RHSA-2022:7548: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
Red Hat Security Data

Synopsis

Low: Image Builder security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
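The one-line description above names the failure mode of CVE-2022-32189: a gob message shorter than the fixed header makes Float.GobDecode or Rat.GobDecode index past the buffer and panic, which terminates any Go process that decodes attacker-supplied data. The following Go program is an added example, not code from Red Hat, the osbuild-composer project or the Go standard library: it wraps both decoders so that a too-short message is turned into an ordinary error on every Go version (the length prechecks mirror the header sizes of the math/big gob encodings, and the deferred recover catches the panic on unfixed toolchains). The sample messages are constructed inside the program by encoding 1.5 and 3/4 and truncating the result; the names DecodeFloat, DecodeRat, EncodedFloat, EncodedRat and decodeUntrusted are this example's own.

```go
package main

import (
	"encoding/gob"
	"fmt"
	"math/big"
)

// Minimum message sizes implied by the gob encodings in math/big:
//   big.Float: version byte, mode/accuracy/form/sign byte, 4-byte precision;
//              finite values add a 4-byte exponent before the mantissa.
//   big.Rat:   version/sign byte, 4-byte numerator length.
// The upstream fix for CVE-2022-32189 rejects buffers below these sizes
// instead of indexing past them.
const (
	minFloatGob = 6
	minRatGob   = 5
)

// decodeUntrusted runs a GobDecoder (*big.Float or *big.Rat) over an
// attacker-controlled buffer. A short header is rejected up front, and a
// deferred recover turns a panic from an unfixed math/big into an ordinary
// error, so the calling service logs a bad message instead of crashing.
// An empty buffer is left to the library, which decodes it as a zero value.
func decodeUntrusted(dst gob.GobDecoder, buf []byte, minLen int) (err error) {
	if len(buf) != 0 && len(buf) < minLen {
		return fmt.Errorf("gob message too short: %d bytes, need at least %d", len(buf), minLen)
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("malformed gob message rejected: %v", r)
		}
	}()
	return dst.GobDecode(buf)
}

// DecodeFloat decodes an untrusted big.Float message or returns an error.
func DecodeFloat(buf []byte) (*big.Float, error) {
	f := new(big.Float)
	if err := decodeUntrusted(f, buf, minFloatGob); err != nil {
		return nil, err
	}
	return f, nil
}

// DecodeRat decodes an untrusted big.Rat message or returns an error.
func DecodeRat(buf []byte) (*big.Rat, error) {
	r := new(big.Rat)
	if err := decodeUntrusted(r, buf, minRatGob); err != nil {
		return nil, err
	}
	return r, nil
}

// EncodedFloat and EncodedRat build constructed sample messages with the
// library's own encoder; callers truncate them to simulate a short message.
func EncodedFloat() []byte {
	b, err := big.NewFloat(1.5).GobEncode()
	if err != nil {
		panic(err)
	}
	return b
}

func EncodedRat() []byte {
	b, err := big.NewRat(3, 4).GobEncode()
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	full := EncodedFloat()
	// Full message, header-only truncation, and a finite-form message cut
	// before its exponent: only the first one may decode.
	for _, msg := range [][]byte{full, full[:3], full[:8]} {
		f, err := DecodeFloat(msg)
		if err != nil {
			fmt.Printf("%d-byte Float message rejected: %v\n", len(msg), err)
			continue
		}
		fmt.Printf("%d-byte Float message decoded: %s\n", len(msg), f.Text('g', 10))
	}
	rat := EncodedRat()
	for _, msg := range [][]byte{rat, rat[:2]} {
		r, err := DecodeRat(msg)
		if err != nil {
			fmt.Printf("%d-byte Rat message rejected: %v\n", len(msg), err)
			continue
		}
		fmt.Printf("%d-byte Rat message decoded: %s\n", len(msg), r)
	}
}
```

On a patched toolchain the truncated messages are refused by the library's own length checks and the recover never fires; on an unpatched one the recover is what keeps the process alive. Either way the caller sees an error it can log and count, which is the signal a detection rule for repeated malformed messages would key on.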

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2059867 - Update osbuild to the newest upstream version in RHEL 8.7
  • BZ - 2059868 - Update osbuild-composer to the newest upstream version in RHEL 8.7
  • BZ - 2060063 - Rebase cockpit-composer to newest release for RHEL 8.7
  • BZ - 2062694 - [cockpit-composer] RHEL 8.7 Tier 0 Localization
  • BZ - 2065734 - Build fails for packages in blueprint that contain conditional dependencies
  • BZ - 2104464 - [osbuild] Image builder does not support the use of a dot inside a username
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2118829 - Backport test changes for new osbuild-composer

References

  • https://access.redhat.com/security/updates/classification/#low
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

Red Hat Enterprise Linux for x86_64 8

SRPM

cockpit-composer-41-1.el8.src.rpm

SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08

osbuild-65-1.el8.src.rpm

SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0

osbuild-composer-62-1.el8.src.rpm

SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f

weldr-client-35.5-4.el8.src.rpm

SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057

x86_64

cockpit-composer-41-1.el8.noarch.rpm

SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a

osbuild-65-1.el8.noarch.rpm

SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74

osbuild-composer-62-1.el8.x86_64.rpm

SHA-256: 907cd771fd72893a5e629ded8148009236c221a69a911988488e5cca0b5ca424

osbuild-composer-core-62-1.el8.x86_64.rpm

SHA-256: 6d0a0edba97797d6b25cc6f7d606c5fa92b66cae04bb7b2b05449fbae43306b9

osbuild-composer-core-debuginfo-62-1.el8.x86_64.rpm

SHA-256: 159b3045ed798ac73367ffa9d2b7a935e05e2af4ac21ee8364814a04160961db

osbuild-composer-debuginfo-62-1.el8.x86_64.rpm

SHA-256: 44373704b3491ee50015748413bb661d990e1d2f576c94dd1588e98c1a88b429

osbuild-composer-debugsource-62-1.el8.x86_64.rpm

SHA-256: 31893e2a0d289ee43d408effd1cd329f1d0a34f82597a4217d209fab31efe6d7

osbuild-composer-dnf-json-62-1.el8.x86_64.rpm

SHA-256: b9c29225db4acfdfbd4b2a62165ba1db0a8957c8701bf6103079d35f81030ddb

osbuild-composer-tests-debuginfo-62-1.el8.x86_64.rpm

SHA-256: a8b03b955859f920e2610a493f6adadb56a01cc0dce72f17a9111b45fb78956c

osbuild-composer-worker-62-1.el8.x86_64.rpm

SHA-256: eae863e5944f8c79a2ea50e0ced54e2400bd329c939f77f0c8fa839e5813f13a

osbuild-composer-worker-debuginfo-62-1.el8.x86_64.rpm

SHA-256: a4ec3408187ca89a895832c4a7fb73a910dc1cacf349ebf40daa016bdd7fa1a7

osbuild-luks2-65-1.el8.noarch.rpm

SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14

osbuild-lvm2-65-1.el8.noarch.rpm

SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228

osbuild-ostree-65-1.el8.noarch.rpm

SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0

osbuild-selinux-65-1.el8.noarch.rpm

SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530

python3-osbuild-65-1.el8.noarch.rpm

SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17

weldr-client-35.5-4.el8.x86_64.rpm

SHA-256: 5240e566dbe50022ca691288ffa1f3b252f79419141e44cf1939df234e403465

weldr-client-debuginfo-35.5-4.el8.x86_64.rpm

SHA-256: 6cdb8e5c0c677ab2ff24bcd1f2775d5aa7a20cbb2eb23f2159ef0e509c113078

weldr-client-debugsource-35.5-4.el8.x86_64.rpm

SHA-256: 03e57b9f35da8f9147c69629484620009af6a5760d5e30d350bb4b534351f6f0

weldr-client-tests-debuginfo-35.5-4.el8.x86_64.rpm

SHA-256: 214578e864ee1ebc8a6484aadf79aeb4ce07285c38e5db61509a0a9a62c4a19c

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

cockpit-composer-41-1.el8.src.rpm

SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08

osbuild-65-1.el8.src.rpm

SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0

osbuild-composer-62-1.el8.src.rpm

SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f

weldr-client-35.5-4.el8.src.rpm

SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057

s390x

cockpit-composer-41-1.el8.noarch.rpm

SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a

osbuild-65-1.el8.noarch.rpm

SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74

osbuild-composer-62-1.el8.s390x.rpm

SHA-256: e415eb3e1650d887489111a9579fb27d170c5ae5cd74cf787ea36eebe3463e27

osbuild-composer-core-62-1.el8.s390x.rpm

SHA-256: 6238caeb38f41f694936b3955b50ff2b0b0298779bf1bcaa63100f0d6acf1fbe

osbuild-composer-core-debuginfo-62-1.el8.s390x.rpm

SHA-256: adaf6a669a5beabc80edb029cc5b41ce9811e22be431ce393675ee99dca0e4c2

osbuild-composer-debuginfo-62-1.el8.s390x.rpm

SHA-256: 2d5cbe6d882fd9f0e7159703862d819fffeb0ff848bfcb6c124d212e3b9f32f8

osbuild-composer-debugsource-62-1.el8.s390x.rpm

SHA-256: ced605f8d96055b751fee7e6fe2208e88952799cb785aad035f3494727e841e5

osbuild-composer-dnf-json-62-1.el8.s390x.rpm

SHA-256: 6c266feaf95f38a3c07be7a75bbbb409a23892335f3b6645dd906c94ac40a5d5

osbuild-composer-tests-debuginfo-62-1.el8.s390x.rpm

SHA-256: 684eca8aaf6345430e83f670abd023e966057adf0164fc9e512fba56583fd171

osbuild-composer-worker-62-1.el8.s390x.rpm

SHA-256: 2d545ce81ef9bf00c9f00108fed784c4370fb571de2992349889eaca78b5a137

osbuild-composer-worker-debuginfo-62-1.el8.s390x.rpm

SHA-256: 1cea8759f3ab187fe95fd894821f2674ba2a6c487614c79345a0973706df6130

osbuild-luks2-65-1.el8.noarch.rpm

SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14

osbuild-lvm2-65-1.el8.noarch.rpm

SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228

osbuild-ostree-65-1.el8.noarch.rpm

SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0

osbuild-selinux-65-1.el8.noarch.rpm

SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530

python3-osbuild-65-1.el8.noarch.rpm

SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17

weldr-client-35.5-4.el8.s390x.rpm

SHA-256: 712ce55dd30d345048ba3b6234c6701ae6cf07cfe4057c07483350e227a0adf4

weldr-client-debuginfo-35.5-4.el8.s390x.rpm

SHA-256: ebbc19519952d3d264bc65d56e8b62041189d628419975ccdc5fd608bced55a1

weldr-client-debugsource-35.5-4.el8.s390x.rpm

SHA-256: 4431d01fc98e9de26f3ffda790b8636bba324694df4c7113ad79d6675e9bbf2e

weldr-client-tests-debuginfo-35.5-4.el8.s390x.rpm

SHA-256: df5318d4195278aebf45bfbe577b6af6b3d9a9edebe2d5c0ea58813f6002e7a5

Red Hat Enterprise Linux for Power, little endian 8

SRPM

cockpit-composer-41-1.el8.src.rpm

SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08

osbuild-65-1.el8.src.rpm

SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0

osbuild-composer-62-1.el8.src.rpm

SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f

weldr-client-35.5-4.el8.src.rpm

SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057

ppc64le

cockpit-composer-41-1.el8.noarch.rpm

SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a

osbuild-65-1.el8.noarch.rpm

SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74

osbuild-composer-62-1.el8.ppc64le.rpm

SHA-256: 91d0803e7adc0c3b9de8ccb8792ecc162c6c0290652f7c62d593cf29bbee1552

osbuild-composer-core-62-1.el8.ppc64le.rpm

SHA-256: f61b7b63a8099edd0d897f3e7cc2575d9a182866ac89ce3cab1589e5ef173f53

osbuild-composer-core-debuginfo-62-1.el8.ppc64le.rpm

SHA-256: 2178d91ed864d814dee56c20d80ccaa255b68d402536f51c3887ec3caaff3ca2

osbuild-composer-debuginfo-62-1.el8.ppc64le.rpm

SHA-256: 56528cf1ad242a62847cd3751c88cbf6cbedcf4b3e369798fd95e5cc660451c4

osbuild-composer-debugsource-62-1.el8.ppc64le.rpm

SHA-256: da1255dbd8a8af6193e61b9e94b5e942a8c57da73b608196a364e5d0965bd1a0

osbuild-composer-dnf-json-62-1.el8.ppc64le.rpm

SHA-256: b230f2071bbeb02c3322003c8ce6cd52d4cfa4ced9d1725df00079216cd4c4ca

osbuild-composer-tests-debuginfo-62-1.el8.ppc64le.rpm

SHA-256: afeb95ae0b6debf0e7c49d11c4f15e8503460ca1f8f0ea84a7507ea86249418d

osbuild-composer-worker-62-1.el8.ppc64le.rpm

SHA-256: 6f8e36a44549b806a7d848728f6d14422ea9e66c4b48eaf5245e33bda3b68525

osbuild-composer-worker-debuginfo-62-1.el8.ppc64le.rpm

SHA-256: 817ca19b0a1736ae8fa05d478d725ac0c552082be27569f1c494c42afb49d9d6

osbuild-luks2-65-1.el8.noarch.rpm

SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14

osbuild-lvm2-65-1.el8.noarch.rpm

SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228

osbuild-ostree-65-1.el8.noarch.rpm

SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0

osbuild-selinux-65-1.el8.noarch.rpm

SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530

python3-osbuild-65-1.el8.noarch.rpm

SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17

weldr-client-35.5-4.el8.ppc64le.rpm

SHA-256: beedb5d165cd86ba70c5c2e7a92739204badc2232900c4d94a8ac9cd69244e0a

weldr-client-debuginfo-35.5-4.el8.ppc64le.rpm

SHA-256: e44af932747d42753c11ea119de0014fd9872a3d6525a23c77a984f500549939

weldr-client-debugsource-35.5-4.el8.ppc64le.rpm

SHA-256: 4fc36c6203ed42a8f38efa64854cbb3021c4e85b6331a8dc067f086f75d41431

weldr-client-tests-debuginfo-35.5-4.el8.ppc64le.rpm

SHA-256: bc5320bafc9c9705ceb161122221113bbf1a57ad263753ed7a2b1ee18b87a5c9

Red Hat Enterprise Linux for ARM 64 8

SRPM

cockpit-composer-41-1.el8.src.rpm

SHA-256: 320840bb03fcaf275c874bda98e26691de1bcbd260b4a11b96fb3801e8d76a08

osbuild-65-1.el8.src.rpm

SHA-256: d917251f48df83fe62382fedc3ef265aaa609210fa9c17e16a6644a242430ca0

osbuild-composer-62-1.el8.src.rpm

SHA-256: fe40a543749d43b7697d329a77723b2f75ee2b8c3560e55460101565ee7ebe5f

weldr-client-35.5-4.el8.src.rpm

SHA-256: e5c985620c81ebfe2ca68fc1604352043d61845ed26e77fd582ec035fe6c4057

aarch64

cockpit-composer-41-1.el8.noarch.rpm

SHA-256: 940b0c3b4a7aaf2f9c6040334a2074b1b21f49ad665c60d354e4ec67f7ce3e6a

osbuild-65-1.el8.noarch.rpm

SHA-256: c416da84806250ed7592a03e673a1de33f3f339907ce1e0849a000c4fcc4aa74

osbuild-composer-62-1.el8.aarch64.rpm

SHA-256: 5d8a70d78e8af38e6d99585b9ea5d0d044eb493d3195746fd3db395031f99d1e

osbuild-composer-core-62-1.el8.aarch64.rpm

SHA-256: 4985c59760c9003ddea82151cfa0eb91eb0555614c2498b7e1d4b565a498452b

osbuild-composer-core-debuginfo-62-1.el8.aarch64.rpm

SHA-256: 347dc84703ce01f7ac65153e487a941bf3e4e650770cccc2dc15acb967659324

osbuild-composer-debuginfo-62-1.el8.aarch64.rpm

SHA-256: 82990ee83c3d7fb909a584e6269a564032852f38e0425d2277d933c874fa4dfe

osbuild-composer-debugsource-62-1.el8.aarch64.rpm

SHA-256: 5a33a19269a4a16775628a191c0b22a2989d1f843a9a3670e0a359da84ed4856

osbuild-composer-dnf-json-62-1.el8.aarch64.rpm

SHA-256: 21115ed052b1efeaeabb788ad9bc0ae1f48af1fcbe114fb2051b50c8d2d9b37a

osbuild-composer-tests-debuginfo-62-1.el8.aarch64.rpm

SHA-256: 63cddb7a159f75698858f135bc3dc6af354e5583529a5934f959d343769ce0ef

osbuild-composer-worker-62-1.el8.aarch64.rpm

SHA-256: da0928684f88cb9f4039aec4649b5d83c7ee0724c516984eeee14ff072edbaea

osbuild-composer-worker-debuginfo-62-1.el8.aarch64.rpm

SHA-256: 8e4b9244e6376493bb75c4a403c186af2dcb4704c0555729b319e73ff91dd9ac

osbuild-luks2-65-1.el8.noarch.rpm

SHA-256: 90203c927a75d011e49b04a0aedf10512fe83dfda4ccad1a9a075d70515f6b14

osbuild-lvm2-65-1.el8.noarch.rpm

SHA-256: fd9318746fe1ff55495011a3927b8bbe99c97c095f98d0848b83dce84eee0228

osbuild-ostree-65-1.el8.noarch.rpm

SHA-256: ab1405e1cbd8a6f5082a58f5631569a88dc7641ddee1810f149c5e684418ddf0

osbuild-selinux-65-1.el8.noarch.rpm

SHA-256: 2e64fb0c711cf84ac3348eda69696feb56b2e36a79aaccf5bc78e05bcbc1c530

python3-osbuild-65-1.el8.noarch.rpm

SHA-256: 9211f9abb4c8394420f09f86836d756123276938db4aa309a63b8ef2affcfd17

weldr-client-35.5-4.el8.aarch64.rpm

SHA-256: 5326a87cb96175707523df864ca9ae455d92a2afd9151b722fc5a8b789d840b7

weldr-client-debuginfo-35.5-4.el8.aarch64.rpm

SHA-256: 8d2667bba41d029ce5dd0762bca85c80d49a440f6d89b76acc275a599576a258

weldr-client-debugsource-35.5-4.el8.aarch64.rpm

SHA-256: 0803400a046e66885bdef20d6d1fc49b42d6b22f10f32252145a9cd95046ca84

weldr-client-tests-debuginfo-35.5-4.el8.aarch64.rpm

SHA-256: 0da2e12649a48ddaf4b93dcae28e6f2c230b97b52c490470182c6288b8ca1d24

Related news

Ubuntu Security Notice USN-6038-2

Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

RHSA-2023:3742: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...

RHSA-2023:3644: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Red Hat Security Advisory 2023-0584-01

Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.

RHSA-2023:3204: Red Hat Security Advisory: OpenShift Virtualization 4.13.0 RPMs security and bug fix update

Red Hat OpenShift Virtualization release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language pack...

Red Hat Security Advisory 2023-2802-01

Red Hat Security Advisory 2023-2802-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and information leakage vulnerabilities.

RHSA-2023:2236: Red Hat Security Advisory: toolbox security and bug fix update

An update for toolbox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27664: A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown. * CVE-2022-32189: An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode a...

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

RHSA-2023:1529: Red Hat Security Advisory: Service Telemetry Framework 1.5 security update

An update is now available for Service Telemetry Framework 1.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-23772: A flaw was found in the big package of the math library in golang. The Rat....

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

RHSA-2023:1275: Red Hat Security Advisory: Red Hat OpenStack Platform (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid. * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by rev...

RHSA-2023:0693: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.7 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.7 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43138: A vulnerability was found in the async package. This flaw allows a malicious user to obtain privileges via the mapValues() method. * CVE-2022-2879: A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw a...

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

RHSA-2023:0542: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.3.1 Containers security update

Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...

Red Hat Security Advisory 2023-0069-01

Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.

Red Hat Security Advisory 2022-7401-01

Red Hat Security Advisory 2022-7401-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-7398-02

Red Hat Security Advisory 2022-7398-02 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include a denial of service vulnerability.

RHSA-2022:7399: Red Hat Security Advisory: OpenShift Container Platform 4.12.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...

RHSA-2022:9047: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...

RHSA-2022:8781: Red Hat Security Advisory: Logging Subsystem 5.5.5 - Red Hat OpenShift security update

Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...

Red Hat Security Advisory 2022-8626-01

Red Hat Security Advisory 2022-8626-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.17. Issues addressed include a denial of service vulnerability.

RHSA-2022:8626: Red Hat Security Advisory: OpenShift Container Platform 4.11.17 packages and security update

Red Hat OpenShift Container Platform release 4.11.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
  • CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY
  • CVE-2022-32148: golang: net/http/ht...

Red Hat Security Advisory 2022-8535-01

Red Hat Security Advisory 2022-8535-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8534-01

Red Hat Security Advisory 2022-8534-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.16. Issues addressed include a denial of service vulnerability.

RHSA-2022:8535: Red Hat Security Advisory: OpenShift Container Platform 4.11.16 security update

Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY
  • CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, po...

RHSA-2022:8534: Red Hat Security Advisory: OpenShift Container Platform 4.11.16 security update

Red Hat OpenShift Container Platform release 4.11.16 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

RHSA-2022:7950: Red Hat Security Advisory: Image Builder security, bug fix, and enhancement update

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32189: golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

Red Hat Security Advisory 2022-7129-01

Red Hat Security Advisory 2022-7129-01 - Git Large File Storage replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Issues addressed include a denial of service vulnerability.

RHSA-2022:7129: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-28851: golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
  • CVE-2020-28852: golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
  • CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header
  • CVE-2022-27664: golang: net/http: handle server errors after sending GOAWA...

CVE-2022-32189: math/big: index out of range in Float.GobDecode · Issue #53871 · golang/go

A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.

Gentoo Linux Security Advisory 202208-02

Gentoo Linux Security Advisory 202208-2 - Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution. Versions less than 1.18.5 are affected.