHSA-2022:7398: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 packages and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-4235: go-yaml: Denial of Service in go-yaml
  • CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • CVE-2022-2995: cri-o: incorrect handlin...

Red Hat Security Advisory 2022-8634-01

Red Hat Security Advisory 2022-8634-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Red Hat Security Advisory 2022-7129-01

Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.

Gentoo Linux Security Advisory 202209-26

Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.