Headline
RHSA-2023:3205: Red Hat Security Advisory: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
- CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request’s Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
- CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
- CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
- CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
- CVE-2022-32190: A flaw was found in the golang package. JoinPath does not remove the ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack.
- CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
- CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
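As an added defensive illustration of the JoinPath issue (CVE-2022-32190) described above, and not code from the advisory or from the Go project: the wrapper below joins path elements with the standard library's url.URL.JoinPath and then validates the output, so the caller does not depend on which toolchain performed the join. SafeJoinPath and the example.com inputs are constructed for this example; it assumes a toolchain that provides url.URL.JoinPath (Go 1.19 or later).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase is returned when the joined URL is not the base path or a descendant of it.
var ErrEscapesBase = errors.New("joined path escapes the base path")

// SafeJoinPath joins elems onto base with the standard library's URL.JoinPath and
// then checks the result in two independent ways:
//  1. no literal ".." segment may survive in the joined path (the CVE-2022-32190
//     symptom: "https://go.dev/../go" sent to the wire as-is);
//  2. after cleaning, the result must still be the base path or lie below it, so a
//     ".." that path.Join did resolve cannot climb above the base.
// Both checks are made on the output, so they hold whatever the toolchain did.
func SafeJoinPath(base string, elems ...string) (string, error) {
	baseURL, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined := baseURL.JoinPath(elems...)

	// Check 1: an unresolved ".." segment is always rejected.
	for _, seg := range strings.Split(joined.Path, "/") {
		if seg == ".." {
			return "", fmt.Errorf("%w: unresolved \"..\" in %q", ErrEscapesBase, joined.Path)
		}
	}

	// Check 2: clean both sides the same way so "/api/v1" and "/api/v1/" compare
	// equal, then compare on a segment boundary so that "/api/v10/x" does not pass
	// for base "/api/v1".
	basePath := path.Clean("/" + strings.TrimPrefix(baseURL.Path, "/"))
	joinedPath := path.Clean("/" + strings.TrimPrefix(joined.Path, "/"))
	prefix := strings.TrimSuffix(basePath, "/") + "/"
	if joinedPath != basePath && !strings.HasPrefix(joinedPath, prefix) {
		return "", fmt.Errorf("%w: base=%q result=%q", ErrEscapesBase, basePath, joinedPath)
	}
	return joined.String(), nil
}

func main() {
	// Constructed inputs: a base URL with no trailing slash (the case the CVE text
	// describes) and path elements as an untrusted caller might supply them.
	cases := []struct {
		base  string
		elems []string
	}{
		{"https://example.com/api/v1", []string{"users", "42"}},
		{"https://example.com/api/v1", []string{"users", "../../admin"}},
		{"https://example.com/api/v1", []string{"../v10/x"}},
		{"https://example.com", []string{"../admin"}},
	}
	for _, c := range cases {
		got, err := SafeJoinPath(c.base, c.elems...)
		fmt.Printf("%s + %v -> %q err=%v\n", c.base, c.elems, got, err)
	}
}
```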
Synopsis
Moderate: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
OpenShift Virtualization is Red Hat’s virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.13.0 images.
Security Fix(es):
- golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
- golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags (CVE-2022-32149)
- golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
- golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
Affected Products
- Red Hat Container Native Virtualization 4.13 for RHEL 9 x86_64
Fixes
- BZ - 2023393 - [CNV] [UI]Additional information needed for cloning when default storageclass is not defined in target datavolume
- BZ - 2029391 - VM status flipping between Paused and Running
- BZ - 2052556 - Metric “kubevirt_num_virt_handlers_by_node_running_virt_launcher” reporting incorrect value
- BZ - 2060499 - [RFE] Cannot add additional service (or other objects) to VM template
- BZ - 2070132 - [RFE][CNV] Ability to export and import virtual machines disks between clusters
- BZ - 2087540 - [RFE] Improve CPU info
- BZ - 2101390 - Easy to miss the “tick” when adding GPU device to vm via UI
- BZ - 2104424 - Enable descheduler or hide it on template’s scheduling tab
- BZ - 2104479 - [4.12] Cloned VM’s snapshot restore fails if the source VM disk is deleted
- BZ - 2104859 - [RFE] Add “Copy SSH command” to VM action list
- BZ - 2110562 - CNV introduces a compliance check fail in “ocp4-moderate” profile - routes-protected-by-tls
- BZ - 2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi)
- BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
- BZ - 2114922 - Can run with host-Model cpuModel even if it is in ObsoleteCPUModels
- BZ - 2116562 - NodeNetworkConfigurationPolicy “ERROR: State editing already in progress. Commit, roll back or wait before retrying”
- BZ - 2117803 - Cannot edit ssh even vm is stopped
- BZ - 2122119 - Virtual machine fails to start with error “Unable to use native AIO: failed to create linux AIO context: Resource temporarily unavailable”
- BZ - 2122168 - Error while running virtctl - GLIBC_2.34 is not found in the package of virtctl - which is required by virtctl
- BZ - 2123209 - CNV runs non-root VMs by default, which removes cap_sys_nice from the launchers and causes the real-time VM to fail to boot
- BZ - 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
- BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
- BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
- BZ - 2132873 - VM is removed before virt-launcher pod exits, new VM with same name points to old VMI/virt-launcher pod still terminating
- BZ - 2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
- BZ - 2138199 - Win11 and Win22 templates are not filtered properly by Template provider
- BZ - 2138653 - Saving Template parameters reloads the page
- BZ - 2138664 - VM that was created with SSH key fails to start
- BZ - 2139235 - unlike other CNV components, Kubevirt uses its own cipher for tls 1.2
- BZ - 2139257 - Cannot add disk via “Using an existing PVC”
- BZ - 2139260 - Clone button is disabled while VM is running
- BZ - 2139293 - Non-admin user cannot load VM list page
- BZ - 2139296 - Non-admin cannot load MigrationPolicies page
- BZ - 2139299 - No auto-generated VM name while creating VM by non-admin user
- BZ - 2139306 - Non-admin cannot create VM via customize mode
- BZ - 2139479 - virtualization overview crashes for non-priv user
- BZ - 2139574 - VM name gets “emptyname” if click the create button quickly
- BZ - 2139651 - non-priv user can click create when have no permissions
- BZ - 2139687 - catalog shows template list for non-priv users
- BZ - 2139820 - non-priv user can't reach vm details
- BZ - 2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user
- BZ - 2140977 - Alerts number is not correct on Virtualization overview
- BZ - 2140982 - The base template of cloned template is “Not available”
- BZ - 2140998 - Incorrect information shows in overview page per namespace
- BZ - 2142511 - Enhance alerts card in overview
- BZ - 2143039 - Some liveMigrationConfig options cannot be used for cluster-wide setting
- BZ - 2143498 - Could not load template while creating VM from catalog
- BZ - 2143716 - [4.13]VMExport: fix DV Error message when trying to import without certConfigMap and secretExtraHeaders
- BZ - 2144580 - “?” icon is too big in VM Template Disk tab
- BZ - 2145092 - “No MigrationPolicies are defined yet” flash by on MigrationPolicies page
- BZ - 2145126 - Can't start VM with “clock” virtualMachinePreference
- BZ - 2145137 - Machine type is not updated to rhel9.2.0 in Templates
- BZ - 2145223 - VM with missing source datasource pvc is started without any error messages
- BZ - 2147582 - Add Y axis to all graphs under metrics tab (same as Pod metrics tab)
- BZ - 2148322 - Add help text to DataImportCron
- BZ - 2148849 - The help text of items in DataSource details page includes incorrect url link
- BZ - 2148850 - Help text is missing in MigrationPolicies details page
- BZ - 2149118 - virt-handler leaks VNC sockets
- BZ - 2149201 - Incorrect pending changes warning about memory and CPU while starting a VM in a namespace with limitranges
- BZ - 2149227 - VMs requiring vTPM fails to create
- BZ - 2149897 - The context menu of the serial console does not contain a paste command
- BZ - 2150364 - Deletion of VM deletes referenced secret
- BZ - 2150653 - VMExport for VMSnapshot - volume names should be the same as the VMs volume names
- BZ - 2150832 - vCPU number is not correct in Virtualization -> Overview
- BZ - 2151053 - The scripts tab of Windows VM cannot be saved
- BZ - 2151056 - Improve descriptive text of cloud-init and ssh-key
- BZ - 2151427 - Virtualization -> Overview is crashed when creating VM in other browser session
- BZ - 2151508 - Add login username to virtctl ssh command
- BZ - 2151521 - No username set in cloud-init in the template example yaml
- BZ - 2151759 - “No available boot source” shows while creating VM from upload image
- BZ - 2151766 - “No available boot source” shows while creating VM from existing PVC
- BZ - 2151831 - Time format in VM utilization card is not correct
- BZ - 2152122 - VM can’t start if disk io is default
- BZ - 2152534 - Default CPU request in namespace limitrange takes precedence over the VMs configured vCPU
- BZ - 2152537 - [4.13]Better to have a more friendly error when missing storage size in clone
- BZ - 2155403 - ssh related information displayed in OpenShift console for Windows VMs created from template
- BZ - 2155409 - PVC details page crashing
- BZ - 2155796 - windows10-installer contains upstream example url
- BZ - 2156392 - In the VM latency checkup, the max_desired_latency_milliseconds field has no meaning when the measured latency is less than 1[ms]
- BZ - 2156902 - VM latency checkup - Checkup not performing a teardown in case of setup failure
- BZ - 2158060 - [console] Source project list for selecting existing PVC is not sorted alphabetically
- BZ - 2158079 - “Storage” and “?” are not aligned in customize wizard (Firefox only)
- BZ - 2158362 - PVC should be filtered by status in pvc dropdown list while creating vm or adding disk
- BZ - 2158424 - Cannot select Network Attachment Definitions from the global namespaces
- BZ - 2158515 - Guestfs image url not constructed correctly
- BZ - 2159715 - VM Memory does not show in details card of overview or details tab
- BZ - 2159975 - The prefix “docker://docker://” was added to the container image while editing the rootdisk (registry)
- BZ - 2160298 - YAML Switcher text should be just “YAML”
- BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
- BZ - 2161340 - HCO taking long to reconcile ConsolePlugin kubevirt-plugin
- BZ - 2162016 - hostpath provisioner operator consuming stray k8s API
- BZ - 2162333 - PVC created using non default storage class on fresh cluster
- BZ - 2163460 - Can’t set resources.requests.memory when using instance type
- BZ - 2164590 - VM with InstanceType validation webhook when checking hugepage size
- BZ - 2164807 - Migration metrics values are not summed up from all VMIs
- BZ - 2164814 - [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
- BZ - 2164838 - KubeVirtComponentExceedsRequestedMemory Alert for virt-api pod
- BZ - 2165618 - Overhead of management layer in virt-launcher is not calculated accurately
- BZ - 2165943 - Error While applying Migration Policy
- BZ - 2166165 - Two elements about vm-name-input shows on VM creation page
- BZ - 2166394 - cdi.kubevirt.io/storage.bind.immediate.requested is not propagated down to the DataVolume if set on an existing DataImportCronTemplate
- BZ - 2166507 - The loading time of Virtualization -> Overview -> Settings page is a bit longer
- BZ - 2166508 - Virtualization -> Overview -> Settings page is crashed when the user has no permission to list network-attachment-definitions
- BZ - 2166512 - VM can’t start because of requests/limits CPU number mismatch after adding the overallocated one
- BZ - 2167012 - Unable to create a vm with network bridge
- BZ - 2167226 - Sorting Network Interface by ‘Network’ or ‘Type’ does not work.
- BZ - 2167251 - Virtualization -> Overview page is crashed
- BZ - 2167661 - Alerts card always shows the “Info” although it’s 0
- BZ - 2167979 - qemu.log are no longer getting collected for cnv must-gather (vm gather) in 4.13.0
- BZ - 2168032 - Error happens while selecting ssh types between “SSH over NodePort” and “SSH over LoadBalancer”
- BZ - 2168111 - VM template loses storage information if a required parameter has no value
- BZ - 2168165 - [4.13]preallocation is always applied when importing image to block storage
- BZ - 2168180 - Correct the pod name of kubevirt-console-plugin from `kubevirt-plugin-xxx` to `kubevirt-console-plugin-xxx`
- BZ - 2168480 - VM -> Metrics tab: “Virtualization dashboard” link is wrong
- BZ - 2168484 - VM -> Metrics tab: Add dates to the X axis
- BZ - 2168486 - “Restore template settings” is disabled while editing VM’s CPU/Mem
- BZ - 2168488 - Add text to VM workload profile
- BZ - 2168561 - Storage IOPS card in VM Metrics has wrong case
- BZ - 2168770 - “Not migratable” label should only be added to running VM
- BZ - 2168859 - Cannot attach an existing secret while creating the VM as a regular user
- BZ - 2168861 - “Attach existing sysprep” should not try to get resource at cluster scope when logged in with regular user
- BZ - 2169699 - [e2e] Add data-test-id for SSH service type
- BZ - 2169880 - virt-handler should not delete any pre-configured mediated devices if these are provided by an external provider
- BZ - 2170703 - “Filter by keyword” not working in catalog
- BZ - 2170740 - Deleting vm with --cascade=orphan is not working properly
- BZ - 2171395 - virt-controller crashes because of out-of-bound slice access in evacuation controller
- BZ - 2172371 - “Restore template settings” change the memory to zero if the VM has no template
- BZ - 2172375 - Error happens while deleting secret from VM
- BZ - 2172612 - [4.13] VMSnapshot and WaitForFirstConsumer storage: VMRestore is not Complete
- BZ - 2172842 - Fix “Templates project” and “Templates catalog”
- BZ - 2172952 - Cannot change first vNIC to virtio in “Review and create VirtualMachine”
- BZ - 2173527 - VM details: Machine type- should it be just q35 or everything?
- BZ - 2173562 - The “play” button is not clickable in the mini console
- BZ - 2173563 - The “YAML view” position is not consistent in VM tabs
- BZ - 2173593 - Virtualization -> Overview -> Top-consumers is crashed
- BZ - 2173595 - Cluster reader cannot view VM list page
- BZ - 2174288 - No storageClass is selected by default while adding/editing a disk
- BZ - 2174324 - “Add” should be “Add volume” in Bootable volumes page
- BZ - 2174334 - VM’s disk is not deleted along with the VM if the VM is created from upload image
- BZ - 2174619 - No boot order items while editing the boot order
- BZ - 2174636 - Visit Virtualization -> Overview -> Migrations crashes the app
- BZ - 2174742 - Machine type is not updated to rhel9.2.0 in KV CR
- BZ - 2175054 - Delete bootable volume crashes the page
- BZ - 2175171 - Internal workaround for nonRoot->Root FG on Kubevirt
- BZ - 2175256 - Error when accessing Catalog page
- BZ - 2175274 - Error after trying to edit VM CPU | Memory field in VM Details
- BZ - 2175571 - [RFE] Sort templates in grid view
- BZ - 2175601 - Cannot select Network Attachment Definitions from the global namespaces
- BZ - 2175636 - VMI with x86_Icelake fail when mpx feature is missing
- BZ - 2175641 - Add volume from existing PVC not working
- BZ - 2175643 - The “Add volume” button has a loading time in “Bootable volumes” page
- BZ - 2175888 - [cnv-4.13] Mark Windows 11 as TechPreview
- BZ - 2175890 - [cnv-4.13] Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11
- BZ - 2175974 - The default rows of volume table should at least include all default volumes
- BZ - 2175976 - “Select InstanceType” should show the volume’s default instanceType
- BZ - 2175977 - The Create VM button should be disabled until everything is selected
- BZ - 2175979 - “Cores” should be “CPU” in instanceTypes page
- BZ - 2175983 - Improve the delete button and the text on delete modal for bootable volumes
- BZ - 2175985 - “Clone existing PVC ?” should be accessible on hover
- BZ - 2175986 - Improve message when different storageclass is selected
- BZ - 2175988 - Remove descriptive text of the volume name
- BZ - 2176353 - Cannot enable headless mode in catalog
- BZ - 2176355 - Show a reason on VM console tab when headless mode is ON
- BZ - 2176422 - getting wrong error message when trying to upload dv when pvc already exists
- BZ - 2176706 - Click the item link in Pending Changes get a blank page below
- BZ - 2176708 - The disk name “Make Persistent disk” in “Pending Changes” should be the actual disk name
- BZ - 2176725 - “Start this VirtualMachine after creation” is not carried over to next dialog during VM creation
- BZ - 2176753 - Remove the dashed line from the Configurations in MigrationPolicy details page
- BZ - 2176804 - VM created with instanceType from UI cannot be started due to secret missing
- BZ - 2176843 - “No bootable device” shows in VM console if it’s created with instanceType
- BZ - 2177091 - Edit buttons are added to “Hardware devices” in quick creation page but not editable
- BZ - 2177578 - Set width for columns in volume list tab
- BZ - 2177586 - No pod networking added to the VM while creating it from instanceType
- BZ - 2177589 - Preference in Virt -> Bootable volumes -> Add volume modal is not sorted
- BZ - 2177668 - [DPDK latency checkup] Traffic generator cannot start due to multiple environment vars with PCIDEVICE_ prefix
- BZ - 2177763 - clusterInstanceType and clusterPreference show in “get all” command
- BZ - 2177888 - VM with cpu.cores and memory.guest raises false notification
- BZ - 2177961 - ‘GiB’ is displayed incompletely
- BZ - 2177973 - Add “CloneInProgress” badge to volumes while they are still being cloned
- BZ - 2178037 - VM termination stuck until instancetype/preference revisionName is cleared
- BZ - 2178628 - VM mutator panics when inferring instancetype from DataSource without specifying namespace
- BZ - 2178629 - [DPDK latency checkup] Traffic generator cannot start due to error in scappy server
- BZ - 2179225 - Improve “Use existing secret” in catalog -> instanceTypes
- BZ - 2179226 - Improve the name of “Add new” secret in catalog -> instanceTypes
- BZ - 2179565 - VM Overview card links are broken
- BZ - 2179626 - Filter can not be cleared in VM Diagnostic tab
- BZ - 2179811 - Sometimes the preference list is empty in Bootable volumes -> Add volume modal
- BZ - 2180146 - upgrade cnv from 4.12.1 to v4.13.0.rhel9-1819 is stuck
- BZ - 2180279 - VM cannot be started while creating from a template which has 2nd disk added
- BZ - 2180553 - Cannot remove description from volume
- BZ - 2180853 - The console goes blank after trying to clone a virtual machine
- BZ - 2182006 - Rename of Network Interface duplicates it, breaks VM start
- BZ - 2182097 - “Cancel” button on instanceType should exit the flow instead of clearing data
- BZ - 2182534 - spec.firmware.bootloader is not copied while cloning a UEFI VM
- BZ - 2182535 - “Copy SSH command” get undefined user
- BZ - 2182536 - The volume in instanceTypes page should be selected automatically just after it’s been added
- BZ - 2182538 - Cloned VM should not use the same PVC of the source VM
- BZ - 2182539 - [Nonpriv] VM Memory does not show in details card of overview or details tab
- BZ - 2182661 - Restore VM’s pretty names
- BZ - 2183026 - Console is almost frozen if scroll down and up in VM metrics tab
- BZ - 2183205 - [DPDK latency checkup] Traffic generator cannot start due to missing dedicated ServiceAccount
- BZ - 2183397 - Trend charts are empty when looking at “All projects”
- BZ - 2183968 - CNV4.13 SVVP Test:job ‘Check SMBIOS Table Specific Requirements’ failed on win2022
- BZ - 2186767 - VM metrics graphs are rendered incorrectly
- BZ - 2187437 - The storageclass option is not respected in add volume modal for “Use existing volume”
- BZ - 2187547 - non-privileged user cannot add new nic
- BZ - 2187581 - “No data available” shows on Virtualization overview metrics chart
CVEs
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-27664
- CVE-2022-32149
- CVE-2022-32189
- CVE-2022-32190
- CVE-2022-41715
- CVE-2022-41717
container-native-virtualization/virt-cdi-controller-rhel9@sha256:d9e62b2019328be258489ac852eef25f8b1233f29abac6bcea5b406329f97fed
container-native-virtualization/virt-cdi-importer-rhel9@sha256:2df07fb21a3575e74aa16ded20129828f2300cd33e8ab369b0362062d49e62d0
container-native-virtualization/virt-cdi-operator-rhel9@sha256:802ee8923d9d8e406b23911406f9748756c0ef4d6954e9e2fd5fb4bdf91dde9a
container-native-virtualization/virt-cdi-uploadproxy-rhel9@sha256:6775f34353eec8f35bead9411dde155530d079bb8d51582fb1f2aacc27dbde1d
container-native-virtualization/virt-cdi-uploadserver-rhel9@sha256:b22048390387380af94e267c8a9a66813c515997456d59d8ebac1486916b6585
container-native-virtualization/virt-controller-rhel9@sha256:3e7880149ee9a68286e390beb3d9779f7403c30fc5136e5370e0e4690a3fd243
container-native-virtualization/virt-exportproxy-rhel9@sha256:1bda34d5bff734ad997202f29a5ff6f7362fd79fa90511a422442ef2e3681198
container-native-virtualization/virt-exportserver-rhel9@sha256:8f12955cd777eb2409037a6968aa92f50c99d6e07e722951dbcfd0c8c9829b5e
container-native-virtualization/virt-handler-rhel9@sha256:84ba79ae9658699147d2493df2582ab6df10adbff4d44a533c3fe6a9f45f9691
container-native-virtualization/virt-launcher-rhel9@sha256:4990d40d9987d5126d105dd45be2501eaded248cb61bdde5ea8d359bc1e7ebef
container-native-virtualization/virt-operator-rhel9@sha256:5c1a7e4ed2061938987b900a2394f07121d4037350c9bb6485213a2adfea787d
container-native-virtualization/virtio-win-rhel9@sha256:d147d2a6eb6f907d1e88f61aaca83596853bc72164583d6dda2b1154b490de25
container-native-virtualization/vm-console-proxy-rhel9@sha256:7ca921f98f6d81a126907127a611146fb53397869a628678faa1e289c01d22b2
container-native-virtualization/vm-network-latency-checkup-rhel9@sha256:59fd965975bccf641a0fa7aa01374d45057bd03cda7528248a84b60b1205bf57
Related news
Red Hat Security Advisory 2024-1994-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys ca...
Red Hat Security Advisory 2023-3925-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.23.
Red Hat OpenShift Container Platform release 4.11.44 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS...
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...
Red Hat Security Advisory 2023-3205-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 images. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3204-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.0 RPMs. Issues addressed include a denial of service vulnerability.
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
An update for grafana-pcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
Red Hat Security Advisory 2023-2728-01 - The Red Hat OpenShift Distributed Tracing 2.8 container images have been updated. CVE-2022-41717 was fixed as part of this release. Users of Red Hat OpenShift Distributed Tracing 2.8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs, and add these enhancements.
Red Hat Security Advisory 2023-2204-01 - Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, ...
An update for grafana-pcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
An update for conmon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can ...
An update for golang-github-cpuguy83-md2man is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small...
An update for toolbox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode a...
An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by r...
An update for buildah is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30629: A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption. * CVE-2022-41717: A flaw was found in the net/http library of the golang package. Th...
Red Hat Security Advisory 2023-1529-01 - Service Telemetry Framework provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform deployment for storage, retrieval, and monitoring. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
Red Hat Security Advisory 2023-1154-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.54.
Red Hat Security Advisory 2023-1275-01 - An update for etcd is now available for Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1179-01 - Red Hat OpenShift Serverless Client kn 1.27.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.27.1. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. This release includes security and bug fixes, and enhancements.
Red Hat OpenShift Container Platform release 4.11.28 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...
Red Hat Security Advisory 2023-0769-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Red Hat Security Advisory 2023-0728-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.3.
Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.
Ubuntu Security Notice 5873-1 - It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852, and CVE-2021-38561 affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Submariner 0.13.3 packages that fix various bugs and add various enhancements are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.
An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...
Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Service Mesh 2.3.1 Containers. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2023-0481-01 - Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. This advisory contains bug fixes and enhancements to the Submariner container images.
Submariner 0.12.3 packages that fix various bugs and add various enhancements are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2023-0445-01 - Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps
Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.
An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server error...
Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8634-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...
Red Hat Security Advisory 2022-7435-01 - An update is now available for Logging subsystem for Red Hat OpenShift 5.4. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-7434-01 - A Red Hat OpenShift security update has been provided for the Logging Subsystem.
Logging Subsystem 5.5.4 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
Red Hat Security Advisory 2022-7407-01 - Service Binding Operator 1.3.1 is now available for OpenShift Developer Tools and Services for OCP 4.9 +.
An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension * CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
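The two forwarding behaviours described above, shown side by side in an added example that is not part of the advisory or of the Go project's own code. It stands up a constructed backend that records the raw query it receives, fronts it with httputil.ReverseProxy, and sends the same inbound query through twice: once with a Director that never touches the form (the proxy forwards the raw query, semicolon pair and all) and once with a Director that calls ParseForm (the fixed ReverseProxy re-encodes the query and drops the pairs net/http refused to parse). It assumes a Go toolchain that already contains the fix (1.19.2 or later); the function name forwardedQuery and the sample queries are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// forwardedQuery stands up a constructed backend that records the raw query
// string it receives, fronts it with httputil.ReverseProxy, sends inQuery
// through the proxy and returns exactly what the backend saw.
//
// When parseForm is true the Director calls ParseForm before returning, which
// leaves the outbound request's Form non-nil; that is the condition under
// which the fixed ReverseProxy re-encodes the forwarded query and drops the
// parameters net/http itself refused to parse (semicolon-separated pairs,
// malformed %-escapes). When parseForm is false the proxy forwards the query
// byte-for-byte, which is the behaviour the advisory calls smuggling.
func forwardedQuery(inQuery string, parseForm bool) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.URL.RawQuery
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	rewrite := proxy.Director
	proxy.Director = func(r *http.Request) {
		rewrite(r)
		if parseForm {
			// The error is deliberately ignored: even when ParseForm reports an
			// unparseable pair it still sets r.Form, and a non-nil Form is all
			// the post-fix sanitization in ReverseProxy keys off.
			_ = r.ParseForm()
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + inQuery)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	// Constructed inbound queries: a smuggled semicolon pair and a bad escape.
	for _, q := range []string{"a=1;b=2&c=3", "a=%zz&b=1"} {
		for _, parse := range []bool{false, true} {
			got, err := forwardedQuery(q, parse)
			if err != nil {
				fmt.Println("error:", err)
				continue
			}
			fmt.Printf("inbound %q  director parses form=%-5v  backend received %q\n", q, parse, got)
		}
	}
}
```

The practical takeaway for anyone operating a Go proxy: the fix only protects Directors that parse the form. A proxy that never calls ParseForm (or Query-based helpers that set Form) still forwards the raw string, so the backend must be prepared to see parameters the proxy never saw, or the Director should parse and let ReverseProxy strip them.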
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
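Collapsing "../" (what the JoinPath fix does) is not the same as keeping a joined URL inside a base path, which is what callers that append untrusted segments actually need. The following added example, which is not part of the advisory or of net/url, wraps URL.JoinPath in a hypothetical confinedJoin helper that joins and then independently checks that the decoded result still sits at or below the base path; the check runs on the decoded Path so a "%2F"-encoded traversal cannot slip past it. It assumes a Go toolchain with the fixed JoinPath (1.19.1 or later); the helper name and the sample base URLs and segments are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// confinedJoin is a hypothetical helper (not part of net/url). It joins elems
// onto base with URL.JoinPath and then verifies that the resulting decoded
// path is the base path itself or lies below it. The post-fix JoinPath already
// collapses "../" elements, but a cleaned "../../admin" appended to "/api/v1"
// still yields "/admin": cleaning does not confine. The comparison uses the
// decoded Path rather than EscapedPath so that "..%2F..%2Fadmin", which
// JoinPath treats as one opaque segment, is caught once its %2F decodes to "/".
func confinedJoin(base string, elems ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined := b.JoinPath(elems...)

	root := path.Clean("/" + b.Path)
	got := path.Clean("/" + joined.Path)
	if got != root && !strings.HasPrefix(got, strings.TrimSuffix(root, "/")+"/") {
		return "", fmt.Errorf("joined path %q escapes base %q", got, root)
	}
	return joined.String(), nil
}

func main() {
	// Constructed cases: the documented JoinPath example, a benign segment,
	// a plain traversal and a percent-encoded traversal.
	cases := [][]string{
		{"https://go.dev", "../go"},
		{"https://example.com/api/v1", "users/42"},
		{"https://example.com/api/v1", "../../admin"},
		{"https://example.com/api/v1", "..%2F..%2Fadmin"},
	}
	for _, c := range cases {
		got, err := confinedJoin(c[0], c[1:]...)
		if err != nil {
			fmt.Printf("REJECT %v: %v\n", c, err)
			continue
		}
		fmt.Printf("OK     %v -> %s\n", c, got)
	}
}
```

With the fixed library the first case resolves to "https://go.dev/go" and passes because the base path is the root, while both traversal cases are rejected even though JoinPath returned a syntactically clean URL for them.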
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
In Docker before versions 19.03.15 and 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 19.03.15 and 20.10.3 contain patches that prevent the daemon from crashing.