Headline
RHSA-2023:3083: Red Hat Security Advisory: go-toolset:rhel8 security and bug fix update
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.
- CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-05-16
Updated:
2023-05-16
RHSA-2023:3083 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: go-toolset:rhel8 security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
- golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
- golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Backport fix for https://github.com/golang/go/issues/56891 (BZ#2167412)
- Update Go to 1.19.6 (BZ#2174430)
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2167412 - Backport fix for https://github.com/golang/go/issues/56891
- BZ - 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
- BZ - 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
Red Hat Enterprise Linux for x86_64 8
SRPM
delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.src.rpm
SHA-256: 1b037c6c0f16e789c9cf361b6cf87e5e06661e7f29deae013bb1ede7f3c1ff93
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21
x86_64
delve-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm
SHA-256: e63fbb1595650d32386fe757c131a9475710f50f3df6c673b9ee3d7da17fb40b
delve-debuginfo-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm
SHA-256: 10cbdf420e26f44c6a556c9bac32f8d4d9f55f2c1294009710248550c0ed1528
delve-debugsource-1.9.1-1.module+el8.8.0+16778+5fbb74f5.x86_64.rpm
SHA-256: b9ec866e5579c7683dfc4a6efd2fb41b21e3635de5fac94c4f9870f647f9c869
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm
SHA-256: b66e8c636b9407d6b4f0a6f8ea0adffbf0cbc71af5b544a3e50cecc63a4cffde
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm
SHA-256: 3d0cd0c7a6120eb9a3727414405d87f95a31b85b360322246076e02e2e925421
golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm
SHA-256: abc7989ef4436d98a5c351412b7d575703d5fa6ed7d49cd2ad62a7fb0a26c0ed
golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a
golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216
golang-race-1.19.6-1.module+el8.8.0+18289+edd6c8b6.x86_64.rpm
SHA-256: c47770a74fc8f314bfb6247f3497186c042d168d7bd810476a5f582f0dc02171
golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549
golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21
s390x
golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a
golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216
golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549
golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm
SHA-256: e28954720c22cd0291378d432687c610b93bd6b271671cdfb7ccd2121444ab7e
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm
SHA-256: a535d441ee44064dc80db76f46230069a2b091de652e287e97dc34e994f3899e
golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.s390x.rpm
SHA-256: cce4653457134ef6b2ae9e4dbb8a4a1586adc10c181aec0fc1b0fa9463de58ae
Red Hat Enterprise Linux for Power, little endian 8
SRPM
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21
ppc64le
golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a
golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216
golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549
golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm
SHA-256: fc1c37746bd7c3ac33b76681e14a3164358c71bc8326eb36e07630f00e1f5b7a
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm
SHA-256: af9e85974cf365431259b7d02652f4cd753a0f225f77be6934b907d2f71adeb1
golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.ppc64le.rpm
SHA-256: 72a535ea004d235d15e1950f039748053514de11377ac6b8947f60a5b08e6c83
Red Hat Enterprise Linux for ARM 64 8
SRPM
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: 0c6a2f27b2bbc0ea28e998ee5f536f298f7b1f3258d87274ad55821dde3fc984
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.src.rpm
SHA-256: a767d680d37a8ab3103c9441347c216d93b6280f51fd2f5d02aac4468d537f21
aarch64
golang-docs-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: d7e2033cdd9e2c3d35c5cb6fa376d3be883ca2d9ae08ecce63d39f6c6f354e2a
golang-misc-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 5b5b7a49032c1f805b51709ccb06df419d46dab2618e6a8bd5b0279c95bc1216
golang-src-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: 2b8fed3ea5bb5e638713280dbb7db91b1edd2718da91fc941f5dbdc0fe3e5549
golang-tests-1.19.6-1.module+el8.8.0+18289+edd6c8b6.noarch.rpm
SHA-256: b1674450c64c67af51fa6c2973b99d90aa180c4a03f93bea88a74ed0e402dcd3
go-toolset-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm
SHA-256: 1a2a4fe3e3c2699b31e92d04e1d9bce952344de599894a4235c940caf7b67b14
golang-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm
SHA-256: 6c8db72d98cda2b58fe7f7a6f6f82a571cbdf3078faf173f864f3e189fe22da8
golang-bin-1.19.6-1.module+el8.8.0+18289+edd6c8b6.aarch64.rpm
SHA-256: 2cc0220e75b2826804cb70334f938ceac6710b3de219625456e36106add2de81
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.
Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4627-01 - Migration Toolkit for Applications 6.2.0 Images. Issues addressed include a denial of service vulnerability.
cert-manager Operator for Red Hat OpenShift 1.10.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specia...
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the gol...
Red Hat Security Advisory 2023-3925-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.23.
Red Hat OpenShift Container Platform release 4.12.23 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-...
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat OpenShift Container Platform release 4.13.2 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms...
Ubuntu Security Notice 6140-1 - It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10.
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
Red Hat Security Advisory 2023-3303-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.1.
Red Hat OpenShift Container Platform release 4.13.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a ...
Red Hat Security Advisory 2023-3167-01 - New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
New Red Hat build of Cryostat 2.3.0 on RHEL 8 container images are now availableThis content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.
Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...
The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...
Red Hat Security Advisory 2023-1817-01 - Network Observability 1.2.0 is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. This update contains bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1817-01 - Network Observability 1.2.0 is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. This update contains bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.1.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by a...
OpenShift API for Data Protection (OADP) 1.1.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by a...
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files cr...