RHSA-2023:3083: Red Hat Security Advisory: go-toolset:rhel8 security and bug fix update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
  • CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.
Red Hat Security Data

Issued: 2023-05-16

Updated: 2023-05-16

RHSA-2023:3083 - Security Advisory

Synopsis

Moderate: go-toolset:rhel8 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.

Security Fix(es):

  • golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
  • golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Backport fix for https://github.com/golang/go/issues/56891 (BZ#2167412)
  • Update Go to 1.19.6 (BZ#2174430)
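The net/http and mime/multipart fix above (CVE-2022-41725) limits how much a form parser will consume; the server-side defence that complements it is to cap the request body before parsing. The following is an added example, not code from the advisory or from the Go project: a hypothetical upload handler (uploadHandler, buildForm, serveForm and the two size limits are all names and values chosen for illustration) that wraps the body in http.MaxBytesReader and passes an explicit memory cap to ParseMultipartForm, then exercises it in-process with a small and an oversized constructed form.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Illustrative limits chosen for this example, not figures from the advisory.
// maxBodyBytes caps the whole request body. maxFormMemory is the in-memory cap
// handed to ParseMultipartForm; keeping it equal to the body cap means a body
// that passes the first limit never spills file parts to temporary files.
const (
	maxBodyBytes  int64 = 64 << 10 // 64 KiB
	maxFormMemory int64 = maxBodyBytes
)

// uploadHandler is a hypothetical upload endpoint that bounds how many bytes
// it is willing to read before it lets the multipart parser run.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	// Every read past the cap fails with *http.MaxBytesError instead of
	// letting the parser consume an unbounded body.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)

	if err := r.ParseMultipartForm(maxFormMemory); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart form", http.StatusBadRequest)
		return
	}
	// Release any temporary files the parser may have created.
	defer r.MultipartForm.RemoveAll()

	fmt.Fprintf(w, "fields=%d files=%d", len(r.MultipartForm.Value), len(r.MultipartForm.File))
}

// buildForm constructs a multipart/form-data body with one text field and one
// file part of fileSize bytes. The content is synthetic test data.
func buildForm(fileSize int) (*bytes.Buffer, string, error) {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	if err := mw.WriteField("note", "constructed sample"); err != nil {
		return nil, "", err
	}
	fw, err := mw.CreateFormFile("upload", "blob.bin")
	if err != nil {
		return nil, "", err
	}
	if _, err := fw.Write(bytes.Repeat([]byte{'A'}, fileSize)); err != nil {
		return nil, "", err
	}
	if err := mw.Close(); err != nil {
		return nil, "", err
	}
	return &body, mw.FormDataContentType(), nil
}

// serveForm posts a constructed form with a file part of fileSize bytes to
// uploadHandler in-process and returns the HTTP status code and response body.
func serveForm(fileSize int) (int, string, error) {
	body, contentType, err := buildForm(fileSize)
	if err != nil {
		return 0, "", err
	}
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	respBody, err := io.ReadAll(rec.Result().Body)
	if err != nil {
		return 0, "", err
	}
	return rec.Code, string(respBody), nil
}

func main() {
	// A 1 KiB file part is accepted; a 256 KiB part trips the body cap and is
	// rejected with 413 before the parser can buffer it.
	for _, size := range []int{1 << 10, 256 << 10} {
		code, body, err := serveForm(size)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("file part of %d bytes -> HTTP %d: %s\n", size, code, body)
	}
}
```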

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2167412 - Backport fix for https://github.com/golang/go/issues/56891
  • BZ - 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
  • BZ - 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

Red Hat Enterprise Linux for x86_64 8

SRPM

delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.src.rpm

SHA-256: 1b037c6c0f16e789c9cf361b6cf87e5e06661e7f29deae013bb1ede7f3c1ff93

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21

x86_64

delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm

SHA-256: e63fbb1595650d32386fe757c131a9475710f50f3df6c673b9ee3d7da17fb40b

delve-debuginfo-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm

SHA-256: 10cbdf420e26f44c6a556c9bac32f8d4d9f55f2c1294009710248550c0ed1528

delve-debugsource-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm

SHA-256: b9ec866e5579c7683dfc4a6efd2fb41b21e3635de5fac94c4f9870f647f9c869

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm

SHA-256: b66e8c636b9407d6b4f0a6f8ea0adffbf0cbc71af5b544a3e50cecc63a4cffde

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm

SHA-256: 3d0cd0c7a6120eb9a3727414405d87f95a31b85b360322246076e02e2e925421

golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm

SHA-256: abc7989ef4436d98a5c351412b7d575703d5fa6ed7d49cd2ad62a7fb0a26c0ed

golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a

golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216

golang-race-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm

SHA-256: c47770a74fc8f314bfb6247f3497186c042d168d7bd810476a5f582f0dc02171

golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549

golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21

s390x

golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a

golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216

golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549

golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm

SHA-256: e28954720c22cd0291378d432687c610b93bd6b271671cdfb7ccd2121444ab7e

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm

SHA-256: a535d441ee44064dc80db76f46230069a2b091de652e287e97dc34e994f3899e

golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm

SHA-256: cce4653457134ef6b2ae9e4dbb8a4a1586adc10c181aec0fc1b0fa9463de58ae

Red Hat Enterprise Linux for Power, little endian 8

SRPM

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21

ppc64le

golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a

golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216

golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549

golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm

SHA-256: fc1c37746bd7c3ac33b76681e14a3164358c71bc8326eb36e07630f00e1f5b7a

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm

SHA-256: af9e85974cf365431259b7d02652f4cd753a0f225f77be6934b907d2f71adeb1

golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm

SHA-256: 72a535ea004d235d15e1950f039748053514de11377ac6b8947f60a5b08e6c83

Red Hat Enterprise Linux for ARM 64 8

SRPM

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm

SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21

aarch64

golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a

golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216

golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549

golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm

SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3

go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm

SHA-256: 1a2a4fe3e3c2699b31e92d04e1d9bce952344de599894a4235c940caf7b67b14

golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm

SHA-256: 6c8db72d98cda2b58fe7f7a6f6f82a571cbdf3078faf173f864f3e189fe22da8

golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm

SHA-256: 2cc0220e75b2826804cb70334f938ceac6710b3de219625456e36106add2de81

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-7109-1

Ubuntu Security Notice 7109-1 - Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service.

Gentoo Linux Security Advisory 202311-09

Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.

Red Hat Security Advisory 2023-5935-01

Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-4627-01

Red Hat Security Advisory 2023-4627-01 - Migration Toolkit for Applications 6.2.0 Images. Issues addressed include a denial of service vulnerability.

RHSA-2023:4335: Red Hat Security Advisory: Security Update for cert-manager Operator for Red Hat OpenShift 1.10.3

cert-manager Operator for Red Hat OpenShift 1.10.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specia...

RHSA-2023:4470: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update

An update is now available for Red Hat Ansible Automation Platform 2.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...

RHSA-2023:4003: Red Hat Security Advisory: Red Hat Service Interconnect 1.4 Release security update

This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the gol...

Red Hat Security Advisory 2023-3925-01

Red Hat Security Advisory 2023-3925-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.23.

RHSA-2023:3925: Red Hat Security Advisory: Red Hat OpenShift Enterprise security update

Red Hat OpenShift Container Platform release 4.12.23 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-...

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:3366: Red Hat Security Advisory: OpenShift Container Platform 4.13.2 packages and security update

Red Hat OpenShift Container Platform release 4.13.2 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms...

Ubuntu Security Notice USN-6140-1

Ubuntu Security Notice 6140-1 - It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10.

RHSA-2023:3455: Red Hat Security Advisory: Release of OpenShift Serverless 1.29.0

OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...

Red Hat Security Advisory 2023-3303-01

Red Hat Security Advisory 2023-3303-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.1.

RHSA-2023:3303: Red Hat Security Advisory: OpenShift Container Platform 4.13.1 packages and security update

Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a ...

Red Hat Security Advisory 2023-3167-01

Red Hat Security Advisory 2023-3167-01 - New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-0584-01

Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1325-01

Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-1326-01

Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.

RHSA-2023:3167: Red Hat Security Advisory: Red Hat build of Cryostat 2.3.0: new RHEL 8 container images

New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images are now available. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption...

RHSA-2023:1325: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...

RHSA-2023:1326: Red Hat Security Advisory: OpenShift Container Platform 4.13.0 security update

Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...

Red Hat Security Advisory 2023-1327-01

Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.

RHSA-2023:2107: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...

Red Hat Security Advisory 2023-1817-01

Red Hat Security Advisory 2023-1817-01 - Network Observability 1.2.0 is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. This update contains bug fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1639-01

Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

RHSA-2023:1639: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.3 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
  • CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by a...

CVE-2022-41724: [security] Go 1.20.1 and Go 1.19.6 are released

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) · Issue #58006 · golang/go

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files cr...