Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:2204: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
  • CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request’s form field is set after the reverse proxy. The director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
  • CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
  • CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
  • CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Red Hat Security Data
#vulnerability#linux#red_hat#dos#js#ibm#rpm

Synopsis

Moderate: Image Builder security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

  • golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
  • golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
  • golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2119980 - edge-installer ISO install failed at dracut-initqueue timeout
  • BZ - 2122843 - coreos-installer-0.15.0-2.el9 does not work with osbuild-composer-62-1.el9
  • BZ - 2123373 - edge images default to LVM [rhel-9.2.0]
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2125249 - podman network backend does not switch to netavark when embedding container in image [rhel-9.2.0]
  • BZ - 2132250 - Update Image Builder suite of projects to their latest upstream releases [RHEL-9.2]
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2136504 - osbuild-composer can’t access /var/cache/osbuild-composer/rpmmd on package upgrade from 9.0
  • BZ - 2137364 - composer-cli blueprints show command fails when firewall customization is included in a blueprint
  • BZ - 2139645 - [cockpit-composer] RHEL 9.2 Tier 0 Localization
  • BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
  • BZ - 2164560 - Rebase to weldr-client v35.9
  • BZ - 2174158 - systemd units aren’t enabled/started using ignition
  • BZ - 2177699 - Composer is not setting the rpm stage options in the os pipeline correctly for payload repositories

