-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.29.0
Advisory ID:       RHSA-2023:3455-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3455
Issue date:        2023-06-05
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-36227 
                   CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 
                   CVE-2023-0767 CVE-2023-21930 CVE-2023-21937 
                   CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 
                   CVE-2023-21967 CVE-2023-21968 CVE-2023-24534 
                   CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 
                   CVE-2023-25173 CVE-2023-27535 
====================================================================
1. Summary:

OpenShift Serverless version 1.29.0 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings
for each vulnerability. Ratings are based on a Common Vulnerability Scoring
System (CVSS) base score.

2. Description:

Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- - golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding(CVE-2022-41723)
- - golang: net/http, mime/multipart: denial of service from excessive
resource consumption(CVE-2022-41725)
- - golang: crypto/tls: large handshake records may cause
panics(CVE-2022-41724)
- - golang: html/template: backticks not treated as string
delimiters(CVE-2023-24538)
- - golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption(CVE-2023-24536)
- - golang: net/http, net/textproto: denial of service from excessive memory
allocation(CVE-2023-24534)
- - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE pages
linked from the References section.

3. Solution:

For instructions on how to install and use OpenShift Serverless, see
documentation linked from the References section.

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185507 - Release of OpenShift Serverless Serving 1.29.0
2185509 - Release of OpenShift Serverless Eventing 1.29.0

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-21930
https://access.redhat.com/security/cve/CVE-2023-21937
https://access.redhat.com/security/cve/CVE-2023-21938
https://access.redhat.com/security/cve/CVE-2023-21939
https://access.redhat.com/security/cve/CVE-2023-21954
https://access.redhat.com/security/cve/CVE-2023-21967
https://access.redhat.com/security/cve/CVE-2023-21968
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZH521tzjgjWX9erEAQicLg/+JJY0iROByNwBz9upWD+qDC+ffNd+85c+
VIj8Gpp3Zy6lgGokmtp6YzlZgJvJ/HROOYp2Hy+8eTCwkBQsV/7zdEmT1DfYMFYL
yH8k3Gmf+fxaoL4LuY457Pdn2w2Szhj5sUWnUCw/8UTQfO3msNya0zK0Z3+KJ9Nz
fIdRMQb0wI2JN1y+kISdSTqfOJKuWuhCQ5H5yhnxV74H9d8jC59jOCpz84fZ3VE2
atrDnYRZV/URzkCDMTcLFbqewgC+O4dX953F91RyycAaVEP2+wHCLMF6QfsnU0se
6zFFvuUbsgWgxlFyrovylnmm6CGGQ/Tkp9olpnLZp0eXK67tt4KTbL/N8iPt7qYt
9S5VlN1IS6jA8DpyF1AxQNng6yJmjGCGhOp2n2F25cz6IYbz5hmFLluDkdCkeyzu
xSGQ9bT+K2ih6W4UwAMy3eI0YtZ8qC4e8GIP9EBgLsNowblR76IjkpKI8lrt+XSW
tI+cz6XT0HaMkEJhzOnlm4uxJAQqpde/hwlQ4GdlMR4F13yX44UMEglwaJSkIrMZ
dg7tfZ1t1K4+JOjXET4F22/RZnu+Bc6QDkA4BboRyB68/WLhmUfUy+Z7wsIgKif+
yFCqUE+2sRu6Xn3Y6bfAZem41gLXBhKV5tvdhmm+PrdB3jQAt/ISjXSGdYLxmC4X
1hDAf16dj7Y=YctY
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3455:01 Moderate: Release of OpenShift Serverless 1.29.0

OpenShift Serverless version 1.29.0 contains a moderate security impact

Summary

Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13.
This release includes security and bug fixes, and enhancements.
Security Fixes in this release include:
- - containerd: Supplementary groups are not set up properly(CVE-2023-25173) - - golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding(CVE-2022-41723) - - golang: net/http, mime/multipart: denial of service from excessive resource consumption(CVE-2022-41725) - - golang: crypto/tls: large handshake records may cause panics(CVE-2022-41724) - - golang: html/template: backticks not treated as string delimiters(CVE-2023-24538) - - golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption(CVE-2023-24536) - - golang: net/http, net/textproto: denial of service from excessive memory allocation(CVE-2023-24534) - - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, see the CVE pages linked from the References section.

Summary

Solution

For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0767 https://access.redhat.com/security/cve/CVE-2023-21930 https://access.redhat.com/security/cve/CVE-2023-21937 https://access.redhat.com/security/cve/CVE-2023-21938 https://access.redhat.com/security/cve/CVE-2023-21939 https://access.redhat.com/security/cve/CVE-2023-21954 https://access.redhat.com/security/cve/CVE-2023-21967 https://access.redhat.com/security/cve/CVE-2023-21968 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

Package List

Severity

Advisory ID: RHSA-2023:3455-01

Product: Red Hat OpenShift Serverless

Advisory URL: https://access.redhat.com/errata/RHSA-2023:3455

Issued Date: : 2023-06-05

CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-36227 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-0767 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-25173 CVE-2023-27535

Topic

OpenShift Serverless version 1.29.0 contains a moderate security impact.The References section contains CVE links providing detailed severityratingsfor each vulnerability. Ratings are based on a Common Vulnerability ScoringSystem (CVSS) base score.

Topic

Relevant Releases Architectures

Bugs Fixed

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption

2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation

2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing

2185507 - Release of OpenShift Serverless Serving 1.29.0

2185509 - Release of OpenShift Serverless Eventing 1.29.0

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12

3 - 5 min read

Dec 06, 2024

The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This

A Linux Admin

A Linux Admin's Guide to Tackling Emerging Cloud-Native Security Risks

3 - 6 min read

Dec 05, 2024

As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,

Leveraging Insights from the Linux Foundation

Leveraging Insights from the Linux Foundation's Census III Report for More Secure Linux Administration

3 - 5 min read

Dec 05, 2024

The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone

Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns

Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns

3 - 6 min read

Dec 04, 2024

Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security

From Wayland Fixes to Security Boosts: Examining Qt 6.8.1

From Wayland Fixes to Security Boosts: Examining Qt 6.8.1's Impact on Linux Administration

3 - 6 min read

Dec 03, 2024

The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application

Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins

Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins

3 - 6 min read

Dec 03, 2024

The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline

Deck the Halls with Enhanced Security: Linux Kernel 6.13

Deck the Halls with Enhanced Security: Linux Kernel 6.13's Top Features & Improvements

3 - 5 min read

Dec 02, 2024

As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made

Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions

Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions

3 - 5 min read

Dec 02, 2024

New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved