RHSA-2023:2204: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
- CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
- CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
- CVE-2022-41715: A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size, but in some cases the constant factor can be as high as 40,000, so a relatively small regexp can consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint; regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
- CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
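The ReverseProxy behaviour described for CVE-2022-2880, shown in Go as an added example (not Red Hat's or the Go project's code): a constructed loopback backend records the query string a httputil.ReverseProxy forwards, once with a Director that never parses the query and once with a Director that calls ParseForm(), which is the "Form field is set after Director returns" condition from the fix. The function forwardedQuery, the backend and the sample query "a=1&b=%zz" are constructed for this illustration, and the result assumes a Go toolchain carrying the fix (1.18.7 / 1.19.2 or later).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// forwardedQuery sends one request carrying rawQuery through a
// httputil.ReverseProxy that fronts a constructed loopback backend and
// returns the raw query string the backend actually received.
//
// With parseForm set, the Director calls ParseForm(), which leaves the
// outbound request's Form non-nil when Director returns. Per the
// CVE-2022-2880 fix, a proxy in that state has unparseable parameters
// dropped from the forwarded query; a proxy that never parses the query
// forwards it unchanged, so the backend must validate it itself.
func forwardedQuery(rawQuery string, parseForm bool) (string, error) {
	// Channel (not a shared variable) so the handler goroutine and the
	// caller are synchronised without relying on the HTTP round-trip.
	received := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		received <- r.URL.RawQuery
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if parseForm {
		rewrite := proxy.Director
		proxy.Director = func(req *http.Request) {
			rewrite(req)
			// A proxy that routes, authorises or logs on query parameters
			// has parsed them. The parse error is not the point here; the
			// point is that req.Form is set when Director returns.
			_ = req.ParseForm()
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + rawQuery)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-received, nil
}

func main() {
	// Constructed inbound query: "a=1" is well-formed, "b=%zz" carries an
	// invalid percent-escape that url.ParseQuery rejects.
	const raw = "a=1&b=%zz"
	for _, parse := range []bool{false, true} {
		got, err := forwardedQuery(raw, parse)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("director parses form=%-5v forwarded query: %q\n", parse, got)
	}
}
```

Only the parsing proxy ends up forwarding "a=1"; the non-parsing proxy still forwards "a=1&b=%zz" verbatim, which is the case the advisory text says remains unchanged after the fix.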
Synopsis
Moderate: Image Builder security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
Security Fix(es):
- golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
- golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
- golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2119980 - edge-installer ISO install failed at dracut-initqueue timeout
- BZ - 2122843 - coreos-installer-0.15.0-2.el9 does not work with osbuild-composer-62-1.el9
- BZ - 2123373 - edge images default to LVM [rhel-9.2.0]
- BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- BZ - 2125249 - podman network backend does not switch to netavark when embedding container in image [rhel-9.2.0]
- BZ - 2132250 - Update Image Builder suite of projects to their latest upstream releases [RHEL-9.2]
- BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
- BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
- BZ - 2136504 - osbuild-composer can’t access /var/cache/osbuild-composer/rpmmd on package upgrade from 9.0
- BZ - 2137364 - composer-cli blueprints show command fails when firewall customization is included in a blueprint
- BZ - 2139645 - [cockpit-composer] RHEL 9.2 Tier 0 Localization
- BZ - 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
- BZ - 2164560 - Rebase to weldr-client v35.9
- BZ - 2174158 - systemd units aren’t enabled/started using ignition
- BZ - 2177699 - Composer is not setting the rpm stage options in the os pipeline correctly for payload repositories
CVEs
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-27664
- CVE-2022-41715
- CVE-2022-41717
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
cockpit-composer-45-1.el9_2.src.rpm
SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f
osbuild-81-1.el9.src.rpm
SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0
osbuild-composer-76-2.el9_2.src.rpm
SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0
weldr-client-35.9-1.el9.src.rpm
SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd
x86_64
cockpit-composer-45-1.el9_2.noarch.rpm
SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923
osbuild-81-1.el9.noarch.rpm
SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20
osbuild-composer-76-2.el9_2.x86_64.rpm
SHA-256: cdec9b08c3e796b0dba60ed41097e672ac7c8677794c9c2d1edf91337c5391af
osbuild-composer-core-76-2.el9_2.x86_64.rpm
SHA-256: 37a8f4521c9f2af682ad960230351f14b85e72b03a60adc9b259f54912e3d8cb
osbuild-composer-core-debuginfo-76-2.el9_2.x86_64.rpm
SHA-256: 2bf9f4def8ecee743fabe2d4436b0f3e9c413efff7a44efecdc63c65b6c82b28
osbuild-composer-debuginfo-76-2.el9_2.x86_64.rpm
SHA-256: 76dda80b13969fbf1e97af2d0bf68752a3a5332ad394bfb41902db38d62ba1cd
osbuild-composer-debugsource-76-2.el9_2.x86_64.rpm
SHA-256: 0580e9e923eddd3f4da5abd4f3a57b3db0fd01d34db30162aaab7e7ace9c839a
osbuild-composer-dnf-json-76-2.el9_2.x86_64.rpm
SHA-256: 6da9d0ed0f826fb4cccd80201bd046c2cbe31da33c7c9e8d311b135f32a9b31e
osbuild-composer-tests-debuginfo-76-2.el9_2.x86_64.rpm
SHA-256: 9e35a40b6795310831a5069a6c1653bff87cba883e46b5cd2b0894575caca7d4
osbuild-composer-worker-76-2.el9_2.x86_64.rpm
SHA-256: ce5712b111bd07b0e28a0751c64454b28df988a3a8c3b9d2e919480c4b4fa510
osbuild-composer-worker-debuginfo-76-2.el9_2.x86_64.rpm
SHA-256: 48a80eea8255983b5fb76bc4948f82cd3c0df2c81f1752272a51aa95cdc71a28
osbuild-luks2-81-1.el9.noarch.rpm
SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723
osbuild-lvm2-81-1.el9.noarch.rpm
SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b
osbuild-ostree-81-1.el9.noarch.rpm
SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942
osbuild-selinux-81-1.el9.noarch.rpm
SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b
python3-osbuild-81-1.el9.noarch.rpm
SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5
weldr-client-35.9-1.el9.x86_64.rpm
SHA-256: c54f1ec74510ea6c26887cc8d9ba12455cab334ad063aa74c67590995b941b85
weldr-client-debuginfo-35.9-1.el9.x86_64.rpm
SHA-256: 61ab83265f090936d76d1c3fe2034545449d3d2365dc93f26803db5e87d1d23e
weldr-client-debugsource-35.9-1.el9.x86_64.rpm
SHA-256: 6b45bc6434a6f5ae6c03b0c0256d9584d00c837d2ee31c3cb64d5a90a959d8a4
weldr-client-tests-debuginfo-35.9-1.el9.x86_64.rpm
SHA-256: 646099e482f05e96fbe0781919a0f5169393876ea52b430eae491e0eccc1e561
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
cockpit-composer-45-1.el9_2.src.rpm
SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f
osbuild-81-1.el9.src.rpm
SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0
osbuild-composer-76-2.el9_2.src.rpm
SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0
weldr-client-35.9-1.el9.src.rpm
SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd
s390x
cockpit-composer-45-1.el9_2.noarch.rpm
SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923
osbuild-81-1.el9.noarch.rpm
SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20
osbuild-composer-76-2.el9_2.s390x.rpm
SHA-256: a2a00265cb880b589286410d4e6319e8ae0c4f6e999fa083a82459d209bf3e98
osbuild-composer-core-76-2.el9_2.s390x.rpm
SHA-256: 38245cb714e509a944031a87359f0fcc96edf49c2d8f712e49176ec727b7d894
osbuild-composer-core-debuginfo-76-2.el9_2.s390x.rpm
SHA-256: 00a63b955b4d63e67bedd4746d35ca963918b723d6b90139729eeadda571386d
osbuild-composer-debuginfo-76-2.el9_2.s390x.rpm
SHA-256: 96cb74ddc8cbf359f78f100fbab2b8a3230ee85f300ab4369beee5230631b111
osbuild-composer-debugsource-76-2.el9_2.s390x.rpm
SHA-256: 41011caa8e258d0f1b797411da35736891ee3b992711f5a5e9ab1f9b26aaf9f2
osbuild-composer-dnf-json-76-2.el9_2.s390x.rpm
SHA-256: e7917731148356680a7a9c07aabec3d3680de2fab5750a498b95ca291352e6d5
osbuild-composer-tests-debuginfo-76-2.el9_2.s390x.rpm
SHA-256: e25638006cdb3d0fc053578dae5c0c9b7ce7f68ecacd8ad61e17f225cce710f0
osbuild-composer-worker-76-2.el9_2.s390x.rpm
SHA-256: 3c4b39e3f33e5e2fc98e617240ae0080c82d0feeb5cf44b68db0eba71cf2d41f
osbuild-composer-worker-debuginfo-76-2.el9_2.s390x.rpm
SHA-256: f34ea87898f8e6ff71f2f442f79d8c922f83e5a857270b5803757e74be802cf1
osbuild-luks2-81-1.el9.noarch.rpm
SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723
osbuild-lvm2-81-1.el9.noarch.rpm
SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b
osbuild-ostree-81-1.el9.noarch.rpm
SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942
osbuild-selinux-81-1.el9.noarch.rpm
SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b
python3-osbuild-81-1.el9.noarch.rpm
SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5
weldr-client-35.9-1.el9.s390x.rpm
SHA-256: 1623162076766a57ee26cb01c818a103377aefbce0cdec24cac96e62753de106
weldr-client-debuginfo-35.9-1.el9.s390x.rpm
SHA-256: 979a3d67ad277a36b6da2f43a49783238e3ead8b4d3f9d546ac4926f32f6955c
weldr-client-debugsource-35.9-1.el9.s390x.rpm
SHA-256: 8f423f3991fd64109063e0c0db67f1a5435b014b29f1aaebde7cbca4eaa6514b
weldr-client-tests-debuginfo-35.9-1.el9.s390x.rpm
SHA-256: abf50cc5d174fa26d1270aa3e2a14f4d7c5117af7087a4fa0f3ad5938919874c
Red Hat Enterprise Linux for Power, little endian 9
SRPM
cockpit-composer-45-1.el9_2.src.rpm
SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f
osbuild-81-1.el9.src.rpm
SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0
osbuild-composer-76-2.el9_2.src.rpm
SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0
weldr-client-35.9-1.el9.src.rpm
SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd
ppc64le
cockpit-composer-45-1.el9_2.noarch.rpm
SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923
osbuild-81-1.el9.noarch.rpm
SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20
osbuild-composer-76-2.el9_2.ppc64le.rpm
SHA-256: 2dbbe3ada3b17b07728d7f5f75116aee183fe014955afd8b267663f056e82ead
osbuild-composer-core-76-2.el9_2.ppc64le.rpm
SHA-256: 1aeca8965bf31fc3dab5a0d8a77845abe9fd34227d1e9efbe6a1bc53bcf3cc94
osbuild-composer-core-debuginfo-76-2.el9_2.ppc64le.rpm
SHA-256: f6375ef8cbdb30e2daf7755fa68f7079d0dc99aaf2a8b90abb470d538504c5d7
osbuild-composer-debuginfo-76-2.el9_2.ppc64le.rpm
SHA-256: 4793a12be71cc8af1b8a4d655857ae3e5dcae9ec9420101cb63c95b01dafccb7
osbuild-composer-debugsource-76-2.el9_2.ppc64le.rpm
SHA-256: ae524e6361557b7b5855ea76729dad573ee3e22096fa43f228c70ee6ed48d035
osbuild-composer-dnf-json-76-2.el9_2.ppc64le.rpm
SHA-256: 9070e241ca0717c4eca32cca9ac0d83b9c78add24d125e42e64fcfe13aa89a90
osbuild-composer-tests-debuginfo-76-2.el9_2.ppc64le.rpm
SHA-256: 91a65123feb357f5fad52124082d1f41169d99ea9f33eb9a612cbdee6c8bcebe
osbuild-composer-worker-76-2.el9_2.ppc64le.rpm
SHA-256: 6bf164e723baa7ac80badd9200702cc26e970cf3fe1487a21beab8c1273244f4
osbuild-composer-worker-debuginfo-76-2.el9_2.ppc64le.rpm
SHA-256: b209bd618b5a260def9eb617af20174f0b41d1f9995e7b6c5960b20228a50be4
osbuild-luks2-81-1.el9.noarch.rpm
SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723
osbuild-lvm2-81-1.el9.noarch.rpm
SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b
osbuild-ostree-81-1.el9.noarch.rpm
SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942
osbuild-selinux-81-1.el9.noarch.rpm
SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b
python3-osbuild-81-1.el9.noarch.rpm
SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5
weldr-client-35.9-1.el9.ppc64le.rpm
SHA-256: 77a2690b768883928cca0b78699ce70f44699043c00a408d5813ec039c8738dd
weldr-client-debuginfo-35.9-1.el9.ppc64le.rpm
SHA-256: 131d95ee0e9a36be53176e2c103fd5204497fa6d299f44ae187c0ee59281a9f1
weldr-client-debugsource-35.9-1.el9.ppc64le.rpm
SHA-256: 7eaf021b855ed531a6cb3ae0a6d7075f1383a18272830145bb50b3e6b86c95ef
weldr-client-tests-debuginfo-35.9-1.el9.ppc64le.rpm
SHA-256: d78fcd1acd8907989d6eedd69d25ef07864857579059e887b92ca735e71b232f
Red Hat Enterprise Linux for ARM 64 9
SRPM
cockpit-composer-45-1.el9_2.src.rpm
SHA-256: e8864b5ab251dcfee8592f79444a17e630211373462b4639d4a6e228f916325f
osbuild-81-1.el9.src.rpm
SHA-256: a3372d0d234590b6c9d4823363b74e1d05d1b7d7679ef0858442c816dbbd7ba0
osbuild-composer-76-2.el9_2.src.rpm
SHA-256: fd31073e7bd7f0bf363aa8a112e3f9e44aa38990e8afaf6aecc019c806d084e0
weldr-client-35.9-1.el9.src.rpm
SHA-256: 55b1d5988b5f41dadba169a111c3e8b6dffbcc9566d82c58021b5366abb7bcbd
aarch64
cockpit-composer-45-1.el9_2.noarch.rpm
SHA-256: d27f9853cbed79a857301dcb3871710504baa9ab4d238c982a7503476905d923
osbuild-81-1.el9.noarch.rpm
SHA-256: 2614ec98a1d4ac180c8b10fd44f19267feaa5a233a9a504d1f4fc174f2f91d20
osbuild-composer-76-2.el9_2.aarch64.rpm
SHA-256: 487fc0488e9eff0ddbcab9108e599a32cecf3c9d1fc713562cf36f0ce538315e
osbuild-composer-core-76-2.el9_2.aarch64.rpm
SHA-256: 3dee53b009e0dd3d33c35e266aab86a888e85d672fdca189edc474384fdb3e0a
osbuild-composer-core-debuginfo-76-2.el9_2.aarch64.rpm
SHA-256: 37c0b01a6761323fb7d29078b84f3c8e1a2fb8cc222dc1689e4c2f0950a8133c
osbuild-composer-debuginfo-76-2.el9_2.aarch64.rpm
SHA-256: c1d3af89350a308368dfb70b1bf77101f1c543023af76faf47f4420836955335
osbuild-composer-debugsource-76-2.el9_2.aarch64.rpm
SHA-256: c9fe7d71da82c52238400fd5a0fc2c6a8f62a267ae4ce2102cce3891415aa179
osbuild-composer-dnf-json-76-2.el9_2.aarch64.rpm
SHA-256: 44e41d67f2ff72c08430b4ef1b65311cd7b48265b412fac64c6bd217440086f9
osbuild-composer-tests-debuginfo-76-2.el9_2.aarch64.rpm
SHA-256: 3b46f91b4002001a9d50d95caad6871123f85eee95154142503a3dc776fea300
osbuild-composer-worker-76-2.el9_2.aarch64.rpm
SHA-256: 6932814b09443599a1e5925e10614072938e7f518e2cfcb9d2b9784d3e6b59fa
osbuild-composer-worker-debuginfo-76-2.el9_2.aarch64.rpm
SHA-256: c2da056b5dd2118ff41e50c50a983160d8eda007be1e2737cae77ced172a21ea
osbuild-luks2-81-1.el9.noarch.rpm
SHA-256: 54898e84c43f005a093adb0f9da8c7ae3e896838a236e119aae84f830982c723
osbuild-lvm2-81-1.el9.noarch.rpm
SHA-256: 98cf372383cbdfe8016a68b0c59e7776f326cae949f67f53a7bb42fb948ee55b
osbuild-ostree-81-1.el9.noarch.rpm
SHA-256: f142810e923c1b6591bff1a2de2f6ba900ca5108581a0e13f562de2a9ea97942
osbuild-selinux-81-1.el9.noarch.rpm
SHA-256: 46cb15fb86584581d40c8d9428d3314709729e40d90ef821863168b09a75443b
python3-osbuild-81-1.el9.noarch.rpm
SHA-256: 14d5899ef08657ab204b8078b6f8c3cba179c9660961030fcff6f5c35e4b3ee5
weldr-client-35.9-1.el9.aarch64.rpm
SHA-256: 4a9a399971a1e0fcbe0047bde38771b37677d253c5d4c1f21d1a0a58bdfa698c
weldr-client-debuginfo-35.9-1.el9.aarch64.rpm
SHA-256: 5989be178e9b66531ef2932665b5359957f4f7df6e8db5decc05953dae707ea7
weldr-client-debugsource-35.9-1.el9.aarch64.rpm
SHA-256: 1494806b86716ebd2cfc516696846ea9dc2cb702b4e0de8fd4123f1c0a54d2f7
weldr-client-tests-debuginfo-35.9-1.el9.aarch64.rpm
SHA-256: 9141c76f8d7e6a1276d331e142868fd0490ed5dfbaf156997124ba7dd6d2329f
Related news
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
Red Hat Security Advisory 2023-4090-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5.
Red Hat Security Advisory 2023-4003-01 - As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3915-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.44.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where reques...
Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.
A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application. * CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following messa...
Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded...
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy saniti...
Red Hat Security Advisory 2023-2204-01 - Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
An update for butane is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode an...
Red Hat OpenShift Container Platform release 4.10.54 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issu...
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very ...
Red Hat Security Advisory 2023-1030-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.30.
Red Hat OpenShift Container Platform release 4.11.30 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total num...
Red Hat Security Advisory 2023-0899-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.53.
Migration Toolkit for Applications 6.0.1 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...
An update for service-binding-operator-bundle-container and service-binding-operator-container is now available for OpenShift Developer Tools and Services for OCP 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. W...
Red Hat Security Advisory 2023-0774-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.28. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Container Platform release 4.12.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total numb...
Red Hat Security Advisory 2023-0727-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.3.
Red Hat OpenShift Container Platform release 4.12.3 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric...
Red Hat Security Advisory 2023-0693-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.0.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability. * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an at...
Red Hat OpenShift Service Mesh 2.3.1 Containers. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
An update for go-toolset-1.18 and go-toolset-1.18-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps
An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715: golang: regexp/syntax: limit memory used by parsing regexps
Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With the fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.
Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32148: golang: net/http/ht...
OpenShift API for Data Protection (OADP) 1.1.1 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30635: golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32190: golang: net/url: JoinPath does not strip relative path components i...
Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error: a malicious attacker can send a specially crafted or oversized message that crashes the control plane when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.
Gentoo Linux Security Advisory 202209-26 - Multiple vulnerabilities have been discovered in Go, the worst of which could result in denial of service. Versions less than 1.18.6 are affected.
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.