CVEs

  • CVE-2022-2879
  • CVE-2022-2880
  • CVE-2022-27664
  • CVE-2022-41715
  • CVE-2022-41717

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

Red Hat Enterprise Linux for x86_64 9

SRPM

cockpit-composer-45-1.el9_2.src.rpm

SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f

osbuild-81-1.el9.src.rpm

SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0

osbuild-composer-76-2.el9_2.src.rpm

SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0

weldr-client-35.9-1.el9.src.rpm

SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd

x86_64

cockpit-composer-45-1.el9_2.noarch.rpm

SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923

osbuild-81-1.el9.noarch.rpm

SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20

osbuild-composer-76-2.el9_2.x86_64.rpm

SHA-256: cdec9b08c3e796b0dba60ed41097e672ac7c8677794c9c2d1edf91337c5391af

osbuild-composer-core-76-2.el9_2.x86_64.rpm

SHA-256: 37a8f4521c9f2af682ad960230351f14b85e72b03a60adc9b259f54912e3d8cb

osbuild-composer-core-debuginfo-76-2.el9_2.x86_64.rpm

SHA-256: 2bf9f4def8ecee743fabe2d4436b0f3e9c413efff7a44efecdc63c65b6c82b28

osbuild-composer-debuginfo-76-2.el9_2.x86_64.rpm

SHA-256: 76dda80b13969fbf1e97af2d0bf68752a3a5332ad394bfb41902db38d62ba1cd

osbuild-composer-debugsource-76-2.el9_2.x86_64.rpm

SHA-256: 0580e9e923eddd3f4da5abd4f3a57b3db0fd01d34db30162aaab7e7ace9c839a

osbuild-composer-dnf-json-76-2.el9_2.x86_64.rpm

SHA-256: 6da9d0ed0f826fb4cccd80201bd046c2cbe31da33c7c9e8d311b135f32a9b31e

osbuild-composer-tests-debuginfo-76-2.el9_2.x86_64.rpm

SHA-256: 9e35a40b6795310831a5069a6c1653bff87cba883e46b5cd2b0894575caca7d4

osbuild-composer-worker-76-2.el9_2.x86_64.rpm

SHA-256: ce5712b111bd07b0e28a0751c64454b28df988a3a8c3b9d2e919480c4b4fa510

osbuild-composer-worker-debuginfo-76-2.el9_2.x86_64.rpm

SHA-256: 48a80eea8255983b5fb76bc4948f82cd3c0df2c81f1752272a51aa95cdc71a28

osbuild-luks2-81-1.el9.noarch.rpm

SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723

osbuild-lvm2-81-1.el9.noarch.rpm

SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b

osbuild-ostree-81-1.el9.noarch.rpm

SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942

osbuild-selinux-81-1.el9.noarch.rpm

SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b

python3-osbuild-81-1.el9.noarch.rpm

SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5

weldr-client-35.9-1.el9.x86_64.rpm

SHA-256: c54f1ec74510ea6c26887cc8d9ba12455cab334ad063aa74c67590995b941b85

weldr-client-debuginfo-35.9-1.el9.x86_64.rpm

SHA-256: 61ab83265f090936d76d1c3fe2034545449d3d2365dc93f26803db5e87d1d23e

weldr-client-debugsource-35.9-1.el9.x86_64.rpm

SHA-256: 6b45bc6434a6f5ae6c03b0c0256d9584d00c837d2ee31c3cb64d5a90a959d8a4

weldr-client-tests-debuginfo-35.9-1.el9.x86_64.rpm

SHA-256: 646099e482f05e96fbe0781919a0f5169393876ea52b430eae491e0eccc1e561

Red Hat Enterprise Linux for IBM z Systems 9

SRPM

cockpit-composer-45-1.el9_2.src.rpm

SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f

osbuild-81-1.el9.src.rpm

SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0

osbuild-composer-76-2.el9_2.src.rpm

SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0

weldr-client-35.9-1.el9.src.rpm

SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd

s390x

cockpit-composer-45-1.el9_2.noarch.rpm

SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923

osbuild-81-1.el9.noarch.rpm

SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20

osbuild-composer-76-2.el9_2.s390x.rpm

SHA-256: a2a00265cb880b589286410d4e6319e8ae0c4f6e999fa083a82459d209bf3e98

osbuild-composer-core-76-2.el9_2.s390x.rpm

SHA-256: 38245cb714e509a944031a87359f0fcc96edf49c2d8f712e49176ec727b7d894

osbuild-composer-core-debuginfo-76-2.el9_2.s390x.rpm

SHA-256: 00a63b955b4d63e67bedd4746d35ca963918b723d6b90139729eeadda571386d

osbuild-composer-debuginfo-76-2.el9_2.s390x.rpm

SHA-256: 96cb74ddc8cbf359f78f100fbab2b8a3230ee85f300ab4369beee5230631b111

osbuild-composer-debugsource-76-2.el9_2.s390x.rpm

SHA-256: 41011caa8e258d0f1b797411da35736891ee3b992711f5a5e9ab1f9b26aaf9f2

osbuild-composer-dnf-json-76-2.el9_2.s390x.rpm

SHA-256: e7917731148356680a7a9c07aabec3d3680de2fab5750a498b95ca291352e6d5

osbuild-composer-tests-debuginfo-76-2.el9_2.s390x.rpm

SHA-256: e25638006cdb3d0fc053578dae5c0c9b7ce7f68ecacd8ad61e17f225cce710f0

osbuild-composer-worker-76-2.el9_2.s390x.rpm

SHA-256: 3c4b39e3f33e5e2fc98e617240ae0080c82d0feeb5cf44b68db0eba71cf2d41f

osbuild-composer-worker-debuginfo-76-2.el9_2.s390x.rpm

SHA-256: f34ea87898f8e6ff71f2f442f79d8c922f83e5a857270b5803757e74be802cf1

osbuild-luks2-81-1.el9.noarch.rpm

SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723

osbuild-lvm2-81-1.el9.noarch.rpm

SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b

osbuild-ostree-81-1.el9.noarch.rpm

SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942

osbuild-selinux-81-1.el9.noarch.rpm

SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b

python3-osbuild-81-1.el9.noarch.rpm

SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5

weldr-client-35.9-1.el9.s390x.rpm

SHA-256: 1623162076766a57ee26cb01c818a103377aefbce0cdec24cac96e62753de106

weldr-client-debuginfo-35.9-1.el9.s390x.rpm

SHA-256: 979a3d67ad277a36b6da2f43a49783238e3ead8b4d3f9d546ac4926f32f6955c

weldr-client-debugsource-35.9-1.el9.s390x.rpm

SHA-256: 8f423f3991fd64109063e0c0db67f1a5435b014b29f1aaebde7cbca4eaa6514b

weldr-client-tests-debuginfo-35.9-1.el9.s390x.rpm

SHA-256: abf50cc5d174fa26d1270aa3e2a14f4d7c5117af7087a4fa0f3ad5938919874c

Red Hat Enterprise Linux for Power, little endian 9

SRPM

cockpit-composer-45-1.el9_2.src.rpm

SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f

osbuild-81-1.el9.src.rpm

SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0

osbuild-composer-76-2.el9_2.src.rpm

SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0

weldr-client-35.9-1.el9.src.rpm

SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd

ppc64le

cockpit-composer-45-1.el9_2.noarch.rpm

SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923

osbuild-81-1.el9.noarch.rpm

SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20

osbuild-composer-76-2.el9_2.ppc64le.rpm

SHA-256: 2dbbe3ada3b17b07728d7f5f75116aee183fe014955afd8b267663f056e82ead

osbuild-composer-core-76-2.el9_2.ppc64le.rpm

SHA-256: 1aeca8965bf31fc3dab5a0d8a77845abe9fd34227d1e9efbe6a1bc53bcf3cc94

osbuild-composer-core-debuginfo-76-2.el9_2.ppc64le.rpm

SHA-256: f6375ef8cbdb30e2daf7755fa68f7079d0dc99aaf2a8b90abb470d538504c5d7

osbuild-composer-debuginfo-76-2.el9_2.ppc64le.rpm

SHA-256: 4793a12be71cc8af1b8a4d655857ae3e5dcae9ec9420101cb63c95b01dafccb7

osbuild-composer-debugsource-76-2.el9_2.ppc64le.rpm

SHA-256: ae524e6361557b7b5855ea76729dad573ee3e22096fa43f228c70ee6ed48d035

osbuild-composer-dnf-json-76-2.el9_2.ppc64le.rpm

SHA-256: 9070e241ca0717c4eca32cca9ac0d83b9c78add24d125e42e64fcfe13aa89a90

osbuild-composer-tests-debuginfo-76-2.el9_2.ppc64le.rpm

SHA-256: 91a65123feb357f5fad52124082d1f41169d99ea9f33eb9a612cbdee6c8bcebe

osbuild-composer-worker-76-2.el9_2.ppc64le.rpm

SHA-256: 6bf164e723baa7ac80badd9200702cc26e970cf3fe1487a21beab8c1273244f4

osbuild-composer-worker-debuginfo-76-2.el9_2.ppc64le.rpm

SHA-256: b209bd618b5a260def9eb617af20174f0b41d1f9995e7b6c5960b20228a50be4

osbuild-luks2-81-1.el9.noarch.rpm

SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723

osbuild-lvm2-81-1.el9.noarch.rpm

SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b

osbuild-ostree-81-1.el9.noarch.rpm

SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942

osbuild-selinux-81-1.el9.noarch.rpm

SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b

python3-osbuild-81-1.el9.noarch.rpm

SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5

weldr-client-35.9-1.el9.ppc64le.rpm

SHA-256: 77a2690b768883928cca0b78699ce70f44699043c00a408d5813ec039c8738dd

weldr-client-debuginfo-35.9-1.el9.ppc64le.rpm

SHA-256: 131d95ee0e9a36be53176e2c103fd5204497fa6d299f44ae187c0ee59281a9f1

weldr-client-debugsource-35.9-1.el9.ppc64le.rpm

SHA-256: 7eaf021b855ed531a6cb3ae0a6d7075f1383a18272830145bb50b3e6b86c95ef

weldr-client-tests-debuginfo-35.9-1.el9.ppc64le.rpm

SHA-256: d78fcd1acd8907989d6eedd69d25ef07864857579059e887b92ca735e71b232f

Red Hat Enterprise Linux for ARM 64 9

SRPM

cockpit-composer-45-1.el9_2.src.rpm

SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f

osbuild-81-1.el9.src.rpm

SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0

osbuild-composer-76-2.el9_2.src.rpm

SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0

weldr-client-35.9-1.el9.src.rpm

SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd

aarch64

cockpit-composer-45-1.el9_2.noarch.rpm

SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923

osbuild-81-1.el9.noarch.rpm

SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20

osbuild-composer-76-2.el9_2.aarch64.rpm

SHA-256: 487fc0488e9eff0ddbcab9108e599a32cecf3c9d1fc713562cf36f0ce538315e

osbuild-composer-core-76-2.el9_2.aarch64.rpm

SHA-256: 3dee53b009e0dd3d33c35e266aab86a888e85d672fdca189edc474384fdb3e0a

osbuild-composer-core-debuginfo-76-2.el9_2.aarch64.rpm

SHA-256: 37c0b01a6761323fb7d29078b84f3c8e1a2fb8cc222dc1689e4c2f0950a8133c

osbuild-composer-debuginfo-76-2.el9_2.aarch64.rpm

SHA-256: c1d3af89350a308368dfb70b1bf77101f1c543023af76faf47f4420836955335

osbuild-composer-debugsource-76-2.el9_2.aarch64.rpm

SHA-256: c9fe7d71da82c52238400fd5a0fc2c6a8f62a267ae4ce2102cce3891415aa179

osbuild-composer-dnf-json-76-2.el9_2.aarch64.rpm

SHA-256: 44e41d67f2ff72c08430b4ef1b65311cd7b48265b412fac64c6bd217440086f9

osbuild-composer-tests-debuginfo-76-2.el9_2.aarch64.rpm

SHA-256: 3b46f91b4002001a9d50d95caad6871123f85eee95154142503a3dc776fea300

osbuild-composer-worker-76-2.el9_2.aarch64.rpm

SHA-256: 6932814b09443599a1e5925e10614072938e7f518e2cfcb9d2b9784d3e6b59fa

osbuild-composer-worker-debuginfo-76-2.el9_2.aarch64.rpm

SHA-256: c2da056b5dd2118ff41e50c50a983160d8eda007be1e2737cae77ced172a21ea

osbuild-luks2-81-1.el9.noarch.rpm

SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723

osbuild-lvm2-81-1.el9.noarch.rpm

SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b

osbuild-ostree-81-1.el9.noarch.rpm

SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942

osbuild-selinux-81-1.el9.noarch.rpm

SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b

python3-osbuild-81-1.el9.noarch.rpm

SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5

weldr-client-35.9-1.el9.aarch64.rpm

SHA-256: 4a9a399971a1e0fcbe0047bde38771b37677d253c5d4c1f21d1a0a58bdfa698c

weldr-client-debuginfo-35.9-1.el9.aarch64.rpm

SHA-256: 5989be178e9b66531ef2932665b5359957f4f7df6e8db5decc05953dae707ea7

weldr-client-debugsource-35.9-1.el9.aarch64.rpm

SHA-256: 1494806b86716ebd2cfc516696846ea9dc2cb702b4e0de8fd4123f1c0a54d2f7

weldr-client-tests-debuginfo-35.9-1.el9.aarch64.rpm

SHA-256: 9141c76f8d7e6a1276d331e142868fd0490ed5dfbaf156997124ba7dd6d2329f

Related news

Ubuntu Security Notice USN-6038-2

Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

Red Hat Security Advisory 2023-4090-01

Red Hat Security Advisory 2023-4090-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5.

Red Hat Security Advisory 2023-4003-01

Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3915-01

Red Hat Security Advisory 2023-3915-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.44.

Red Hat Security Advisory 2023-3742-02

Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.

RHSA-2023:3664: Red Hat Security Advisory: OpenShift Jenkins image and Jenkins agent base image security update

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...

Red Hat Security Advisory 2023-3644-01

Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-3645-01

Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.

RHSA-2023:3642: Red Hat Security Advisory: Red Hat Ceph Storage 6.1 Container security and bug fix update

A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application. * CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following messa...

Red Hat Security Advisory 2023-1328-01

Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2023:3205: Red Hat Security Advisory: OpenShift Virtualization 4.13.0 Images security, bug fix, and enhancement update

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded...

RHSA-2023:2784: Red Hat Security Advisory: grafana security update

An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...

Red Hat Security Advisory 2023-2204-01

Red Hat Security Advisory 2023-2204-01 - Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

RHSA-2023:2193: Red Hat Security Advisory: butane security, bug fix, and enhancement update

An update for butane is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode an...

RHSA-2023:1154: Red Hat Security Advisory: OpenShift Container Platform 4.10.54 security update

Red Hat OpenShift Container Platform release 4.10.54 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

RHSA-2023:1276: Red Hat Security Advisory: Red Hat OpenStack Platform (collectd-libpod-stats) security update

An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very ...

Red Hat Security Advisory 2023-1030-01

Red Hat Security Advisory 2023-1030-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.30.

RHSA-2023:1030: Red Hat Security Advisory: OpenShift Container Platform 4.11.30 security update

Red Hat OpenShift Container Platform release 4.11.30 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total num...

Red Hat Security Advisory 2023-0899-01

Red Hat Security Advisory 2023-0899-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.53.

RHSA-2023:0934: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...

RHSA-2023:0918: Red Hat Security Advisory: Service Binding Operator security update

An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. W...

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2023-0774-01

Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2023:0769: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...

RHSA-2023:0769: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...

RHSA-2023:0769: Red Hat Security Advisory: OpenShift Container Platform 4.12.4 security update

Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...

Red Hat Security Advisory 2023-0727-01

Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.

Red Hat Security Advisory 2023-0727-01

Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.

RHSA-2023:0728: Red Hat Security Advisory: OpenShift Container Platform 4.12.3 security update

Red Hat OpenShift Container Platform release 4.12.3 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric...

Red Hat Security Advisory 2023-0693-01

Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:0692: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.7 security and bug fix update

OpenShift API for Data Protection (OADP) 1.0.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability. * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an at...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

RHSA-2023:0445: Red Hat Security Advisory: go-toolset-1.18 security update

An update for go-toolset-1.18 and go-toolset-1.18-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

RHSA-2023:0445: Red Hat Security Advisory: go-toolset-1.18 security update

An update for go-toolset-1.18 and go-toolset-1.18-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

RHSA-2023:0445: Red Hat Security Advisory: go-toolset-1.18 security update

An update for go-toolset-1.18 and go-toolset-1.18-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

RHSA-2023:0328: Red Hat Security Advisory: go-toolset and golang security and bug fix update

An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

RHSA-2023:0328: Red Hat Security Advisory: go-toolset and golang security and bug fix update

An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

RHSA-2023:0328: Red Hat Security Advisory: go-toolset and golang security and bug fix update

An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

CVE-2022-41720: [security] Go 1.19.4 and Go 1.18.9 are released

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

RHSA-2022:8626: Red Hat Security Advisory: OpenShift Container Platform 4.11.17 packages and security update

Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32148: golang: net/http/ht...

RHSA-2022:8634: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.1 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...

Red Hat Security Advisory 2022-7129-01

Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.

CVE-2022-2879: archive/tar: unbounded memory consumption when reading headers · Issue #54853 · golang/go

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

CVE-2022-39278: Announcing Istio 1.13.9

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.

Gentoo Linux Security Advisory 202209-26

Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.

CVE-2022-27664: [security] Go 1.19.1 and Go 1.18.6 are released

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.