Headline
RHSA-2022:7548: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Synopsis
Low: Image Builder security, bug fix, and enhancement update
Type/Severity
Security Advisory: Low
Description
Image Builder is a service, built on osbuild, for producing customized OS artifacts such as VM images and OSTree commits.
Security Fix(es):
- golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
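The flaw behind CVE-2022-32189 is in the gob decoders of math/big: (*big.Float).GobDecode and (*big.Rat).GobDecode read fixed-offset fields from the incoming buffer without first checking that the buffer is long enough, so a message that is shorter than the header it claims to carry makes the decoder index past the end of the slice and panic, crashing whatever process is decoding attacker-supplied data. Go 1.17.13 and 1.18.5 added the length checks, and GobDecode now returns an error instead. The following Go program is an added example (not code from Red Hat, osbuild-composer or the Go project) that builds a truncated encoding of each type and shows the difference between a guarded decode and a bare one; the SafeDecode* wrappers, the truncation points and the sample values are the example's own choices, and the recover path only matters on an unpatched toolchain.

```go
package main

import (
	"fmt"
	"math/big"
)

// SafeDecodeFloat decodes a gob-encoded big.Float without letting a
// malformed message crash the process. On Go builds without the fix for
// CVE-2022-32189, (*big.Float).GobDecode reads past the end of a too-short
// buffer and panics with an index-out-of-range; the deferred recover turns
// that panic into an ordinary error. On fixed Go, GobDecode returns an
// error itself and the recover path is never taken.
func SafeDecodeFloat(buf []byte) (f *big.Float, err error) {
	defer func() {
		if p := recover(); p != nil {
			f, err = nil, fmt.Errorf("big.Float GobDecode panicked: %v", p)
		}
	}()
	f = new(big.Float)
	if e := f.GobDecode(buf); e != nil {
		return nil, e
	}
	return f, nil
}

// SafeDecodeRat is the same guard for big.Rat, the other type named in the CVE.
func SafeDecodeRat(buf []byte) (r *big.Rat, err error) {
	defer func() {
		if p := recover(); p != nil {
			r, err = nil, fmt.Errorf("big.Rat GobDecode panicked: %v", p)
		}
	}()
	r = new(big.Rat)
	if e := r.GobDecode(buf); e != nil {
		return nil, e
	}
	return r, nil
}

// TruncatedFloatGob is a constructed malformed message. A finite big.Float
// encodes as: version byte, flags byte, 4-byte precision, 4-byte exponent,
// mantissa. Cutting after the precision field yields a buffer that claims a
// finite value but carries no exponent or mantissa.
func TruncatedFloatGob() []byte {
	full, err := big.NewFloat(3.14159).GobEncode()
	if err != nil {
		panic(err)
	}
	return full[:6]
}

// TruncatedRatGob is a constructed malformed message. A big.Rat encodes as:
// version/sign byte, 4-byte numerator length, numerator bytes, denominator
// bytes. Cutting inside the length field leaves a 3-byte buffer.
func TruncatedRatGob() []byte {
	full, err := big.NewRat(22, 7).GobEncode()
	if err != nil {
		panic(err)
	}
	return full[:3]
}

// RoundTripFloat confirms the guard does not interfere with well-formed input.
func RoundTripFloat(v float64) (bool, error) {
	enc, err := big.NewFloat(v).GobEncode()
	if err != nil {
		return false, err
	}
	dec, err := SafeDecodeFloat(enc)
	if err != nil {
		return false, err
	}
	return dec.Cmp(big.NewFloat(v)) == 0, nil
}

func main() {
	if _, err := SafeDecodeFloat(TruncatedFloatGob()); err != nil {
		fmt.Println("truncated big.Float rejected:", err)
	}
	if _, err := SafeDecodeRat(TruncatedRatGob()); err != nil {
		fmt.Println("truncated big.Rat rejected:", err)
	}
	ok, err := RoundTripFloat(3.14159)
	fmt.Println("well-formed big.Float round-trips:", ok, err)
}
```

The recover wrapper is a containment measure for services that cannot be rebuilt immediately, not a substitute for the update: it keeps one bad message from taking down a long-running daemon, but the real fix is the bounds check inside GobDecode that a rebuilt Go binary carries.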
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2059867 - Update osbuild to the newest upstream version in RHEL 8.7
- BZ - 2059868 - Update osbuild-composer to the newest upstream version in RHEL 8.7
- BZ - 2060063 - Rebase cockpit-composer to newest release for RHEL 8.7
- BZ - 2062694 - [cockpit-composer] RHEL 8.7 Tier 0 Localization
- BZ - 2065734 - Build fails for packages in blueprint that contain conditional dependencies
- BZ - 2104464 - [osbuild] Image builder does not support the use of a dot inside a username
- BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
- BZ - 2118829 - Backport test changes for new osbuild-composer
References
- https://access.redhat.com/security/updates/classification/#low
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
cockpit-composer-41-1.el8.src.rpm
SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08
osbuild-65-1.el8.src.rpm
SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0
osbuild-composer-62-1.el8.src.rpm
SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f
weldr-client-35.5-4.el8.src.rpm
SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057
x86_64
cockpit-composer-41-1.el8.noarch.rpm
SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a
osbuild-65-1.el8.noarch.rpm
SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74
osbuild-composer-62-1.el8.x86_64.rpm
SHA-256: 907cd771fd72893a5e629ded8148009236c221a69a911988488e5cca0b5ca424
osbuild-composer-core-62-1.el8.x86_64.rpm
SHA-256: 6d0a0edba97797d6b25cc6f7d606c5fa92b66cae04bb7b2b05449fbae43306b9
osbuild-composer-core-debuginfo-62-1.el8.x86_64.rpm
SHA-256: 159b3045ed798ac73367ffa9d2b7a935e05e2af4ac21ee8364814a04160961db
osbuild-composer-debuginfo-62-1.el8.x86_64.rpm
SHA-256: 44373704b3491ee50015748413bb661d990e1d2f576c94dd1588e98c1a88b429
osbuild-composer-debugsource-62-1.el8.x86_64.rpm
SHA-256: 31893e2a0d289ee43d408effd1cd329f1d0a34f82597a4217d209fab31efe6d7
osbuild-composer-dnf-json-62-1.el8.x86_64.rpm
SHA-256: b9c29225db4acfdfbd4b2a62165ba1db0a8957c8701bf6103079d35f81030ddb
osbuild-composer-tests-debuginfo-62-1.el8.x86_64.rpm
SHA-256: a8b03b955859f920e2610a493f6adadb56a01cc0dce72f17a9111b45fb78956c
osbuild-composer-worker-62-1.el8.x86_64.rpm
SHA-256: eae863e5944f8c79a2ea50e0ced54e2400bd329c939f77f0c8fa839e5813f13a
osbuild-composer-worker-debuginfo-62-1.el8.x86_64.rpm
SHA-256: a4ec3408187ca89a895832c4a7fb73a910dc1cacf349ebf40daa016bdd7fa1a7
osbuild-luks2-65-1.el8.noarch.rpm
SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14
osbuild-lvm2-65-1.el8.noarch.rpm
SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228
osbuild-ostree-65-1.el8.noarch.rpm
SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0
osbuild-selinux-65-1.el8.noarch.rpm
SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530
python3-osbuild-65-1.el8.noarch.rpm
SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17
weldr-client-35.5-4.el8.x86_64.rpm
SHA-256: 5240e566dbe50022ca691288ffa1f3b252f79419141e44cf1939df234e403465
weldr-client-debuginfo-35.5-4.el8.x86_64.rpm
SHA-256: 6cdb8e5c0c677ab2ff24bcd1f2775d5aa7a20cbb2eb23f2159ef0e509c113078
weldr-client-debugsource-35.5-4.el8.x86_64.rpm
SHA-256: 03e57b9f35da8f9147c69629484620009af6a5760d5e30d350bb4b534351f6f0
weldr-client-tests-debuginfo-35.5-4.el8.x86_64.rpm
SHA-256: 214578e864ee1ebc8a6484aadf79aeb4ce07285c38e5db61509a0a9a62c4a19c
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
cockpit-composer-41-1.el8.src.rpm
SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08
osbuild-65-1.el8.src.rpm
SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0
osbuild-composer-62-1.el8.src.rpm
SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f
weldr-client-35.5-4.el8.src.rpm
SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057
s390x
cockpit-composer-41-1.el8.noarch.rpm
SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a
osbuild-65-1.el8.noarch.rpm
SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74
osbuild-composer-62-1.el8.s390x.rpm
SHA-256: e415eb3e1650d887489111a9579fb27d170c5ae5cd74cf787ea36eebe3463e27
osbuild-composer-core-62-1.el8.s390x.rpm
SHA-256: 6238caeb38f41f694936b3955b50ff2b0b0298779bf1bcaa63100f0d6acf1fbe
osbuild-composer-core-debuginfo-62-1.el8.s390x.rpm
SHA-256: adaf6a669a5beabc80edb029cc5b41ce9811e22be431ce393675ee99dca0e4c2
osbuild-composer-debuginfo-62-1.el8.s390x.rpm
SHA-256: 2d5cbe6d882fd9f0e7159703862d819fffeb0ff848bfcb6c124d212e3b9f32f8
osbuild-composer-debugsource-62-1.el8.s390x.rpm
SHA-256: ced605f8d96055b751fee7e6fe2208e88952799cb785aad035f3494727e841e5
osbuild-composer-dnf-json-62-1.el8.s390x.rpm
SHA-256: 6c266feaf95f38a3c07be7a75bbbb409a23892335f3b6645dd906c94ac40a5d5
osbuild-composer-tests-debuginfo-62-1.el8.s390x.rpm
SHA-256: 684eca8aaf6345430e83f670abd023e966057adf0164fc9e512fba56583fd171
osbuild-composer-worker-62-1.el8.s390x.rpm
SHA-256: 2d545ce81ef9bf00c9f00108fed784c4370fb571de2992349889eaca78b5a137
osbuild-composer-worker-debuginfo-62-1.el8.s390x.rpm
SHA-256: 1cea8759f3ab187fe95fd894821f2674ba2a6c487614c79345a0973706df6130
osbuild-luks2-65-1.el8.noarch.rpm
SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14
osbuild-lvm2-65-1.el8.noarch.rpm
SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228
osbuild-ostree-65-1.el8.noarch.rpm
SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0
osbuild-selinux-65-1.el8.noarch.rpm
SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530
python3-osbuild-65-1.el8.noarch.rpm
SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17
weldr-client-35.5-4.el8.s390x.rpm
SHA-256: 712ce55dd30d345048ba3b6234c6701ae6cf07cfe4057c07483350e227a0adf4
weldr-client-debuginfo-35.5-4.el8.s390x.rpm
SHA-256: ebbc19519952d3d264bc65d56e8b62041189d628419975ccdc5fd608bced55a1
weldr-client-debugsource-35.5-4.el8.s390x.rpm
SHA-256: 4431d01fc98e9de26f3ffda790b8636bba324694df4c7113ad79d6675e9bbf2e
weldr-client-tests-debuginfo-35.5-4.el8.s390x.rpm
SHA-256: df5318d4195278aebf45bfbe577b6af6b3d9a9edebe2d5c0ea58813f6002e7a5
Red Hat Enterprise Linux for Power, little endian 8
SRPM
cockpit-composer-41-1.el8.src.rpm
SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08
osbuild-65-1.el8.src.rpm
SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0
osbuild-composer-62-1.el8.src.rpm
SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f
weldr-client-35.5-4.el8.src.rpm
SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057
ppc64le
cockpit-composer-41-1.el8.noarch.rpm
SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a
osbuild-65-1.el8.noarch.rpm
SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74
osbuild-composer-62-1.el8.ppc64le.rpm
SHA-256: 91d0803e7adc0c3b9de8ccb8792ecc162c6c0290652f7c62d593cf29bbee1552
osbuild-composer-core-62-1.el8.ppc64le.rpm
SHA-256: f61b7b63a8099edd0d897f3e7cc2575d9a182866ac89ce3cab1589e5ef173f53
osbuild-composer-core-debuginfo-62-1.el8.ppc64le.rpm
SHA-256: 2178d91ed864d814dee56c20d80ccaa255b68d402536f51c3887ec3caaff3ca2
osbuild-composer-debuginfo-62-1.el8.ppc64le.rpm
SHA-256: 56528cf1ad242a62847cd3751c88cbf6cbedcf4b3e369798fd95e5cc660451c4
osbuild-composer-debugsource-62-1.el8.ppc64le.rpm
SHA-256: da1255dbd8a8af6193e61b9e94b5e942a8c57da73b608196a364e5d0965bd1a0
osbuild-composer-dnf-json-62-1.el8.ppc64le.rpm
SHA-256: b230f2071bbeb02c3322003c8ce6cd52d4cfa4ced9d1725df00079216cd4c4ca
osbuild-composer-tests-debuginfo-62-1.el8.ppc64le.rpm
SHA-256: afeb95ae0b6debf0e7c49d11c4f15e8503460ca1f8f0ea84a7507ea86249418d
osbuild-composer-worker-62-1.el8.ppc64le.rpm
SHA-256: 6f8e36a44549b806a7d848728f6d14422ea9e66c4b48eaf5245e33bda3b68525
osbuild-composer-worker-debuginfo-62-1.el8.ppc64le.rpm
SHA-256: 817ca19b0a1736ae8fa05d478d725ac0c552082be27569f1c494c42afb49d9d6
osbuild-luks2-65-1.el8.noarch.rpm
SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14
osbuild-lvm2-65-1.el8.noarch.rpm
SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228
osbuild-ostree-65-1.el8.noarch.rpm
SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0
osbuild-selinux-65-1.el8.noarch.rpm
SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530
python3-osbuild-65-1.el8.noarch.rpm
SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17
weldr-client-35.5-4.el8.ppc64le.rpm
SHA-256: beedb5d165cd86ba70c5c2e7a92739204badc2232900c4d94a8ac9cd69244e0a
weldr-client-debuginfo-35.5-4.el8.ppc64le.rpm
SHA-256: e44af932747d42753c11ea119de0014fd9872a3d6525a23c77a984f500549939
weldr-client-debugsource-35.5-4.el8.ppc64le.rpm
SHA-256: 4fc36c6203ed42a8f38efa64854cbb3021c4e85b6331a8dc067f086f75d41431
weldr-client-tests-debuginfo-35.5-4.el8.ppc64le.rpm
SHA-256: bc5320bafc9c9705ceb161122221113bbf1a57ad263753ed7a2b1ee18b87a5c9
Red Hat Enterprise Linux for ARM 64 8
SRPM
cockpit-composer-41-1.el8.src.rpm
SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08
osbuild-65-1.el8.src.rpm
SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0
osbuild-composer-62-1.el8.src.rpm
SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f
weldr-client-35.5-4.el8.src.rpm
SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057
aarch64
cockpit-composer-41-1.el8.noarch.rpm
SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a
osbuild-65-1.el8.noarch.rpm
SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74
osbuild-composer-62-1.el8.aarch64.rpm
SHA-256: 5d8a70d78e8af38e6d99585b9ea5d0d044eb493d3195746fd3db395031f99d1e
osbuild-composer-core-62-1.el8.aarch64.rpm
SHA-256: 4985c59760c9003ddea82151cfa0eb91eb0555614c2498b7e1d4b565a498452b
osbuild-composer-core-debuginfo-62-1.el8.aarch64.rpm
SHA-256: 347dc84703ce01f7ac65153e487a941bf3e4e650770cccc2dc15acb967659324
osbuild-composer-debuginfo-62-1.el8.aarch64.rpm
SHA-256: 82990ee83c3d7fb909a584e6269a564032852f38e0425d2277d933c874fa4dfe
osbuild-composer-debugsource-62-1.el8.aarch64.rpm
SHA-256: 5a33a19269a4a16775628a191c0b22a2989d1f843a9a3670e0a359da84ed4856
osbuild-composer-dnf-json-62-1.el8.aarch64.rpm
SHA-256: 21115ed052b1efeaeabb788ad9bc0ae1f48af1fcbe114fb2051b50c8d2d9b37a
osbuild-composer-tests-debuginfo-62-1.el8.aarch64.rpm
SHA-256: 63cddb7a159f75698858f135bc3dc6af354e5583529a5934f959d343769ce0ef
osbuild-composer-worker-62-1.el8.aarch64.rpm
SHA-256: da0928684f88cb9f4039aec4649b5d83c7ee0724c516984eeee14ff072edbaea
osbuild-composer-worker-debuginfo-62-1.el8.aarch64.rpm
SHA-256: 8e4b9244e6376493bb75c4a403c186af2dcb4704c0555729b319e73ff91dd9ac
osbuild-luks2-65-1.el8.noarch.rpm
SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14
osbuild-lvm2-65-1.el8.noarch.rpm
SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228
osbuild-ostree-65-1.el8.noarch.rpm
SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0
osbuild-selinux-65-1.el8.noarch.rpm
SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530
python3-osbuild-65-1.el8.noarch.rpm
SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17
weldr-client-35.5-4.el8.aarch64.rpm
SHA-256: 5326a87cb96175707523df864ca9ae455d92a2afd9151b722fc5a8b789d840b7
weldr-client-debuginfo-35.5-4.el8.aarch64.rpm
SHA-256: 8d2667bba41d029ce5dd0762bca85c80d49a440f6d89b76acc275a599576a258
weldr-client-debugsource-35.5-4.el8.aarch64.rpm
SHA-256: 0803400a046e66885bdef20d6d1fc49b42d6b22f10f32252145a9cd95046ca84
weldr-client-tests-debuginfo-35.5-4.el8.aarch64.rpm
SHA-256: 0da2e12649a48ddaf4b93dcae28e6f2c230b97b52c490470182c6288b8ca1d24
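An offline way to check a host against the builds listed above, as an added example rather than Red Hat's own tooling: feed it the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' cockpit-composer osbuild osbuild-composer weldr-client` and it reports which of the four source packages are still below the version-release this advisory ships. The comparison is a Go port of the digit-run/letter-run rules rpm uses for version and release strings; the `~` and `^` pre-/post-release rules are omitted, on the assumption (true of every build listed here) that none of the versions involved use them. The function names, the embedded table and the sample rpm output are the example's own; the sample is constructed, not taken from a real host.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// fixedBuild is the version-release of each source package in RHSA-2022:7548
// for RHEL 8, copied from the SRPM list above. Binary sub-packages such as
// osbuild-composer-core or python3-osbuild carry the same version-release as
// their source package.
var fixedBuild = map[string]string{
	"cockpit-composer": "41-1.el8",
	"osbuild":          "65-1.el8",
	"osbuild-composer": "62-1.el8",
	"weldr-client":     "35.5-4.el8",
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }

// rpmvercmp ports rpm's segment comparison (without '~'/'^' handling): both
// strings are cut into maximal runs of digits or of letters, separators are
// skipped, numeric runs compare by value, letter runs compare lexically, a
// numeric run outranks a letter run, and on a tie the side with characters
// left over is newer.
func rpmvercmp(a, b string) int {
	for len(a) > 0 && len(b) > 0 {
		for len(a) > 0 && !isDigit(a[0]) && !isAlpha(a[0]) {
			a = a[1:]
		}
		for len(b) > 0 && !isDigit(b[0]) && !isAlpha(b[0]) {
			b = b[1:]
		}
		if len(a) == 0 || len(b) == 0 {
			break
		}
		numeric := isDigit(a[0])
		take := isAlpha
		if numeric {
			take = isDigit
		}
		i, j := 0, 0
		for i < len(a) && take(a[i]) {
			i++
		}
		for j < len(b) && take(b[j]) {
			j++
		}
		segA, segB := a[:i], b[:j]
		a, b = a[i:], b[j:]
		if segB == "" { // b starts a run of the other kind
			if numeric {
				return 1
			}
			return -1
		}
		if numeric {
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) {
				if len(segA) > len(segB) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
	switch {
	case len(a) == 0 && len(b) == 0:
		return 0
	case len(a) == 0:
		return -1
	default:
		return 1
	}
}

// parseEVR splits "[epoch:]version-release" at the optional ':' and the last
// '-'; a missing epoch counts as 0, as in rpm.
func parseEVR(s string) (epoch, version, release string) {
	epoch = "0"
	if i := strings.Index(s, ":"); i >= 0 {
		epoch, s = s[:i], s[i+1:]
	}
	if i := strings.LastIndex(s, "-"); i >= 0 {
		return epoch, s[:i], s[i+1:]
	}
	return epoch, s, ""
}

// CompareEVR orders two epoch:version-release strings as rpm does.
func CompareEVR(a, b string) int {
	ea, va, ra := parseEVR(a)
	eb, vb, rb := parseEVR(b)
	if c := rpmvercmp(ea, eb); c != 0 {
		return c
	}
	if c := rpmvercmp(va, vb); c != 0 {
		return c
	}
	return rpmvercmp(ra, rb)
}

// Unpatched reads "<name> <version-release>" lines from rpm -q output and
// returns, in input order, the names still below this advisory's build.
// Lines like "package X is not installed" have more fields and are skipped.
func Unpatched(rpmOutput string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(rpmOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		if fixed, ok := fixedBuild[f[0]]; ok && CompareEVR(f[1], fixed) < 0 {
			out = append(out, f[0])
		}
	}
	return out
}

// sampleRPMOutput is constructed for this example, not captured from a host.
const sampleRPMOutput = `cockpit-composer 41-1.el8
osbuild 65-1.el8
osbuild-composer 41-1.el8
weldr-client 35.5-3.el8
`

func main() {
	for _, name := range Unpatched(sampleRPMOutput) {
		fmt.Printf("%s is below %s: apply RHSA-2022:7548\n", name, fixedBuild[name])
	}
}
```

Pipe the real rpm query into the program instead of the constant to check a host; a release such as 1.el8_7 from a later z-stream rebuild compares as newer than 1.el8, so a host that has moved past this advisory is correctly reported as patched.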
Related news
Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...
Red Hat Security Advisory 2023-2802-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and information leakage vulnerabilities.
An update for toolbox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode a...
Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...
An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...
The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...
Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.
Red Hat Security Advisory 2022-7401-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32148: golang: net/http/ht...
Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-8534-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...
Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.
An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
- CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
- CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
- CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
Gentoo Linux Security Advisory 202208-2 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.